Why SMEs are uniquely exposed
SMEs often have the perfect storm:
* Shared admin access “temporarily” that becomes permanent.
* Outsourced IT with informal identity change requests.
* Finance workflows that still rely on email trust and speed.
* Busy staff who see security prompts as interruptions.
Add in your note that leaked credentials are the initial attack vector in 22% of confirmed breaches, and it becomes clear why IAM needs a reset. A stolen password is not a rare event; it is a routine input to criminal business models.
Actionable guidance: SME IAM steps that rebuild trust without big spend
This is a practical, prioritised approach that works for most small businesses using common cloud tools.
1) Protect the accounts that can hurt you most
Start with:
1. Email admins and global admins
2. Finance users and payment approvers
3. Remote access and IT support tool
4. Anyone who can reset passwords or MFA
2) Upgrade MFA from “checkbox” to “resistant to pressure”
* Prefer authenticator app methods over SMS where possible.
* Turn on settings that reduce accidental approvals, such as number matching.
* For directors and finance, consider stronger factors if available, rather than the easiest option.
3) Fix MFA reset and identity proofing, because that is the real back door
Write down a simple rule: no MFA reset on the basis of an email request alone. Use a second channel and a known-good contact method. If you outsource IT, make this part of your support agreement.
4) Reduce the blast radius with least privilege
* Remove shared admin accounts. Use named admin accounts and keep them separate from day-to-day email.
* Limit who can change mailbox rules, add new users, or approve new devices.
5) Treat customer trust as an IAM outcome
Your notes include a powerful commercial point: 66% of consumers say they trust a company more if it requires MFA. Done well, MFA is not friction for its own sake. It signals that you take customer data and account security seriously.
Authority and evidence
The data points in your notes tell a consistent story: password-only access is outdated, credential leakage is industrialised, and attacker behaviour has shifted to “log in, do damage fast”. If your business runs on cloud accounts, IAM is not an IT detail. It is core operational risk management.
This week, pick your top two systems (usually email and finance) and implement a “trust rebuild” sprint: enforce MFA for every user, lock down reset processes, and remove shared admin access.
