Why Cyber Essentials keeps putting Multi-Factor Authentication front and centre
When we carry out Cyber Essentials assessments, one issue appears again and again.
Accounts without Multi-Factor Authentication.
It’s one of the most common reasons organisations fail Cyber Essentials — and one of the easiest security gaps for attackers to exploit.
For SMEs in particular, this control is far more powerful than many realise.
The Reality: One Password Is Not Security
If an account can sign in with just a password, it’s exposed.
It doesn’t matter whether it’s:
- A standard user account
- An admin account
- A shared mailbox
- A service account
- A Teams room system
- An SMTP relay
If it authenticates with one factor, it’s a potential entry point.
Attackers don’t care what the account was originally created for. They care whether it lets them into your environment.
And if it does, they’ll use it.
What Cyber Essentials Actually Requires
The guidance from both the NCSC and IASME, who run the Cyber Essentials scheme, is clear.
Multi-Factor Authentication must be enforced for all interactive logins.
Not:
- “Most users”
- “Only administrators”
- “High-risk accounts”
- “When we remember”
All interactive access.
This is because credential theft remains one of the most common attack methods used against small and medium-sized businesses.
Cyber Essentials exists to stop the attacks that happen most often.
MFA is one of the controls that does exactly that.
What We See During Cyber Essentials Assessments
When we review environments as part of Cyber Essentials certification, the MFA issues are usually predictable.
For example:
Temporary MFA exclusions
Someone needed quick access and MFA was disabled “for now”.
It stayed disabled.
Leaver accounts reused
An employee leaves. Their account gets reused internally.
But sign-in wasn’t blocked first.
Service accounts forgotten
Created years ago, still running quietly, never reviewed.
Shared systems overlooked
Meeting rooms, shared mailboxes or automation services not included in MFA policy.
Each one looks harmless on its own.
But attackers only need one account.
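The four findings above can be turned into a repeatable check. The script below is an added example and is not code from the original article or from the Cyber Essentials scheme; it runs over a constructed account inventory (invented names and dates, with fields that mimic an identity-provider export) and flags every account that still offers an interactive login without MFA, labelling each by the pattern it matches.

```python
from datetime import date, timedelta

# Constructed account inventory for this example. The fields mimic an export of
# sign-in settings from an identity provider, but every record is invented.
ACCOUNTS = [
    {"name": "j.smith", "kind": "user", "interactive": True, "mfa": True, "sign_in_blocked": False,
     "leaver": False, "mfa_exclusion_until": None, "last_reviewed": date(2025, 1, 10)},
    {"name": "a.jones", "kind": "user", "interactive": True, "mfa": False, "sign_in_blocked": False,
     "leaver": False, "mfa_exclusion_until": date(2024, 11, 30), "last_reviewed": date(2025, 1, 10)},
    {"name": "p.brown", "kind": "user", "interactive": True, "mfa": True, "sign_in_blocked": False,
     "leaver": True, "mfa_exclusion_until": None, "last_reviewed": date(2025, 1, 10)},
    {"name": "svc-backup", "kind": "service", "interactive": True, "mfa": False, "sign_in_blocked": False,
     "leaver": False, "mfa_exclusion_until": None, "last_reviewed": date(2021, 6, 1)},
    {"name": "room-boardroom", "kind": "room", "interactive": True, "mfa": False, "sign_in_blocked": False,
     "leaver": False, "mfa_exclusion_until": None, "last_reviewed": None},
    {"name": "smtp-relay", "kind": "relay", "interactive": True, "mfa": False, "sign_in_blocked": False,
     "leaver": False, "mfa_exclusion_until": None, "last_reviewed": None},
]
AS_OF = date(2025, 3, 1)  # assessment date used for the expiry and review checks
SHARED_KINDS = {"room", "shared_mailbox", "relay"}

def audit_mfa(accounts, today):
    """Return (account, finding) pairs for every interactive login usable without MFA."""
    findings = []
    for acc in accounts:
        if acc["sign_in_blocked"] or not acc["interactive"]:
            continue  # cannot be used for interactive login, so outside the MFA requirement
        if acc["leaver"]:
            findings.append((acc["name"], "leaver account still able to sign in"))
        if acc["mfa"]:
            continue  # MFA enforced: nothing further to report
        until = acc["mfa_exclusion_until"]
        if until is not None:  # a "for now" exclusion is a gap whether or not it has lapsed
            state = "expired" if until < today else "active"
            findings.append((acc["name"], f"temporary MFA exclusion {state} (until {until})"))
        elif acc["kind"] == "service":
            last = acc["last_reviewed"]
            stale = last is None or today - last > timedelta(days=365)
            note = ", not reviewed in over a year" if stale else ""
            findings.append((acc["name"], "service account without MFA" + note))
        elif acc["kind"] in SHARED_KINDS:
            findings.append((acc["name"], f"shared system ({acc['kind']}) outside MFA policy"))
        else:
            findings.append((acc["name"], "interactive login without MFA"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_mfa(ACCOUNTS, AS_OF):
        print(f"{name}: {finding}")
```

Note that the leaver check fires even when MFA is enforced, because the gap described above is that sign-in was never blocked, not that MFA was missing.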
Why SMEs Often Underestimate Cyber Essentials
Many SME owners look at Cyber Essentials and think the controls seem simple.
That’s exactly the point.
The scheme focuses on the five technical controls that stop the majority of common attacks:
- Firewalls
- Secure configuration
- Access control
- Malware protection
- Security updates
- Multi-Factor Authentication
Individually, these controls are not complicated.
Applied consistently across an organisation, they become extremely effective.
Cyber Essentials is powerful because it forces organisations to apply these controls properly — and then prove they’ve done it.
MFA: The Small Control With the Biggest Impact
If you could choose one control that blocks a huge percentage of account compromise attacks, it would be Multi-Factor Authentication.
It stops:
- Password spraying
- Credential stuffing
- Phishing-led account takeover
- Stolen password reuse
Which is exactly why Cyber Essentials requires it.
The Auditor’s View
When an organisation fails Cyber Essentials because of MFA gaps, it’s rarely because they didn’t care about security.
It’s usually because nobody had stepped back and asked the simple question:
“Does every account that can sign in require MFA?”
Once businesses ask that question properly, the gap becomes obvious.
And once it’s fixed, the organisation becomes significantly harder to compromise.
Final Thoughts
For SMEs, cybersecurity doesn’t need to start with expensive technology.
It starts with getting the fundamentals right.
Multi-Factor Authentication is one of those fundamentals.
And Cyber Essentials exists to make sure it’s actually in place.
Get Certified.
