Exploring OpenCASE:  Priority 1 - Protect your user accounts

In this series of articles, we’re going to dive into the details of each of OpenCASE’s 11 priorities, explaining the thinking behind them, and exploring the motivations for each Implementation Level.

So without further ado, let’s talk about…

Priority 1 - Protect your user accounts.

The first, and most obvious, question to ask about Priority 1 is “Why is protecting user accounts priority 1?” What makes protecting user accounts so important - more important than protecting your people, or anything else?

Simply put, it’s because user accounts are the most common way that organisations get compromised by cyber-criminals. According to the 2025 Verizon DBIR, compromised credentials are still the most common cause of breaches for both large and small organisations - even in the face of a recent spike in vulnerability exploitation against VPN appliances commonly used by larger enterprises.

In small enterprise, where the workforce is distributed and all IT resources are in the cloud, user accounts are the new perimeter of the IT environment. This is a blessing for cyber-criminals, who can cheaply acquire stolen credentials on the dark web, or use tried and tested techniques like phishing and password spraying to break into email accounts and online web applications. With the prevalence of “Bring Your Own Device” in small organisations, the risk that company passwords could be stolen from a compromised personal device is also a huge concern.

So if you’re only going to do ONE THING to improve the cybersecurity of your small enterprise - Protect your user accounts!

Implementation Level 1: Enforce multi-factor authentication for primary user accounts.

It should come as no surprise that the first step in protecting user accounts is to enforce multi-factor authentication. While it’s not bullet-proof, it’s the strongest and most effective defense a small enterprise has at its disposal. It’s also basically free - being a function that’s built into your online platforms and doesn’t require any additional tools.

At Implementation Level 1, we’re specifically targeting primary user accounts - think email, chat, file sharing, etc. Practically speaking, it’s likely to be Microsoft 365 or Google Workspace. This is the most critical IT platform for a small business to protect because it’s likely to be where the most sensitive data is. It’s also what fraudsters will use to try things like Business Email Compromise and invoice fraud.

Implementation Level 2: Don’t use weak multi-factor authentication methods.

Not all MFA methods are created equal. While any MFA is better than none, some methods are much easier for cyber-criminals to intercept or exploit than others.

Email is not safe, as it’s possible that the MFA code could be intercepted - and if your email account is compromised then so are your MFA codes. SMS text messages and automated voice calls are marginally better than email, but still open to abuse by cyber-criminals. The protocols which underpin “modern” phone technology are sadly full of well-known vulnerabilities and are commonly exploited by cyber-criminals. In addition, the rapid rise of SIM-swapping and number-porting attacks shows that even if the protocols were secure, cyber-criminals can still exploit weak processes at phone companies (or just overly “helpful” staff).

Ideally, you should rely only on MFA methods which use more modern technology, such as mobile-app-based number matching, hardware tokens such as YubiKey, or biometrics. Even the older app-based one-time codes are still pretty good.
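As an added example (not part of the OpenCASE material or the original article), here is a small Python audit that reads a constructed per-user export of registered MFA methods and sorts each user into the tiers the article describes: no MFA at all (a Level 1 gap), weak methods only (a Level 2 gap), or a strong method with a weak one still registered alongside it. The CSV layout and the method names are assumptions for the example.

```python
import csv
import io

# Constructed sample export (not from any real tenant or vendor tool): one row
# per user, with registered MFA methods separated by ';'. The column layout
# and method names are assumptions made for this example.
SAMPLE_EXPORT = """user,methods
alice@example.com,authenticator_number_match;sms
bob@example.com,sms;voice
carol@example.com,
dave@example.com,hardware_token
erin@example.com,email;totp
"""

# Tiers follow the article: email, SMS and voice are weak; app number
# matching, hardware tokens, biometrics and app one-time codes are acceptable.
WEAK = {"email", "sms", "voice"}
STRONG = {"authenticator_number_match", "hardware_token", "biometric", "totp"}


def parse_export(text):
    """Return {user: set(methods)} from the constructed CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["user"]: {m for m in row["methods"].split(";") if m}
            for row in reader}


def classify_user(methods):
    """Map a user's registered methods to one of four findings."""
    unknown = methods - WEAK - STRONG
    if unknown:
        raise ValueError(f"unrecognised method(s): {sorted(unknown)}")
    if not methods:
        return "NO_MFA"         # Level 1 gap: nothing enforced for this user
    if not methods & STRONG:
        return "WEAK_ONLY"      # Level 2 gap: only interceptable methods
    if methods & WEAK:
        return "WEAK_FALLBACK"  # strong method present, weak one still usable
    return "OK"


def audit(text):
    """Return {user: finding} for every user in the export."""
    return {user: classify_user(m) for user, m in parse_export(text).items()}


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT).items():
        print(f"{finding:14} {user}")
```

A user flagged WEAK_FALLBACK has done the right thing by registering a strong method, but the weak one should still be removed, since the article's point is that a weak method remaining available is a weak method an attacker can target.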

Implementation Level 3: Use single sign-on or multi-factor authentication with all cloud applications.

Single sign-on is a game changer for small enterprise. We all know that users hate having to sign into things all the time, not to mention the difficulties in getting them to use different, complex passwords for everything. All of these problems go away if your users can access their cloud applications with the same account they use for their email.

Fortunately, both Microsoft and Google provide the mechanisms to facilitate SSO with their platform out of the box. It does require modest technical skill to set it up, but it’s well worth the effort, both in terms of risk reduction, and how much your users will love it.

Unfortunately, many cloud applications are stingy with SSO, and only offer it to customers who buy their most expensive plans. This is understandably a deal breaker for almost any small organisation. In these situations, the recommendation is to extend your use of MFA from just primary user accounts to all your cloud applications. Yes, the user experience is crap and your users will probably hate it, but at a certain point of maturity, a business needs to accept that protecting its information and its reputation is worth a little user inconvenience.

Conclusion

I hope after reading this you have a better understanding of OpenCASE Priority 1, and a greater appreciation for why I decided to make protecting user accounts the most important thing.

Stay tuned over the coming weeks for more articles in this series covering each of OpenCASE’s priorities.
