Here’s a Simple Safety Measure Most Hackers Hate—and Businesses Ignore
What’s the fastest ticket to a $21.5 TRILLION civil penalty and a grilling from the OAIC?
Easy. Just ignore Multi-Factor Authentication (MFA), step aside, and wait for the meltdown to happen.
That’s exactly the disastrous move that Medibank, Australia’s leading private health insurer, made. Their failure to use MFA led to a massive data breach, exposing the sensitive information of 9.7 million people. Hackers stole 520GB of data—names, birthdates, Medicare numbers, contact details, even health records—all in a calculated ransomware attack.
The OAIC slammed Medibank for neglecting basic security measures. Hackers easily slipped into their VPN because the company skipped MFA. Instead, they settled for a flimsy username, password, and device certificate combo. That’s like leaving your front door wide open and wondering how a thief walked in.
Don’t repeat their mistake. MFA isn’t optional. Lock your digital doors before hackers walk in.
What Is MFA and How Does It Work?
MFA adds powerful layers of protection to your accounts by asking for more than just a password to verify your identity. Imagine you're entering your house. The first lock is your key (your password), which keeps most people out. But if someone manages to copy your key, they could still get in.
Now, add a second (or even third) lock that requires a unique code sent to your phone, and perhaps throw in fingerprint authentication just for the fun of it. Even if someone has your key, they can't get through the second lock (or third lock) without access to your phone (and fingers). This additional layer of security makes it much harder for intruders to break in!
Types of MFA “Proofs”
MFA typically combines two or more of these:
Something You Know – Like your password, PIN, or an answer to a security question.
Something You Have – Your smartphone (to receive a code or app notification), security token, or a key card.
Something You Are – Biometrics such as fingerprints, facial recognition, or voice detection.
Somewhere You Are – GPS location or your IP address.
Something You Do – Behavioural patterns such as how you type or move your mouse.
For example, you might log in with your password (something you know) and then input a code sent to your phone (something you have). Without both pieces, access is denied.
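To make the "something you have" proof concrete, here is an added example (not from the original post or from any vendor named in it) of how an authenticator app's time-based one-time code is derived under RFC 6238, and how a server should check it: constant-time comparison, one step of clock drift, and rejection of a code that has already been used. The secret is the RFC's published test seed, a constructed demo value rather than a real key.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret: the RFC 6238 test-vector seed, NOT a real key.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a code bound to a shared secret and a 30 s window.

    The code depends only on the secret and the time step, which is why the
    phone (the thing you have) and the server compute the same value offline.
    """
    counter = unix_time // step
    msg = struct.pack(">Q", counter)               # 8-byte big-endian step count
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: constant-time compare, +/-1 step of clock drift, and
    each time step may be accepted at most once, so a replayed code fails."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_counter = -1

    def verify(self, submitted: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for counter in (current - 1, current, current + 1):
            if counter <= self.last_accepted_counter:
                continue                           # this window was already used
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET)
    print(totp(DEMO_SECRET, 59), v.verify(totp(DEMO_SECRET, 59), now=59))
```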
Common MFA Combinations
Password + SMS Code – Enter your password, then confirm with a code sent to your phone.
Fingerprint + Security Token – Use your fingerprint and a physical key.
Facial Recognition + GPS Location – Verify your face and confirm you’re in a trusted location.
These extra barriers mean even if hackers guess one method, they’re stopped by the others.
Why MFA Is the Secret Sauce to Staying Secure
MFA isn’t just a fancy feature—it works. Take Google’s 2019 study, for example:
SMS-based MFA blocked 100% of automated attacks.
It stopped 96% of phishing attempts.
And it even thwarted 76% of targeted attacks.
Not bad, right? But here’s the kicker—not all MFA is equally effective at protecting you.
Not All MFAs Are Equal
Microsoft reports that MFA methods make a big difference. For example:
SMS codes are 40.8% less effective than app-based options like Duo by Cisco or Microsoft Authenticator.
Upgraded MFA methods such as on-device prompts give you ironclad security, stopping:
100% of automated bots
99% of bulk phishing attacks
90% of targeted hacks
If your business still leans on outdated systems like SMS codes, you’re leaving the door wide open. Upgrade to advanced options like authenticator apps or security keys for peace of mind.
Here’s a handy chart from Google to show you how different authentication methods stack up. Choose wisely.
The Limitations of MFA—and How to Overcome Them
MFA isn’t perfect (nothing is). Here’s where it can cause problems—and how you can fix them:
1. It’s a Pain for Users
People often complain MFA is inconvenient or slows them down.
Solution: Use easy options like push notifications or biometrics, and educate users about why it’s worth it.
2. It Costs Money
Small businesses might think MFA is too expensive to implement.
Solution: Roll it out in phases. Paying for security now is much cheaper than dealing with a breach later.
3. It’s Tricky to Manage
Handling multiple MFA methods can overwhelm non-IT administrators.
Solution: Streamline with automation tools that simplify MFA processes or outsource to a service provider.
4. Hackers Can Still Find Loopholes
Older MFA methods like SMS codes are vulnerable to attacks, such as SIM-swapping or phishing.
Solution: Use phishing-resistant options like passkeys and hardware security keys, which are much harder to bypass.
5. Backup Codes Are a Target
Scammers can aim for recovery methods, like backup codes.
Solution: Secure backup processes and train staff on keeping them safe.
6. Not Everyone Can Use MFA
Some individuals struggle with certain MFA methods due to device limitations or disabilities.
Solution: Offer a variety of options to include people with special needs.
The Future of MFA
MFA is constantly evolving to keep up with growing threats. Two major trends on the horizon include:
Passwordless Authentication – Tools like passkeys eliminate passwords altogether, relying on biometrics or hardware instead.
Behavioural Biometrics – Systems that learn your typing speed or mouse movements to identify you.
Governments, too, are upping their security game. Australia’s Essential Eight cybersecurity framework prioritises advanced, phishing-resistant MFA as a standard.
Why Your Business Needs MFA Now
Cyber threats are multiplying, and ignoring MFA is like leaving the front door wide open for attackers. The cost of implementing MFA today is pennies compared to the damage a data breach could cause later.
Here’s What You Can Do Right Now:
Review your current login systems.
Invest in robust MFA solutions—consider hardware keys or secure app-based notifications.
Educate your employees to adopt these methods seamlessly.
ALERT! Scammers are always hunting for authentication codes, and they’ll stop at NOTHING to get them. These crooks are crafty—masquerading as your phone company’s support team or even your bank’s manager.
But here’s the deal: No legit company will EVER ask for your code. Stay sharp, stay safe, and NEVER give it away!
Wrapping It Up
Medibank’s breach changed everything. It highlighted just how catastrophic it can be to rely on weak authentication methods.
The good news is that MFA is your frontline defence. It creates an automatic “no entry” sign for intruders. While it’s not flaw-free, advanced tools like phishing-resistant MFA make a world of difference.
Don’t wait until it’s too late—protect your company, your accounts, and your customers today. You can learn more advanced techniques to secure your business by downloading our ebook for free.
ABOUT THE AUTHOR: JARROD RAMSAY
Jarrod’s entrepreneurial journey began at 19, reselling telco services for brands like Telstra, Vodafone and Vocus. Realising he wanted more, he sold his business and dove into Managed IT Services, launched a telco division and built a public cloud platform.
These bold moves weren't just about competition; they were about creating better solutions for his clients.
Today, Jarrod thrives on collaborating with business owners, sharing ideas, and tackling challenges with creative strategies. Whether you're an entrepreneur, a business owner, or an employee responsible for the ICT services at your business, feel free to reach out—he'd love to connect.