Why Cyber Essentials keeps putting Multi-Factor Authentication front and centre
When we carry out Cyber Essentials assessments, one issue appears again and again.
Accounts without Multi-Factor Authentication.
It’s one of the most common reasons organisations fail Cyber Essentials — and one of the easiest security gaps for attackers to exploit.
For SMEs in particular, this control is far more powerful than many realise.
If an account can sign in with just a password, it’s exposed.
It doesn’t matter what kind of account it is.
If it authenticates with one factor, it’s a potential entry point.
Attackers don’t care what the account was originally created for. They care whether it lets them into your environment.
And if it does, they’ll use it.
The guidance from both the NCSC and IASME, who run the Cyber Essentials scheme, is clear.
Multi-Factor Authentication must be enforced for all interactive logins.
Not a chosen subset of accounts.
All interactive access.
This is because credential theft remains one of the most common attack methods used against small and medium-sized businesses.
Cyber Essentials exists to stop the attacks that happen most often.
MFA is one of the controls that does exactly that.
When we review environments as part of Cyber Essentials certification, the MFA issues are usually predictable.
For example:
Temporary MFA exclusions
Someone needed quick access and MFA was disabled “for now”.
It stayed disabled.
Leaver accounts reused
An employee leaves. Their account gets reused internally.
But sign-in wasn’t blocked first.
Service accounts forgotten
Created years ago, still running quietly, never reviewed.
Shared systems overlooked
Meeting rooms, shared mailboxes or automation services not included in MFA policy.
Each one looks harmless on its own.
But attackers only need one account.
Many SME owners look at Cyber Essentials and think the controls seem simple.
That’s exactly the point.
The scheme focuses on the five technical controls that stop the majority of common attacks.
Individually, these controls are not complicated.
Applied consistently across an organisation, they become extremely effective.
Cyber Essentials is powerful because it forces organisations to apply these controls properly — and then prove they’ve done it.
If you could choose one control that blocks a huge percentage of account compromise attacks, it would be Multi-Factor Authentication.
It stops the account compromise attacks that happen most often.
Which is exactly why Cyber Essentials requires it.
When an organisation fails Cyber Essentials because of MFA gaps, it’s rarely because they didn’t care about security.
It’s usually because nobody had stepped back and asked the simple question:
“Does every account that can sign in require MFA?”
Once businesses ask that question properly, the gap becomes obvious.
And once it’s fixed, the organisation becomes significantly harder to compromise.
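The audit question above, as an added example that is not part of the original article: a Python script that walks a constructed account export and flags every account that can still sign in interactively without MFA, labelling each with one of the failure patterns described earlier (temporary exclusions, leaver accounts, forgotten service accounts, shared resources outside the policy). The column names and sample rows are assumptions, not any particular identity provider's export format.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample inventory (not real data), in the shape an identity
# provider's account export might take. Column names are assumptions.
INVENTORY_CSV = """\
account,kind,sign_in_enabled,mfa_enforced,mfa_excluded_until,last_reviewed,status
alice@example.org,user,true,true,,2024-05-01,active
bob@example.org,user,true,false,2023-11-30,2024-05-01,active
old-intern@example.org,user,true,false,,2022-01-10,left
svc-backup@example.org,service,true,false,,2019-03-02,active
boardroom@example.org,shared_mailbox,true,false,,2024-05-01,active
svc-api@example.org,service,false,false,,2024-05-01,active
"""

SHARED_KINDS = {"shared_mailbox", "meeting_room", "automation"}

def _flag(value):
    return value.strip().lower() == "true"

def audit(csv_text, today=date(2025, 1, 15), review_max_days=365):
    """Return (account, reason) for every account that can sign in interactively
    without MFA. Sign-in-disabled accounts are skipped: they are not an entry point."""
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        if not _flag(row["sign_in_enabled"]) or _flag(row["mfa_enforced"]):
            continue
        # From here on: interactive sign-in works and no second factor is required.
        if row["mfa_excluded_until"]:
            until = date.fromisoformat(row["mfa_excluded_until"])
            state = "expired on" if until < today else "still active until"
            reason = f"temporary MFA exclusion {state} {until}"
        elif row["status"] == "left":
            reason = "leaver account can still sign in (block sign-in before reuse)"
        elif row["kind"] == "service":
            age = (today - date.fromisoformat(row["last_reviewed"])).days
            stale = f", last reviewed {age} days ago" if age > review_max_days else ""
            reason = "service account without MFA" + stale
        elif row["kind"] in SHARED_KINDS:
            reason = f"shared resource ({row['kind']}) outside the MFA policy"
        else:
            reason = "user account without MFA"
        findings.append((row["account"], reason))
    return findings

if __name__ == "__main__":
    for account, reason in audit(INVENTORY_CSV):
        print(f"{account}: {reason}")
```

Running it against a real export means only replacing the constructed CSV; an empty result is the state Cyber Essentials expects.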
For SMEs, cybersecurity doesn’t need to start with expensive technology.
It starts with getting the fundamentals right.
Multi-Factor Authentication is one of those fundamentals.
And Cyber Essentials exists to make sure it’s actually in place.