MFA, Sardines, and the Myth of Being "Too Small to Target"
More than 60% of cyberattacks target small and mid-sized businesses
Most executives today would never leave the front door of their office wide open. But when it comes to cybersecurity, too many still leave the digital door unlocked. I recently heard a story from a colleague who runs a managed service provider (MSP) that perfectly captures why reasonable security practices like Multi-Factor Authentication (MFA) are so critical—and why some businesses are setting themselves up to get caught.
His client refused to implement MFA.
If you’re not familiar, MFA is simple: before I let you into my network, you prove you're you. A username and password aren’t enough anymore—they’re too easy to steal. MFA means confirming your identity with a second factor: a one-time code sent by text, a code from an authenticator app that refreshes every 60 seconds, or even a live video of your face.
How good is it? Microsoft research shows MFA blocks more than 99% of account compromise attacks.
So why resist?
When the MSP asked, the executive said, "It’s too cumbersome. It slows people down. Besides, we’re small. Cybercriminals aren't interested in us."
Here’s the reality: neuroscience shows that after about three weeks, MFA becomes just another automatic habit, like brushing your teeth.
And that "we're too small" excuse? More than 60% of cyberattacks target small and mid-sized businesses, according to the FBI and Verizon. The average loss? Between $120,000 and $1.24 million.
I suggested to the MSP that he ask the executive what the loss of $120,000 would do to the company's growth plans and to his bonus.
Small doesn’t mean safe. It just means you’re easier to net.
It reminds me of a trip my wife and I took to Portugal. We toured a sardine factory in Porto that processed 40,000 sardines a day. The fishermen didn’t pick them one by one. They caught whatever got swept into the net.
You don’t want your business to be just another sardine.