MFA Is Not Enough: The 7 Controls Every SaaS Company Needs

Security · 8 min read

The MFA illusion

MFA is table stakes. It protects exactly one attack vector: stolen or guessed credentials. That's important — credential stuffing and phishing are still the most common initial access techniques — but it's one vector out of many. MFA does nothing for unmanaged devices connecting to your systems. Nothing for missing backups when ransomware hits. Nothing for the absence of logging that means you won't detect a breach for months. Nothing for the former employee who still has access to your production environment.

Most SaaS companies we assess have MFA enabled and believe they're "pretty secure." When we look deeper, they're missing 4-5 of the 7 controls that actually constitute a security baseline. MFA is where security starts. It's not where it ends.

1. Identity and access management

Single sign-on across all applications — not just the ones that make it easy. Role-based access control so people only access what they need for their job. Quarterly access reviews to catch permission creep. Automated provisioning when someone joins and immediate deprovisioning when someone leaves.

The test is simple: if someone leaves your company today, how long until every single account, token, and access right is revoked? If the answer is "a few days" or "when IT gets around to it," you have an identity and access management problem. The correct answer is 24 hours or less, and it should be triggered automatically — not dependent on someone remembering to run through a checklist.

2. Endpoint protection (EDR)

Every device that touches company data needs managed endpoint detection and response. Not consumer antivirus. Not "Windows Defender is probably fine." Real EDR with behavioural detection, 24/7 monitoring by a security operations team, automated isolation of compromised endpoints, and forensic capability when something goes wrong.

The difference between antivirus and EDR is the difference between a lock on your door and a security system with cameras, motion sensors, and a response team. Antivirus catches known malware signatures. EDR catches anomalous behaviour — the attacker who's using legitimate tools in illegitimate ways, the lateral movement that signature-based detection will never see.

3. Device management (MDM)

Company devices enrolled in a mobile device management platform. Disk encryption enforced — not "recommended," enforced. Remote wipe capability for lost or stolen devices. Operating system and patch compliance monitored and alerted. A clear BYOD policy with technical controls that enforce the boundaries, not just a document that asks people to be careful.

Without MDM, you have no visibility into the security posture of the devices accessing your data. You don't know which laptops are running unpatched operating systems. You can't remotely wipe a stolen device. You can't enforce encryption. You're trusting that every employee maintains their device to a standard you've never defined and can't verify.

4. Backup and recovery

SaaS data is not automatically backed up. This is the misconception that burns companies most often. Microsoft 365 has a retention policy, not a backup. Google Workspace has a recycle bin, not a backup. Your CRM, your project management tool, your code repositories — if a user deletes data, if ransomware encrypts it, if an API integration goes haywire and corrupts records, your SaaS provider will not restore it for you.

Independent backup with tested recovery is non-negotiable. "Tested" means you've actually performed a restoration and verified the data integrity — not "we assume it works because the backup job completed." The backup that's never been tested isn't a backup. It's a hope.

5. Logging and monitoring (SIEM)

If you can't see what's happening in your environment, you can't detect incidents. The average time to detect a breach is 204 days (IBM, 2024). That's not because attackers are sophisticated. It's because most companies have no centralised logging, no alerting, and no one watching.

A SIEM (Security Information and Event Management) platform collects logs from across your environment — identity provider, email, endpoints, cloud infrastructure, applications — normalises them, correlates events, and alerts on anomalies. When someone logs in from an unusual location, when a service account behaves abnormally, when data exfiltration patterns emerge — you need to know immediately, not 7 months later during a routine audit.
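The correlation rules named above (unusual login location, a service account behaving abnormally, a data-exfiltration pattern) as runnable detection logic over a handful of constructed events. This is an added example, not code from the article or from any SIEM product; the key=value log format, the `svc-` naming convention for service accounts, and the 1 GB / 10 minute download threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised events such as an IdP or application export might yield (not real data).
SAMPLE_LOGS = """\
2024-05-01T08:00:00Z user=alice event=login country=NL
2024-05-01T08:05:00Z user=bob event=login country=NL
2024-05-02T08:01:00Z user=alice event=login country=NL
2024-05-03T03:12:00Z user=alice event=login country=BR
2024-05-03T03:20:00Z user=svc-backup event=interactive_login country=NL
2024-05-03T03:25:00Z user=alice event=download bytes=400000000
2024-05-03T03:27:00Z user=alice event=download bytes=700000000
2024-05-03T09:00:00Z user=bob event=download bytes=5000000
"""

def parse(raw):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed datetime."""
    events = []
    for line in raw.splitlines():
        ts, rest = line.split(maxsplit=1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def detect(events, exfil_bytes=1_000_000_000, window=timedelta(minutes=10)):
    """Three correlation rules over a time-ordered event stream; returns alert tuples."""
    alerts, seen_countries, downloads = [], defaultdict(set), defaultdict(list)
    for ev in events:
        user = ev["user"]
        if ev["event"] in ("login", "interactive_login"):
            # Rule 1: country never seen for this user before (a real SIEM seeds this from history)
            if seen_countries[user] and ev["country"] not in seen_countries[user]:
                alerts.append(("unusual_location", user, ev["country"]))
            seen_countries[user].add(ev["country"])
            # Rule 2: service accounts (assumed 'svc-' prefix) should never log in interactively
            if user.startswith("svc-") and ev["event"] == "interactive_login":
                alerts.append(("service_account_interactive", user, ev["country"]))
        elif ev["event"] == "download":
            # Rule 3: download volume per user within a sliding time window
            downloads[user].append((ev["ts"], int(ev["bytes"])))
            downloads[user] = [(t, b) for t, b in downloads[user] if ev["ts"] - t <= window]
            total = sum(b for _, b in downloads[user])
            if total > exfil_bytes:
                alerts.append(("bulk_download", user, total))
    return alerts
```

Running `detect(parse(SAMPLE_LOGS))` fires one alert per rule on the sample; the point is that each rule needs events from a different source (identity provider, endpoint, application) correlated in one place.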

6. Security policies

Not shelf documents. Not templates downloaded from the internet with your logo added. Living policies that reflect your actual environment, your actual risk profile, and your actual operational procedures. Acceptable use policy. Data classification policy. Incident response plan. Vendor management policy. Access control policy. Business continuity plan.

These policies serve three purposes: they tell your team what's expected, they provide evidence for compliance frameworks and enterprise security questionnaires, and they give you a documented process to follow when things go wrong. The company without an incident response plan doesn't respond well to incidents. The company without a vendor management policy doesn't manage vendor risk. The policy is the foundation for the practice.

7. Offboarding

The most neglected control in every environment we assess. When someone leaves — whether voluntarily or not — every account, device, access token, SSH key, API credential, and shared password must be revoked within 24 hours. Not "when IT gets to it." Not "next week." Immediately.

This means you need a complete inventory of what each person has access to (see: identity and access management). You need an automated or semi-automated process that triggers on departure. You need verification that revocation actually happened. And you need to handle the edge cases: shared accounts, service accounts that one person managed, OAuth tokens that persist after password changes.
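The leaver test from the identity section and the offboarding procedure described here (inventory, triggered revocation, verification, edge cases) as an added worked example; it is not the article's or any vendor's code. The `Grant` inventory format, the grant kinds, the `svc`-style handling and the sample data for a departing user "alice" are constructed assumptions, and `execute` stands in for the IdP, VCS and cloud API calls a real run would make.

```python
from dataclasses import dataclass, field
@dataclass
class Grant:
    kind: str       # sso_account, ssh_key, oauth_grant, shared_password, service_account
    target: str     # system the grant applies to
    owner: str      # holder of the grant, or "shared"
    delegates: list = field(default_factory=list)   # others able to use it
    revoked: bool = False

    def usable_by(self, user):
        return user == self.owner or user in self.delegates

def plan_offboarding(inventory, user):
    """Revocation plan for `user`; edge cases become follow-ups, not silent deletions."""
    actions, follow_ups = [], []
    for g in inventory:
        if not g.usable_by(user):
            continue
        if g.kind == "shared_password":
            # A shared secret cannot be "deleted": rotate it for the remaining users.
            actions.append(("rotate", g))
            follow_ups.append(f"redistribute rotated {g.target} secret")
        elif g.kind == "service_account":
            # Production depends on it: transfer ownership instead of disabling.
            actions.append(("reassign_owner", g))
            follow_ups.append(f"name a new owner for {g.target} service account")
        elif g.kind == "oauth_grant":
            # Password resets and SSO suspension do not invalidate issued OAuth tokens.
            actions.append(("revoke_token", g))
        else:
            actions.append(("disable", g))
    return actions, follow_ups

def execute(actions, user):  # a real deployment calls the IdP, VCS and cloud APIs here
    for verb, g in actions:
        if verb in ("disable", "revoke_token"):
            g.revoked = True
        else:  # rotate / reassign_owner: the grant lives on, without the leaver
            g.delegates = [d for d in g.delegates if d != user]
            g.owner = "PLACEHOLDER-new-owner" if verb == "reassign_owner" else g.owner  # placeholder

def residual_access(inventory, user):  # verification step: must come back empty
    return [g for g in inventory if not g.revoked and g.usable_by(user)]

def demo(user="alice"):
    # Constructed sample inventory; bob's account is there to show it is left untouched.
    inv = [Grant(*t) for t in [("sso_account", "okta", "alice"), ("sso_account", "okta", "bob"),
           ("oauth_grant", "github-cli", "alice"), ("service_account", "aws-deploy", "alice"),
           ("shared_password", "vendor-portal", "shared", ["alice", "bob"])]]
    actions, follow_ups = plan_offboarding(inv, user)
    execute(actions, user)
    return inv, actions, follow_ups, residual_access(inv, user)
```

`demo()` returns an empty residual list only because every grant kind has an explicit handler; a new kind of access that nobody added to the inventory is exactly the gap the 24-hour test is meant to expose.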

Most breaches involving former employees don't happen because the person is malicious. They happen because the person still had access that nobody remembered to revoke, and those credentials got compromised through a separate vector. The attack surface you don't close is the one that gets exploited.

How many do you have?

Most SaaS companies we assess have 2-3 of these 7 controls in place. Usually MFA (partially — not enforced across all apps), some form of endpoint protection (consumer-grade, not managed EDR), and maybe a backup solution for one or two systems. The other 4-5 controls are absent, partially implemented, or configured but not monitored.

The 90-Day Accelerator Sprint implements all 7 in 90 days. Not as a theoretical exercise. As configured, operational, monitored, and documented controls that actually protect your company and satisfy the evidence requirements of ISO 27001, SOC 2, and enterprise security questionnaires.

"Security isn't one control done well. It's seven controls done consistently."

Next step

See what's covered in The Security Baseline.
