When a Donegal accountancy firm transferred €18,000 to fraudsters after falling victim to a business email compromise attack, the one control that would have stopped it was Multi-Factor Authentication on the email account that was compromised. They had no MFA on their Microsoft 365 environment. They had no cyber insurance. And they had no way to recover the funds. The attack succeeded because an attacker guessed a password and found no second layer of verification waiting for them.
This is not an isolated incident. The NCSC Ireland has consistently identified the absence of MFA as one of the most significant contributing factors in successful cyberattacks against Irish organisations. MFA blocks the vast majority of automated credential compromise attacks. For an Irish SME, it offers an exceptionally high return on a modest investment in both time and cost. The challenge is not understanding why MFA matters — it is rolling it out in a way that minimises disruption and maximises adoption.[^1]
WHAT: A Phased Approach That Works for Irish Businesses
Rolling out MFA across an organisation does not need to be a disruptive, all-at-once event. A phased approach — starting with the highest-risk systems and working towards the most advanced protection — allows staff to adapt, gives your IT team time to address issues as they arise, and produces a measurable security improvement at each stage rather than requiring everything to be perfect before anything is protected.
The roadmap below moves from Essential 8 Maturity Level 1 alignment to full CyFUN Protect compliance — the framework the NCSC Ireland recommends as the preferred approach for demonstrating NIS2 readiness.
Phase 1 — Email and cloud applications. This is where most attacks begin and where MFA delivers the greatest immediate benefit. Enable MFA for every user account accessing email and cloud productivity tools — Microsoft 365 or Google Workspace. Use the Microsoft Authenticator app or Google Authenticator rather than SMS codes, which can be intercepted. Start with a pilot group of ten to fifteen users, resolve any support issues, and then roll out to the full organisation. This phase aligns with Essential 8 Maturity Level 1 and the CyFUN Protect baseline. A compromised email account without MFA is the starting point for invoice fraud, data exfiltration, and supply chain attacks — protecting email first is protecting everything that flows through it.[^2]
Phase 2 — VPN and remote access. With remote and hybrid work now standard across Irish businesses, VPN connections and remote desktop gateways are prime targets. An attacker who compromises a VPN credential without MFA has direct access to your internal network. Extend MFA to all remote access points — this may require a dedicated authenticator app or hardware tokens for higher-risk users. The cost is modest; the protection is significant.
Phase 3 — Privileged accounts. Administrator accounts — for servers, Microsoft 365, network equipment, and business applications — hold the keys to your entire operation. If an attacker compromises a Global Administrator account in Microsoft 365, they can access every mailbox, change every password, and modify every security setting in your environment. Protect every privileged account with the strongest available MFA method, ideally a hardware security key. Keep the number of Global Administrators to the absolute minimum — two is typically sufficient for an SME.
Phase 4 — Phishing-resistant MFA. Standard MFA — authenticator apps and SMS codes — can still be bypassed by sophisticated attackers using adversary-in-the-middle phishing or MFA fatigue attacks. FIDO2 security keys and passkeys address this vulnerability by cryptographically binding authentication to the legitimate website, making it impossible for an attacker to relay your authentication to a fake site. This is the highest level of assurance available and the goal of the CyFUN Protect framework for Irish organisations seeking to demonstrate NIS2 compliance.
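The origin binding described above, as an added illustration in Go that is not part of this article: the relying party checks the origin and rpIdHash that a FIDO2 authenticator signs over, so an assertion collected on a look-alike domain is rejected and cannot be edited to pass. The RP ID, origins and challenge are constructed for the example; a real browser additionally refuses an RP ID that does not match the page origin, which this simulation leaves entirely to the relying-party check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn CollectedClientData; the browser, not the page, sets origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

// NewAuthenticator creates the per-site key pair a passkey or FIDO2 key holds.
func NewAuthenticator() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedDigest is what ECDSA signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// MakeAssertion simulates browser plus authenticator: SHA-256(rpID) || user-present flag, signed with client data.
func MakeAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // constructed: counters and extensions omitted
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, err
}

// VerifyAssertion is the relying-party check; the signature covers origin and rpIdHash, so a relayed assertion fails edited or not.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, a Assertion) error {
	var cd clientData // a parse failure leaves cd empty and fails the checks below
	_ = json.Unmarshal(a.ClientDataJSON, &cd)
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return fmt.Errorf("client data rejected: type %q, origin %q (want %q)", cd.Type, cd.Origin, origin)
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(a.AuthenticatorData) < 33 || string(a.AuthenticatorData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash does not belong to %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature invalid: client data or authenticator data altered")
	}
	return nil
}
```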
Does your business have MFA enabled on every account, or just most of them? Book a free 20-minute strategy call — a thirty-minute review of your Microsoft 365 or Google Workspace configuration will identify exactly where the gaps are.
WHAT NOW: Managing the "My Staff Will Hate It" Objection
The most common reason Irish SME owners give for delaying MFA is user resistance. Staff find it inconvenient. They complain. They bypass it where they can. This concern is understandable, but the solution is communication and process rather than delay.
Explain the specific risk to your team. Share a real example — the Donegal accountancy firm, the 2021 HSE attack, any recent incident that is close to your sector or geography. Make the threat concrete rather than abstract. Then frame MFA not as an imposition but as protection for them personally: many people use the same passwords across work and personal accounts, and a compromised work account can expose their personal accounts too.
Choose methods that minimise friction. Authenticator apps are generally well-received because they are quick — a single tap on a phone. SMS codes are slightly more disruptive but may be appropriate for a transitional period. Start with Phase 1 only and let staff adjust before moving to Phase 2. Provide hands-on training, not just an email. Offer dedicated support for the first two weeks.
The Data Protection Commission's expectations around access control include the obligation to implement appropriate technical measures to protect personal data — and MFA is the minimum standard for any system holding personal data belonging to clients or staff.[^3]
WHY IT MATTERS: The Regulatory and Business Context
An Garda Síochána's National Cyber Crime Bureau reports that business email compromise and credential theft — both directly mitigated by MFA — are among the most prevalent and costly cyber threats facing Irish businesses. The NIS2 Directive, now transposed into Irish law, explicitly requires that access control measures include multi-factor authentication for all users accessing essential and important entity systems. For businesses in scope for NIS2, enabling MFA is not just good practice — it is a legal requirement.
The CyFUN framework published by the NCSC Ireland maps directly to NIS2 requirements. CyFUN Protect level alignment requires MFA on all user accounts, phishing-resistant MFA for privileged access, and documented evidence that these controls are in place. The phased roadmap above is designed to deliver exactly this outcome.
MFA is not optional. For NIS2-regulated Irish businesses, it is a legal obligation — and for everyone else, it is the single highest-return security investment available.
WHAT NEXT: Three Actions This Week
1. Enable MFA for all Microsoft 365 users today using Security Defaults if you have not already done so. This is a single switch in the Microsoft Entra admin centre and takes five minutes to enable.
2. Review your privileged accounts. List every Global Administrator in your Microsoft 365 tenant. If there are more than four, reduce the number. Ensure every admin account has MFA enabled. Use a dedicated admin account, not your regular email account, for administrative tasks.
3. Schedule a Phase 2 rollout for the next 30 days. Identify your VPN and remote access systems. Plan the MFA enablement process, identify who will need support, and communicate the change to affected staff before it happens.
Related Reading
- MFA Bypass: How Hackers Are Defeating Multi-Factor Authentication
- Microsoft 365 Security Settings Every Irish SME Should Enable Today
- NIS2 Board Liability: Can Irish Directors Be Personally Liable?
[^1]: NCSC Ireland — advice and guidance on multi-factor authentication: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission Ireland — technical controls and access management: https://www.dataprotection.ie
[^3]: An Garda Síochána — National Cyber Crime Bureau on credential theft: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.