
How to Secure Your Business Email with MFA

Business email is the single most targeted attack vector for cybercriminals. Across the United Kingdom, email accounts are compromised every day — not through sophisticated hacking techniques, but through stolen, guessed, or phished passwords. Once an attacker gains access to a business email account, they can read confidential correspondence, impersonate the account holder to send fraudulent messages, access connected cloud services, and use the compromised account as a launching pad for further attacks against colleagues, clients, and suppliers.

Multi-factor authentication (MFA) is the single most effective countermeasure against email account compromise. According to Microsoft, enabling MFA blocks over 99.9% of automated account attacks. Despite this, a significant proportion of UK businesses have not yet implemented MFA across all their email accounts — leaving themselves exposed to a threat that is both pervasive and entirely preventable.

This guide explains what MFA is, why it is essential for business email security, how to implement it properly, and how to address the common objections that prevent businesses from adopting it.

Key figures

  • 99.9% of automated account attacks blocked by MFA
  • 81% of data breaches involve compromised credentials
  • £8,460 average cost of an email compromise incident for UK SMEs
  • 43% of UK SMEs still have not fully implemented MFA

What Is Multi-Factor Authentication?

Multi-factor authentication is a security mechanism that requires users to provide two or more forms of verification before they can access an account. The principle is straightforward: even if an attacker steals your password, they still cannot access your account because they do not possess the second factor.

Authentication factors fall into three categories. Something you know — a password, PIN, or security question. Something you have — a mobile phone, hardware security key, or authentication app. Something you are — a fingerprint, facial recognition, or other biometric. MFA requires at least two factors from different categories. A password (something you know) combined with a code from an authentication app on your phone (something you have) is the most common implementation for business email.

MFA Is Now a Cyber Essentials Requirement

As of the latest Cyber Essentials technical requirements, multi-factor authentication is required for all cloud services and remote access where it is available. For UK businesses pursuing or maintaining Cyber Essentials certification — which is mandatory for many government contracts and increasingly expected by enterprise clients — implementing MFA on all email accounts is not optional. It is a certification requirement.

Why Passwords Alone Are Not Enough

To understand why MFA is essential, it helps to understand why passwords, by themselves, provide inadequate protection. There are several reasons passwords fail as a sole defence.

Password Reuse

Despite years of security awareness efforts, password reuse remains endemic. Studies consistently show that over 60% of people use the same password across multiple accounts. When a password is compromised in one data breach — perhaps from a social media platform or an online retailer — attackers try that same password against business email accounts. This technique, known as credential stuffing, is automated and highly effective.

Phishing Attacks

Phishing emails designed to steal login credentials are increasingly sophisticated. Attackers create convincing replicas of Microsoft 365 login pages, send emails that appear to come from IT support, or exploit current events to create urgency. Even security-conscious employees can be deceived by a well-crafted phishing email. Once the credentials are entered, the attacker has immediate access.

Brute Force and Spray Attacks

Automated tools allow attackers to try millions of password combinations against email accounts. Password spraying — where common passwords are tried against many accounts simultaneously — is particularly effective because it avoids account lockout thresholds. With MFA enabled, even a successfully guessed password is useless without the second factor.

How MFA fares against common attack types:

  • Credential stuffing attacks: blocked by MFA (99%+)
  • Phishing attacks (standard): blocked by MFA (95%+)
  • Brute force attacks: blocked by MFA (99%+)
  • Password spray attacks: blocked by MFA (99%+)
  • Advanced phishing (MFA fatigue): mitigated by number matching

MFA Methods Compared

Not all MFA methods provide the same level of security. Understanding the options helps you choose the right approach for your business.

| MFA method | Security level | User experience | Cost | Recommended |
| --- | --- | --- | --- | --- |
| SMS codes | Low-Medium | Familiar but slow | Free | Better than nothing, but avoid if possible |
| Authenticator app (TOTP) | Medium-High | Quick and reliable | Free | Good baseline for most businesses |
| Microsoft Authenticator push | High | Very convenient | Free | Recommended for Microsoft 365 users |
| Number matching (push) | Very High | Slightly more effort | Free | Strongly recommended — prevents MFA fatigue attacks |
| FIDO2 hardware key | Highest | Physical key required | £25-50 per key | Best for high-risk accounts (admins, finance) |

Why SMS Is the Weakest Option

SMS-based MFA, where a code is sent to your mobile phone via text message, is the weakest form of multi-factor authentication. SMS messages can be intercepted through SIM swapping attacks, where an attacker convinces your mobile provider to transfer your number to a new SIM. SMS messages are also delivered in plain text over the mobile network, making them vulnerable to interception. Whilst SMS MFA is significantly better than no MFA at all, authenticator apps and hardware keys provide meaningfully stronger protection.

Recommended MFA Configuration

  • Microsoft Authenticator with number matching for all users
  • FIDO2 hardware keys for administrator accounts
  • Conditional access policies requiring MFA from untrusted locations
  • MFA enforced on all cloud applications, not just email
  • Legacy authentication protocols blocked entirely
  • Regular review of MFA registration and compliance

Weak MFA Configuration

  • SMS codes as the only MFA method
  • MFA optional or self-service only
  • Admin accounts using the same MFA as standard users
  • MFA applied to email only, not other cloud apps
  • Legacy authentication still permitted (bypasses MFA)
  • No monitoring of MFA compliance or sign-in risks

Implementing MFA in Microsoft 365: A Step-by-Step Approach

For UK businesses using Microsoft 365 — which is the vast majority — implementing MFA is a structured process that, when done correctly, causes minimal disruption to your team.

Phase 1: Preparation

Before enabling MFA, communicate clearly with your team about what is changing and why. Provide written guidance on how to set up the Microsoft Authenticator app. Ensure all users have a compatible smartphone. Identify any shared mailboxes or service accounts that may need special handling. Plan the rollout in stages rather than enabling MFA for everyone simultaneously.

Phase 2: Pilot Group

Start with a small pilot group — typically IT staff and willing early adopters. This allows you to identify any issues, refine your support documentation, and build internal expertise before the wider rollout. Monitor the pilot group for a week or two, collecting feedback and resolving any problems.

Phase 3: Staged Rollout

Roll out MFA department by department or team by team. Provide hands-on support during each wave, with IT staff available to help users configure their authenticator app. Allow a grace period (typically 14 days) during which users are prompted to register for MFA but can still sign in without it. After the grace period, enforce MFA for all users.

Phase 4: Enforcement and Monitoring

Once all users are enrolled, enforce MFA across the organisation and block legacy authentication protocols that bypass MFA. Monitor sign-in logs for users who have not completed MFA registration, failed MFA attempts that could indicate an attack, and unusual sign-in patterns that warrant investigation.
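The three checks this phase describes (unregistered users, bursts of failed MFA prompts, and sign-ins over legacy protocols that never reach an MFA prompt) can be scripted against an exported sign-in report. The script below is an added example, not Cloudswitched's tooling or Microsoft's API; its record layout, field names and the set of legacy client names are assumptions for the illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(user, time, registered, result, mfa, client):
    """Constructed sign-in record; field names are this example's own, not Entra ID's."""
    return {"user": user, "time": datetime.fromisoformat(time), "mfa_registered": registered,
            "result": result, "mfa_result": mfa, "client": client}

# Constructed sample log, loosely following the columns of a Microsoft 365 sign-in report.
SIGN_INS = [
    rec("alice@example.co.uk", "2024-05-01T08:00:00", True, "success", "approved", "Browser"),
    rec("alice@example.co.uk", "2024-05-01T12:30:00", True, "failure", "denied", "Browser"),   # single denial: noise
    rec("bob@example.co.uk",   "2024-05-01T08:05:00", False, "success", None, "Browser"),      # in grace period, not registered
    rec("carol@example.co.uk", "2024-05-01T02:10:00", True, "failure", "denied", "Browser"),   # burst of denied pushes
    rec("carol@example.co.uk", "2024-05-01T02:12:00", True, "failure", "denied", "Browser"),
    rec("carol@example.co.uk", "2024-05-01T02:15:00", True, "failure", "denied", "Browser"),
    rec("dave@example.co.uk",  "2024-05-01T09:00:00", True, "success", None, "IMAP4"),        # legacy protocol, no MFA prompt
]

# Client app names assumed to use legacy (basic) authentication, which never presents an MFA prompt.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

def review_sign_ins(records, fatigue_threshold=3, window_minutes=10):
    """Return the three Phase 4 findings, each as a sorted list of affected users."""
    findings = {"unregistered": set(), "legacy_auth": set(), "mfa_fatigue": set()}
    denials = defaultdict(list)
    for r in records:
        if not r["mfa_registered"]:
            findings["unregistered"].add(r["user"])
        if r["client"] in LEGACY_CLIENTS and r["result"] == "success":
            findings["legacy_auth"].add(r["user"])
        if r["mfa_result"] == "denied":
            denials[r["user"]].append(r["time"])
    window = timedelta(minutes=window_minutes)
    for user, times in denials.items():
        times.sort()
        # sliding window: N denied prompts inside window_minutes looks like an MFA fatigue attempt
        for i in range(len(times) - fatigue_threshold + 1):
            if times[i + fatigue_threshold - 1] - times[i] <= window:
                findings["mfa_fatigue"].add(user)
                break
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for finding, users in review_sign_ins(SIGN_INS).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

A single denied prompt is treated as normal noise; only repeated denials within the window are reported, so the threshold and window should be tuned to the organisation's sign-in volume.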

Indicative timeline:

  • Phase 1, Week 1: Preparation and communication
  • Phase 2, Weeks 2-3: Pilot group testing
  • Phase 3, Weeks 3-5: Staged rollout
  • Phase 4, Week 6: Full enforcement

Addressing Common MFA Objections

Despite the clear security benefits, some businesses resist MFA implementation. Here are the most common objections and how to address them.

"It will slow my team down." With the Microsoft Authenticator app and number matching, the MFA prompt adds approximately five seconds to the sign-in process. Most users only encounter this once or twice a day, as Microsoft remembers trusted devices. The five seconds of inconvenience is vastly outweighed by the protection against account compromise.

"Not everyone has a smartphone." For the small number of users without a compatible smartphone, hardware security keys such as the YubiKey provide an excellent alternative. These are small USB devices that cost between £25 and £50 each and provide the highest level of MFA security available.

"We are too small to be targeted." Automated attacks do not discriminate by company size. Credential stuffing, password spraying, and mass phishing campaigns target every accessible email account regardless of the organisation behind it. Small businesses are often seen as easier targets precisely because they are less likely to have MFA enabled.

"It is too complicated to set up." For businesses using Microsoft 365, MFA can be configured and rolled out within a week with proper planning. A managed IT provider like Cloudswitched handles the entire process, from initial configuration to user training and ongoing support.

Beyond MFA: Conditional Access Policies

For businesses on Microsoft 365 Business Premium or higher, conditional access policies take email security further. These policies allow you to define rules that control access based on conditions such as user location, device compliance status, risk level, and application sensitivity. For example, you might allow MFA-authenticated access from the United Kingdom but block sign-in attempts from countries where your business has no operations. Or you might require MFA for all access from personal devices but allow trusted corporate devices to sign in with a single factor.
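As an added illustration (not the page's or Cloudswitched's own code) of how overlapping policies combine, the simulator below models the two examples from the paragraph plus a policy for administrator accounts. The policy shape, field names and the rule that the strictest control wins are this example's simplified assumptions; the sign-in contexts are constructed.

```python
# Simplified model of conditional access evaluation (assumption for this example):
# every policy whose condition matches applies, and the strictest control wins,
# so a block always overrides a grant that merely requires MFA.
RANK = {"allow": 0, "mfa": 1, "block": 2}

POLICIES = [
    # first example from the text: allow the UK, block countries with no business presence
    {"name": "block-outside-uk", "applies": lambda s: s["country"] != "GB", "control": "block"},
    # second example: personal devices need MFA, compliant corporate devices do not
    {"name": "mfa-unless-compliant-device", "applies": lambda s: not s["device_compliant"], "control": "mfa"},
    # privileged accounts always require MFA, even on a compliant device
    {"name": "mfa-for-admins", "applies": lambda s: s["is_admin"], "control": "mfa"},
]

def evaluate(sign_in, policies=POLICIES):
    """Return (required control, names of the policies that matched) for one sign-in context."""
    decision, matched = "allow", []
    for policy in policies:
        if policy["applies"](sign_in):
            matched.append(policy["name"])
            if RANK[policy["control"]] > RANK[decision]:
                decision = policy["control"]
    return decision, matched

def is_granted(sign_in, policies=POLICIES):
    """True when the sign-in satisfies every policy that applies to it."""
    decision, _ = evaluate(sign_in, policies)
    if decision == "block":
        return False
    if decision == "mfa":
        return sign_in["mfa_completed"]
    return True

def ctx(country, device_compliant, is_admin, mfa_completed):
    """Constructed sign-in context; the fields are this example's own."""
    return {"country": country, "device_compliant": device_compliant,
            "is_admin": is_admin, "mfa_completed": mfa_completed}

if __name__ == "__main__":
    print(is_granted(ctx("GB", True, False, False)))   # corporate laptop in the UK, single factor
    print(is_granted(ctx("GB", False, False, False)))  # personal phone in the UK, MFA not completed
    print(is_granted(ctx("FR", False, False, True)))   # abroad: blocked even with MFA completed
```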

The ICO Expects You to Use MFA

The Information Commissioner's Office (ICO) considers multi-factor authentication to be a standard security measure that organisations should implement to protect personal data. Failing to implement MFA when it is readily available — as it is for virtually all cloud email platforms — could be viewed as a failure to implement appropriate technical measures under UK GDPR Article 32. In the event of a data breach, the ICO may consider the absence of MFA as an aggravating factor when determining enforcement action.

How Cloudswitched Implements MFA for UK Businesses

At Cloudswitched, MFA implementation is a standard part of our security service for every client. We configure Microsoft 365 MFA with number matching enabled, set up conditional access policies tailored to your business, provide user-friendly documentation and hands-on support during rollout, monitor MFA compliance and sign-in risk continuously, and ensure your configuration meets Cyber Essentials requirements. We understand that security measures need to be balanced with usability. Our approach ensures your team is protected without creating unnecessary friction in their daily work.

Secure Your Business Email Today

Cloudswitched helps UK businesses implement MFA across Microsoft 365 with minimal disruption. From configuration and conditional access policies to user training and ongoing monitoring, we handle the entire process. If your business email is not yet protected by MFA, get in touch today — it is one of the most impactful security improvements you can make.
