There’s a question I get asked more than almost any other when I’m talking to business owners: “We’ve got strong passwords and we use a password manager — we’re pretty safe, right?”

It’s a fair assumption. Password managers are genuinely good tools and a huge step up from sticky notes or reusing the same password across ten different logins. But in 2026, they’re table stakes — not a finish line.

The reason is simple: the biggest threat to your business right now isn’t someone cracking your password. It’s someone using a perfectly valid one.

The credential problem

More breaches today start with stolen or phished credentials than with any kind of technical exploit. Attackers aren’t kicking down the door — they’re walking in with a key.

How do they get that key? Usually one of three ways: a phishing email that looks convincing enough to fool your staff, credentials leaked in a third-party data breach you had no control over, or a login that was set up for a contractor six months ago and never turned off when they left.

In 2026, cyber incidents cost SMBs an average of $120,000 to $1.24 million per attack. The most common entry point isn’t a zero-day exploit or nation-state hacker — it’s a compromised login that nobody noticed.

Identity is the new perimeter

For a long time, cybersecurity thinking was about perimeters — keep the bad stuff out of your network, and you’re fine. That model doesn’t hold anymore. Your data lives in Microsoft 365, in cloud apps, in systems your staff access from their home laptops and phones. There’s no wall to hide behind.

What replaces the perimeter is identity. The question your security posture needs to answer isn’t just “is this person inside our network?” — it’s “is this actually who they say they are, and should they have access to this right now?”

That shift changes what you need to invest in.

What actually moves the needle

The good news is that identity security doesn’t have to be complicated or expensive, especially for SMBs. A handful of fundamentals will handle the vast majority of your risk:

Multi-factor authentication (MFA) — and not just any MFA. SMS codes are better than nothing, but an authenticator app or hardware key is meaningfully harder to bypass. If you’re on Microsoft 365, enabling phishing-resistant MFA for all accounts is one of the highest-return actions you can take right now.

Conditional access — this means your systems only grant access when certain conditions are met: a trusted device, a known location, a user account that’s actually still active. It sounds technical, but modern platforms make it manageable without a large IT team.

Fast, reliable offboarding — when a staff member leaves or a contractor’s engagement ends, their access needs to go with them. Immediately. Not “when someone remembers.” This is one of the most commonly overlooked risks in small and mid-sized businesses, and one of the easiest to fix with the right processes in place.

Regular access reviews — who actually needs access to what? Over time, permissions accumulate. That admin account from a past IT project, the shared login that “everyone uses” — these are risks sitting quietly in your environment. A quarterly review doesn’t take long and can uncover more than you’d expect.
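
As an added illustration (not part of the original article, and not Cyberfy tooling), here is a small Python sketch of what a quarterly access review can check in one pass: offboarding gaps, shared logins, weak or missing MFA, and logins nobody has used in months. The CSV columns, account names and 90-day threshold are assumptions constructed for the example; a real export from your identity platform will use different field names.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real platform schema.
SAMPLE_EXPORT = """\
account,owner_status,enabled,mfa_method,is_admin,last_sign_in
alice@example.com,employed,true,hardware_key,false,2026-03-01
bob@example.com,left,true,authenticator_app,false,2025-09-12
contractor1@example.com,contract_ended,true,none,false,2025-08-30
it-project-admin@example.com,employed,true,sms,true,2025-06-15
shared-frontdesk@example.com,shared,true,none,false,2026-03-02
carol@example.com,left,false,authenticator_app,false,2025-11-20
"""

STALE_AFTER_DAYS = 90  # assumed review threshold


def review_accounts(export_text, today):
    """Return {account: [findings]} for enabled accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "true":
            continue  # already disabled, so there is no login left to abuse
        issues = []
        if row["owner_status"] in ("left", "contract_ended"):
            issues.append("offboarding gap: owner gone, login still enabled")
        if row["owner_status"] == "shared":
            issues.append("shared login: no single accountable owner")
        if row["mfa_method"] == "none":
            issues.append("no MFA")
        elif row["mfa_method"] == "sms":
            issues.append("SMS-only MFA")
        idle = (today - date.fromisoformat(row["last_sign_in"])).days
        if idle > STALE_AFTER_DAYS:
            kind = "admin account" if row["is_admin"] == "true" else "account"
            issues.append(f"{kind} unused for {idle} days")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_accounts(SAMPLE_EXPORT, date(2026, 3, 10)).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

In the sample data, the departed staff member and the ended contractor both still have working logins, which is exactly the case the offboarding point above describes.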

The bigger picture

Identity security isn’t a one-time fix — it’s an ongoing discipline. But it’s also one of the areas where investing early pays off the most. Insurance premiums are increasingly tied to the maturity of your identity controls. And beyond insurance, customers and partners are starting to ask harder questions about how you manage access to shared data and systems.

The businesses that get ahead of this aren’t necessarily the ones spending the most on security tools. They’re the ones treating access management as a core business habit — planned, reviewed, and maintained consistently.

If you’re not sure where your organisation stands, that’s usually the right place to start.


Cyberfy works with businesses on practical, no-nonsense cybersecurity. If you’d like a plain-English conversation about where your identity security stands, get in touch.