Glossary

Multi-factor authentication (MFA)

Requiring a second proof of identity beyond a password. The single highest-return security control for an SME.

Multi-factor authentication asks for something more than a password, usually a code, a prompt or a hardware key, so a stolen password alone is not enough to get in. Microsoft's data has it blocking the overwhelming majority of automated account-compromise attacks, and stolen credentials are the entry point in a large share of breaches.

It reduces how often you get hit (the frequency term in expected annual loss) across ransomware, data breach and BEC at once. It does not stop lookalike-domain spoofing, and weak second factors are bypassed by adversary-in-the-middle phishing, so use phishing-resistant factors where money moves. If you do one thing, do this one.
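The difference between a factor that adversary-in-the-middle phishing can relay and one it cannot comes down to origin binding: a one-time code is just digits that verify wherever they are typed, whereas a FIDO2/WebAuthn assertion is signed together with the origin the browser actually loaded, so a lookalike page produces an assertion the real service rejects. The script below is an added illustration of that property, not code from this glossary. The origins, secrets, challenge and timestamp are constructed, and an HMAC stands in for the authenticator's private key so it runs with the standard library only (real WebAuthn uses an asymmetric key pair).

```python
"""
Added illustration (not from the glossary): why a one-time code can be relayed
by an adversary-in-the-middle (AitM) page, while an origin-bound assertion
(the property behind FIDO2/WebAuthn security keys and passkeys) cannot.
Names, origins and secrets below are constructed for the demo.
"""
import hashlib
import hmac
import json
import struct

# Constructed values: the real service origin and a lookalike origin.
# Neither is a real site.
RP_ORIGIN = "https://portal.example-sme.test"
LOOKALIKE_ORIGIN = "https://portal-example-sme.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), as used by authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp_server_accepts(secret: bytes, code: str, unix_time: int) -> bool:
    """The server only checks the digits; it cannot know where they were typed."""
    return hmac.compare_digest(totp(secret, unix_time), code)


def authenticator_sign(cred_key: bytes, challenge: str, origin_seen: str) -> tuple[bytes, bytes]:
    """Browser + authenticator: sign the challenge together with the origin the
    browser actually loaded. HMAC stands in for the authenticator's private key
    so this runs offline; real WebAuthn uses an asymmetric key."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen}, sort_keys=True).encode()
    return client_data, hmac.new(cred_key, client_data, hashlib.sha256).digest()


def rp_verify(cred_key: bytes, expected_challenge: str, client_data: bytes, sig: bytes) -> bool:
    """Relying party: the signature must verify AND the signed origin must be ours."""
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == expected_challenge and data["origin"] == RP_ORIGIN


def demo() -> dict:
    totp_secret = b"12345678901234567890"      # constructed shared secret (RFC 6238 test value)
    cred_key = b"constructed-credential-key"   # constructed credential secret
    now = 1_700_000_000                        # fixed time so the demo is deterministic
    challenge = "c0ffee-constructed-challenge"

    # 1. Code-based factor: the user reads the code off their app and types it into
    #    whatever page they are on. Nothing binds the digits to that page, so a
    #    page that forwards the string unchanged gets the same "accepted" answer.
    code_user_typed = totp(totp_secret, now)
    code_accepted_when_relayed = totp_server_accepts(totp_secret, code_user_typed, now)

    # 2. Origin-bound factor: the browser signs the origin it is really on. On the
    #    real site the origin matches; on a lookalike page it does not, so the
    #    relying party rejects the assertion even though the signature is valid.
    cd_real, sig_real = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    cd_fake, sig_fake = authenticator_sign(cred_key, challenge, LOOKALIKE_ORIGIN)

    return {
        "totp_accepted_when_relayed": code_accepted_when_relayed,
        "webauthn_accepted_on_real_origin": rp_verify(cred_key, challenge, cd_real, sig_real),
        "webauthn_accepted_when_relayed": rp_verify(cred_key, challenge, cd_fake, sig_fake),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The origin check in `rp_verify` is the whole point: the relying party does not trust the client to say which page it was on, it verifies that the origin was part of the signed data and equals its own. That is why "where money moves" the glossary's advice is a hardware key or passkey rather than a code or a push prompt.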