A 2025 review of breached Nigerian SMEs found a remarkably consistent pattern. Email had multi-factor authentication. The accounting system did not. Neither did the customer database, the cloud admin console, the CRM, the file storage, or the version control system. The attackers walked through every one of them using credentials that did not need a second factor.
MFA on email is the start of the conversation, not the end.
Where MFA is critical and often missing
- Cloud provider consoles (AWS, Google Cloud, Azure) for any account with billing, IAM, or admin access.
- Domain registrar accounts. A compromise here lets attackers redirect your traffic and email.
- Accounting systems (Sage, QuickBooks, Xero). Direct access to invoices, payment runs, and banking integrations.
- CRM platforms. Customer data, contracts, pipeline value.
- Version control (GitHub, GitLab, Bitbucket). Source code, secrets, deployment keys.
- File storage (Google Drive, OneDrive, Dropbox). Often holds the data nobody remembers is there.
- Communications (Slack, Microsoft Teams). Sensitive internal threads and tokens that grant integration access.
- HR systems. Employee personal data, salary information, banking details.
- Payment processors (Paystack, Flutterwave) and bank portals. Direct financial loss potential.
- SSO providers themselves (Okta, Google Workspace, Microsoft 365). A compromise here cascades across everything.
- Domain DNS providers. Less often a target, catastrophic when one.
- Password manager itself. The vault holding the rest must be the most strongly protected of all.
Not all MFA is equal
SMS-based MFA is better than nothing but is vulnerable to SIM-swap attacks, which are increasingly common in Nigeria. Where the system supports it, prefer authenticator apps (Google Authenticator, Authy) or, for the most sensitive accounts, hardware security keys (YubiKey, Google Titan). Hardware keys are particularly worth the cost for cloud admin consoles, domain registrars, and password manager master accounts.
A weekend project worth doing
Block out one Saturday morning. Open every system on the list above. Verify MFA is enabled for every active account. Where it is not, enable it. Where authenticator-app MFA is offered, switch from SMS. Where hardware keys are an option for admin accounts, order them.
You will close a class of risk that no firewall, no audit, and no awareness training will close as cheaply. Then update your onboarding checklist so the next new hire does not undo your work in week two.