Two out of three incidents that Sophos' responders worked over the past year began the same boring way: someone logged in. Per the 2026 Sophos Active Adversary Report, 67% of the 661 cases they handled traced back to an identity weakness, and 59% of victims had no multi-factor authentication standing in the way. Brute-forcing valid credentials (15.6% of initial access) has drawn nearly level with exploiting a vulnerability (16%). The attacker did not need a zero-day. They needed a password your business already owned.
Once inside, the clock is short. Sophos measured a median of 3.4 hours from first access to the attacker reaching an Active Directory domain controller - less than half a workday from a single phished login to the keys that run your network. And the plumbing keeps producing critical bugs of its own: Microsoft's June 9 Patch Tuesday shipped fixes for 200 flaws including critical remote-code-execution in Active Directory Domain Services (CVE-2026-45648) and the Kerberos Key Distribution Center (CVE-2026-47288). You can patch every one of those and still lose the business through a login.
Why this matters to you, and who can skip it. If your staff sign in to Microsoft 365, Google Workspace, or a Windows domain, the front door to your company is the set of accounts they use - and that is almost every business reading this. Large enterprises have spent the last five years rebuilding around that fact. The honest exception: a true one-person shop with no shared systems, hardware security keys on every account, and nothing for an intruder to move into can stop here. Everyone else is in scope, because for everyone else the cheapest, fastest path in is a credential, not a CVE.
What the enterprise spends on, and what you actually need
Walk into a Fortune 500 identity program and you will find identity threat detection and response (ITDR) platforms, privileged access management (PAM) vaults, a tiered-admin forest design, and an identity team watching sign-in telemetry around the clock. The licensing alone runs roughly 3 to 15 dollars per user per month before you pay anyone to operate it. A 40-person company cannot stand that up, and the good news is that it does not have to. Most of the protection those programs buy comes from a short list of decisions, and for a small business most of those decisions are already paid for inside the Microsoft 365 or Google licenses you renew every year. The work is turning them on in the right order. What follows is the enterprise control on the left and the small-business version that gets you most of the way for little or no new spend.
1. Make every login prove itself
The enterprise version is phishing-resistant FIDO2 security keys, with Conditional Access policies that demand stronger proof when the sign-in looks risky. The small-business version starts with two switches that block the majority of credential attacks outright.
First, require MFA on every account, including the ones nobody thinks about - the shared mailbox, the contractor, the owner who hates extra steps. Second, block legacy authentication, the old protocols (IMAP, POP, SMTP AUTH, basic Exchange ActiveSync) that cannot enforce MFA at all. Microsoft's own guidance for blocking legacy authentication notes that more than 97% of credential-stuffing attacks and more than 99% of password-spray attacks ride those legacy protocols. Turn them off and you close the lane most password attacks drive down.
Where you can, move administrators and account owners to passkeys, which are free in Entra ID and remove the password from the equation. If you cannot reach phishing-resistant MFA tomorrow, CISA's phishing-resistant MFA fact sheet recommends number matching as the interim step, because it kills the push-bombing trick where an attacker spams approval prompts until a tired user taps yes.
To find the accounts still slipping through, hunt your sign-in logs for successful authentications that used a single factor or a legacy client:
// Entra ID sign-in logs: successful sign-ins that used only one
// factor, or came from a legacy authentication client.
// Run in Log Analytics / Microsoft Sentinel.
SigninLogs
| where TimeGenerated > ago(7d)
// ResultType is a string column in SigninLogs; "0" is a successful sign-in.
| where ResultType == "0"
| where AuthenticationRequirement == "singleFactorAuthentication"
    or ClientAppUsed in ("Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "MAPI", "Exchange ActiveSync")
| summarize signins = count(), last_seen = max(TimeGenerated) by UserPrincipalName, ClientAppUsed, IPAddress
| sort by signins desc
2. Stop signing in as God every day
The enterprise spends heavily here: a PAM vault that checks out privileged credentials just-in-time, a tiered-admin model that keeps domain-level accounts off ordinary workstations. The principle behind Microsoft's enterprise access model is simple enough for any business to copy without the platform: the account you use to read email and browse the web should never be the account that can rebuild the company.
For a small business that means three concrete moves. Give every administrator a separate admin-only account, and never use it for mail or browsing. Cut your standing Global Administrators down to two - one break-glass account stored offline, one for daily directory work - and run everything else on least-privileged roles, as Microsoft's secure-access guidance for administrators lays out. Where your license includes Privileged Identity Management, use it so even those roles are granted just-in-time instead of held permanently. On-prem, keep Domain Admins off the laptops people open phishing emails on, because that laptop-to-domain-controller path is exactly the 3.4-hour route Sophos measured.
Start by counting who holds the top role today. More than two is a finding, not a feature:
# List every holder of Global Administrator in Entra ID.
# Two is plenty - break-glass plus one. Anything beyond that needs a reason.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
    # Members can be users, groups or service principals, so read the
    # returned directory object instead of assuming every member is a user.
    $props = $_.AdditionalProperties
    $name = $props['userPrincipalName']
    if (-not $name) { $name = $props['displayName'] }
    [pscustomobject]@{
        Type = ($props['@odata.type'] -replace '#microsoft.graph.', '')
        Name = $name
    }
}
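The checks in sections 1 and 2 can also be run offline against data a small tenant can export. The script below is an added example written for this article; it is not code from the original post or from Red Hound. It assumes three inputs: user records shaped like the Entra authentication-methods registration report (userPrincipalName, isMfaRegistered, methodsRegistered), a role-to-members mapping, and the set of accounts that hold a mailbox. The method names in PHISHING_RESISTANT are assumed from that report, and every account in the sample data is constructed.

```python
"""Identity posture check over exported Entra ID data (added example, not the article's code).

Inputs are modelled on two exports a small tenant can produce: the
authentication-methods registration report (userPrincipalName,
isMfaRegistered, methodsRegistered) and directory-role membership.
All records below are constructed for the example.
"""

MAX_GLOBAL_ADMINS = 2  # break-glass plus one daily-admin account, as the article recommends

# Assumption: method names as they appear in the Graph registration report.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"}

USERS = [  # constructed sample accounts
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "adm-alice@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "breakglass@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey"]},
    {"userPrincipalName": "shared-invoices@example.com", "isMfaRegistered": False,
     "methodsRegistered": []},
]
ROLE_MEMBERS = {  # constructed: three standing Global Administrators is one too many
    "Global Administrator": ["adm-alice@example.com", "breakglass@example.com", "carol@example.com"],
    "Exchange Administrator": ["carol@example.com"],
}
MAILBOX_USERS = {  # constructed: accounts that hold a mailbox
    "alice@example.com", "bob@example.com", "carol@example.com", "shared-invoices@example.com",
}


def audit_posture(users, role_members, mailbox_users, max_ga=MAX_GLOBAL_ADMINS):
    """Return (finding, subject) tuples for the identity gaps in sections 1 and 2."""
    findings = []
    by_upn = {u["userPrincipalName"]: u for u in users}
    admins = {upn for members in role_members.values() for upn in members}

    # Section 1: every account proves itself. Shared and service mailboxes
    # with no MFA method registered are exactly the accounts nobody thinks about.
    for upn, user in by_upn.items():
        if not user["isMfaRegistered"]:
            findings.append(("no_mfa", upn))

    # Section 1: administrators should be on passkeys / FIDO2, not phone-based MFA.
    for upn in sorted(admins):
        methods = set(by_upn.get(upn, {}).get("methodsRegistered", []))
        if not methods & PHISHING_RESISTANT:
            findings.append(("admin_not_phishing_resistant", upn))

    # Section 2: standing Global Administrators capped at break-glass plus one.
    global_admins = role_members.get("Global Administrator", [])
    if len(global_admins) > max_ga:
        findings.append(("too_many_global_admins", f"{len(global_admins)} > {max_ga}"))

    # Section 2: an admin account that also holds a mailbox is being used for
    # mail and browsing, which is what separate admin-only accounts prevent.
    for upn in sorted(admins & mailbox_users):
        findings.append(("admin_has_mailbox", upn))

    return findings


if __name__ == "__main__":
    for finding, subject in audit_posture(USERS, ROLE_MEMBERS, MAILBOX_USERS):
        print(f"{finding:30} {subject}")
```

Swap the constructed lists for your own exports and the same function produces the to-do list for the first two sections: the accounts to enrol, the admins to move to passkeys, the Global Administrator count to trim, and the admin accounts that still read mail.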
3. Watch the logins you cannot afford to miss
The enterprise answer is an ITDR platform feeding a 24/7 team that baselines normal behavior and alerts on the anomalies. A small business will not staff that, and does not need to in order to catch the three signals that precede most account takeovers: a risky or impossible-travel sign-in, a new OAuth app consent, and a new inbox-forwarding rule. Those three are the early warning for business email compromise. An attacker who lands in a mailbox almost always sets a rule that auto-forwards or hides invoice replies so they can run a payment-redirection scam without the real owner noticing, and they grant a malicious app consent so they keep access after the password is reset. Both actions are recorded in logs you already generate, if you keep them long enough to read.
The catch is retention. The unified audit log is not always on in older tenants, and on non-E5 licensing it keeps records for a limited window. Sophos found that cases with missing logs roughly doubled year over year, with some firewall defaults holding as little as 24 hours of history - so the evidence an investigator needs is often deleted before anyone goes looking. Turn the audit log on, set retention deliberately, and review this query weekly:
# BEC early warning: new mail-forwarding rules and new app consents, last 7 days.
# Requires the unified audit log to be enabled (off by default on older tenants)
# and the ExchangeOnlineManagement module. Rules created from the Outlook
# client are logged as UpdateInboxRules; the consent operation name ends
# with a period in the audit log.
Connect-ExchangeOnline
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations "New-InboxRule","Set-InboxRule","UpdateInboxRules","Consent to application." `
    -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Sort-Object CreationDate -Descending
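The weekly review gets faster if the raw records are triaged for the two patterns the text describes: rules that forward outside the company or make mail disappear, and consents that hand an app mailbox access. The script below is an added example for this article, not code from the original post or from Red Hound. It takes records in the shape Search-UnifiedAuditLog returns (CreationDate, UserIds, Operations, and AuditData as a JSON string); the field names it reads inside AuditData (Parameters, Target, ModifiedProperties), the company domain list, and every sample record are assumptions constructed for the example, and the "hides mail" rule is this example's own heuristic.

```python
"""BEC early-warning triage over unified audit log records (added example, not the article's code).

Records follow the shape Search-UnifiedAuditLog returns: CreationDate, UserIds,
Operations and AuditData (a JSON string). The AuditData field names used here
(Parameters, Target, ModifiedProperties) are assumed from exported records;
all sample records are constructed.
"""
import json
import re

COMPANY_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
DELETE_PARAMS = {"DeleteMessage", "SoftDeleteMessage"}
MAIL_SCOPES = ("Mail.", "MailboxSettings.", "offline_access")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-")


def _params(audit):
    """Flatten the Parameters name/value list of an inbox-rule event into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in audit.get("Parameters", [])}


def triage_inbox_rule(audit):
    """Flag rules that forward outside the company or make mail disappear."""
    params = _params(audit)
    user, rule = audit.get("UserId", "?"), params.get("Name", "<unnamed>")
    alerts = []
    for key in sorted(FORWARD_PARAMS & params.keys()):
        for addr in EMAIL_RE.findall(params[key]):
            if addr.rsplit("@", 1)[1].lower() not in COMPANY_DOMAINS:
                alerts.append({"kind": "external_forward", "user": user, "rule": rule,
                               "detail": f"{key} -> {addr}"})
    # Heuristic (this example's choice): deleting mail, or filing it away already
    # marked as read, is the "hide the invoice reply" pattern; plain filing is not.
    hides = bool(DELETE_PARAMS & params.keys()) or (
        "MoveToFolder" in params and params.get("MarkAsRead") == "True")
    if hides:
        conds = {k: v for k, v in params.items() if "Contains" in k or k in ("From", "SentTo")}
        alerts.append({"kind": "hides_mail", "user": user, "rule": rule,
                       "detail": f"conditions={conds or 'all mail'}"})
    return alerts


def triage_consent(audit):
    """Flag user consents whose granted scopes include mailbox access."""
    user = audit.get("UserId", "?")
    perms = next((m.get("NewValue", "") for m in audit.get("ModifiedProperties", [])
                  if m.get("Name") == "ConsentAction.Permissions"), "")
    match = re.search(r"Scope:\s*([^,\]]+)", perms)
    scopes = match.group(1).split() if match else []
    mail_scopes = [s for s in scopes if s.startswith(MAIL_SCOPES)]
    if not mail_scopes:
        return []
    # Assumption: the app's display name is the Target entry whose ID is not a GUID.
    app = next((t["ID"] for t in audit.get("Target", [])
                if "ID" in t and not GUID_RE.search(str(t["ID"]))), "<unknown app>")
    return [{"kind": "app_consent", "user": user, "rule": app, "detail": " ".join(mail_scopes)}]


def triage(records):
    """Parse each record's AuditData JSON string and dispatch it to the right check."""
    alerts = []
    for rec in records:
        audit = json.loads(rec["AuditData"])
        op = audit.get("Operation", rec.get("Operations"))
        if op in ("New-InboxRule", "Set-InboxRule"):
            alerts.extend(triage_inbox_rule(audit))
        elif op == "Consent to application.":
            alerts.extend(triage_consent(audit))
    return alerts


RECORDS = [  # constructed sample, in the shape Search-UnifiedAuditLog returns
    {"CreationDate": "2026-06-10T08:12:00", "UserIds": "carol@example.com",
     "Operations": "New-InboxRule", "AuditData": json.dumps({
         "Operation": "New-InboxRule", "UserId": "carol@example.com", "ClientIP": "203.0.113.5",
         "Parameters": [
             {"Name": "Name", "Value": "."},
             {"Name": "SubjectContainsWords", "Value": "invoice;payment;remittance"},
             {"Name": "ForwardTo", "Value": '"Finance Updates" [SMTP:finance.updates@mail-example.net]'},
             {"Name": "DeleteMessage", "Value": "True"}]})},
    {"CreationDate": "2026-06-09T17:40:00", "UserIds": "alice@example.com",
     "Operations": "New-InboxRule", "AuditData": json.dumps({
         "Operation": "New-InboxRule", "UserId": "alice@example.com",
         "Parameters": [
             {"Name": "Name", "Value": "Newsletters"},
             {"Name": "FromAddressContainsWords", "Value": "news@vendor.example.net"},
             {"Name": "MoveToFolder", "Value": "Newsletters"}]})},
    {"CreationDate": "2026-06-09T09:05:00", "UserIds": "dave@example.com",
     "Operations": "Set-InboxRule", "AuditData": json.dumps({
         "Operation": "Set-InboxRule", "UserId": "dave@example.com",
         "Parameters": [
             {"Name": "Identity", "Value": "Cover"},
             {"Name": "ForwardTo", "Value": "[SMTP:helpdesk@example.com]"}]})},
    {"CreationDate": "2026-06-08T13:22:00", "UserIds": "bob@example.com",
     "Operations": "Consent to application.", "AuditData": json.dumps({
         "Operation": "Consent to application.", "UserId": "bob@example.com",
         "Target": [{"Type": 2, "ID": "ServicePrincipal_0f3b4c1d-2a6e-4b7f-9c1d-5e6f7a8b9c0d"},
                    {"Type": 1, "ID": "Mail Sync Helper"}],
         "ModifiedProperties": [
             {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
             {"Name": "ConsentAction.Permissions", "NewValue":
              "[] => [[Id: cons1, ClientId: app1, ResourceId: graph, ConsentType: Principal, "
              "Scope: Mail.ReadWrite offline_access User.Read, ExpiryTime: ]]"}]})},
]

if __name__ == "__main__":
    for alert in triage(RECORDS):
        print(f"{alert['kind']:17} {alert['user']:24} {alert['rule']:18} {alert['detail']}")
```

Of the four constructed records, only two surface: carol's rule that forwards invoice replies to an outside domain and deletes the originals, and bob's consent to an app that asked for Mail.ReadWrite with offline_access (persistent access that survives a password reset, exactly the behaviour the text describes). Alice's newsletter filing rule and Dave's internal forward are left alone, which is what keeps a fifteen-minute weekly review at fifteen minutes.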
4. Close the on-prem path from a laptop to the domain controller
If you still run on-premises Active Directory, this is where the 3.4-hour number gets earned. The enterprise pays for continuous AD assessment and a red team to find the path before an attacker does. A small business can close most of it with settings rather than software. Disable LLMNR and NBT-NS so a poisoned name-resolution request cannot harvest a hash. Require SMB signing so a captured login cannot be relayed onto another machine. Hunt down and remove unconstrained delegation, which lets one compromised server impersonate any user that touches it. And patch domain controllers promptly - this month's CVE-2026-45648 and CVE-2026-47288 are precisely the kind of DC-side bug that turns a stolen low-privilege account into full control.
Unconstrained delegation is the one most teams forget they have. There should be almost none, and never on a member server somebody stood up and walked away from:
# On-prem AD: accounts trusted for unconstrained delegation are a direct
# path from a relayed or coerced login to domain compromise. Audit and remove.
# Domain controllers (primary group 516) are trusted for delegation by design
# and are excluded; anything else on this list needs a reason or a removal.
Import-Module ActiveDirectory
Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' `
    -Properties TrustedForDelegation, PrimaryGroupID |
    Select-Object Name, DistinguishedName
Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Select-Object Name, DistinguishedName
None of these four areas requires a new product line in the budget. They require a directory you already pay for, a few hours of focused work, and the discipline to do them in an order that matches how attackers actually move.
Close the identity gaps in the order attackers use them
If you do one thing this week, require MFA everywhere and block legacy authentication - that single afternoon takes the most common attack off the table. Next, split the admin accounts and cut the Global Administrator count to two. Then turn on the audit log and put the weekly fifteen-minute review on someone's calendar. The on-prem AD settings come last only because fewer small businesses still run their own domain controllers, not because they matter less. On Red Hound engagements, the companies that get breached almost never lacked the budget for a tool; they lacked the boring half-day it takes to switch on what they already own. That half-day is the cheapest security project you will run all year, and it sits squarely on the path attackers take into businesses your size.
Need help hardening your identity infrastructure?
We assess Active Directory and Entra ID environments for the misconfigurations attackers actually exploit - weak MFA coverage, over-privileged admins, gaps in your sign-in logging, and the on-prem settings that shorten the path to a domain controller. Book a session to walk through your environment.
