Picture this, you come into work on Monday, open your email and discover that there have been multiple emails sent from your work account over the weekend. What could have happened? Most cyberattacks don’t start from hackers breaking through layers of security, they start with weak or stolen passwords.

Why are passwords so valuable to attackers? The passwords of your employees provide authentication. These passwords are normally linked to business email accounts, which often contain information in them about financial systems, company files, and customer information. Once an attacker gains access to your account, they can often blend in with normal traffic quite easily.

Passwords get stolen in a multitude of ways. Phishing emails: People aren’t perfect; attackers send emails that try to look like they are from co-workers, trusted companies or higher-ups. The purpose of these emails is to try to get the employees to click a link and sign in on a new login page that has been specially crafted to steal their credentials. Data Breaches: Large websites and companies get targeted every year. Just recently, Carnival Corporation had a data breach affecting about 6 million travelers, leaking data such as names, addresses, Dates of Birth, Driver’s license numbers, and passport numbers. If an employee reuses passwords across many different services, this can lead to their work email being compromised.

Many small businesses often believe they are too small to be targeted by such attacks. Unfortunately, attackers often look for easy targets rather than large, complex ones. The good news is that this problem has a solution. While multi-factor authentication (MFA) does not prevent credentials from being stolen, it does make stolen credentials much harder for attackers to use by requiring an additional verification step. Combined with unique passwords, security awareness training, and a password manager, MFA can help make your company a much harder target.

I’ve had many users tell me they don’t like having to type in a code every time or even every few times they log in to company resources. The truth is that MFA can stop many attacks before they even start. Even if your password is stolen, an attacker will not be able to sign in to your account without the second authentication factor. Organizations can take this protection even further with Conditional Access policies, which can require additional verification when a sign-in appears risky, comes from an unfamiliar location, or originates from an unmanaged device. Together, MFA and Conditional Access create multiple layers of defense that make it much harder for attackers to gain access to company resources.

Using unique passwords makes them harder to guess or crack, and pairing them with a password manager reduces the need for users to memorize complex credentials. Security awareness training adds another important layer by teaching employees how credential theft happens in the first place. Through training, users can learn how to spot phishing emails, avoid fake login pages, recognize suspicious links or attachments, and understand the risks of password reuse. When employees are trained to pause and verify before entering their credentials, they become much less likely to hand those credentials directly to an attacker.

Keeping users up to date on what they could potentially be facing, whether that be phishing emails or malicious website links, in an era where technology is advancing every day, it is our job to stay vigilant and keep our users sharp.