What Is Multi-Factor Authentication (MFA) and Why Does My Business Need It?
A clear, direct answer to this question — written for UK business owners and IT decision-makers.
Direct Answer
Multi-factor authentication (MFA) requires users to verify their identity using two or more factors: something they know (password), something they have (phone app or token), or something they are (biometric). MFA prevents over 99.9% of account compromise attempts — yet only 40% of UK businesses have it enabled. Every business should enforce MFA on all accounts, especially email, cloud services, and remote access. It is required by Cyber Essentials and most cyber insurers.
Frequently Asked Questions
Yes. Microsoft explicitly states they are not responsible for data backup. Microsoft provides only limited short-term retention (14-93 days). 87% of IT professionals reported experiencing SaaS data loss in 2024. Only 15% of organisations were able to fully recover all their data after a loss incident.
Microsoft Defender's online detection rate is 88.6% — significantly lower than top-tier products at 97-99%. Defender provides adequate baseline protection but independent testing shows detection gaps. For businesses with higher risk profiles, layered security with third-party MDR is recommended.
Business Premium (£16.90/user/month) includes Defender for Business, Intune device management, Entra ID P1 for conditional access, and Purview DLP — none of which are available in Standard (£9.60/user/month). For businesses with security concerns, Premium is the recommended tier.
Yes. 50% of small businesses (10-49 employees) reported a cybersecurity breach in 2025. UK small businesses face around 65,000 hack attempts daily, with approximately 4,500 successful breaches. More than a quarter of SMBs say a single cyber attack could put them out of business entirely.
The average cost of the most disruptive breach is £3,550 for UK businesses. For businesses that experienced negative outcomes such as data loss or financial theft, the average cost rises to £8,260. Medium and large businesses face average costs of £10,830 per disruptive incident.
Related Questions
Microsoft 365 Security
MFA is enforced via Conditional Access in Microsoft 365 — AMVIA configures and manages this as part of the managed M365 service.
Cyber Essentials Certification
MFA is a core requirement of Cyber Essentials — get certified and demonstrate your security posture.
Cybersecurity Guide for UK SMEs
MFA is the single most impactful security control — learn how it fits within a broader programme.