Why All Organisations Should Consider Implementing Multi-Factor Authentication

In an era of increasing cyber threats, securing sensitive data is more critical than ever. Many organisations, however, mistakenly believe that only ‘data controllers’—those who dictate how personal data is processed—are bound by strict security requirements under the UK and EU GDPRs. This is far from true. Data processors, too, must comply with robust security measures, as highlighted by the Information Commissioner’s Office (ICO) recent enforcement action against major software provider Advanced Computer Software Group Ltd. (now OneAdvanced).

The Advanced Case: A Lesson in MFA Importance

Advanced, a software provider, suffered a ransomware attack when a customer account was compromised—an account that lacked multi-factor authentication (MFA). This breach led to the exfiltration of sensitive personal data, including medical records, phone numbers, and even instructions on how to access the homes of 890 individuals receiving at-home care. The ICO’s investigation pointed out the organisation’s failure to implement adequate security measures, and one of the key oversights was the absence of MFA.

The ICO listed a range of essential security measures, including:

  • Regular vulnerability checks
  • The latest system security patches
  • Multi-factor authentication

The absence of MFA was flagged as particularly negligent, and the incident illustrates that failure to implement such basic security controls can expose organisations to severe regulatory consequences. This wasn’t the first time the ICO acted against an organisation for failing to deploy MFA, but the Advanced case underscores its necessity.

The ICO’s Stance on Multi-Factor Authentication

In its May 2024 report on cyber security trends, the ICO highlighted MFA as a critical first line of defence against cyber-attacks. However, simply enabling MFA isn’t sufficient. To be truly effective, MFA must be part of a broader security strategy that includes additional safeguards to thwart sophisticated attacks.

For example, the National Cyber Security Centre (NCSC) advises organisations to implement strong identity verification during password reset procedures. This step helps prevent attackers from impersonating legitimate users and bypassing MFA protections, ensuring that even compromised credentials cannot be exploited to gain unauthorised access.

Why Every Organisation Needs Multi-Factor Authentication

MFA adds an extra layer of security by requiring users to present two or more verification methods—something they know (like a password) and something they have (like a mobile device or authentication app). It’s a simple yet powerful tool to reduce the risk of unauthorised access, even if passwords are compromised.

Beyond regulatory compliance, implementing MFA is an essential part of building a strong cyber security foundation. By deploying MFA, organisations can:

  • Prevent unauthorised access from compromised passwords
  • Mitigate the risk of phishing attacks
  • Enhance the overall security posture without substantial cost
  • Build trust with clients and partners by demonstrating commitment to data protection

Regulatory and Reputational Risks

Organisations should not forget that the ICO has the power to issue hefty fines for security breaches. Enforcement actions aren’t limited to procedural shortcomings but also include technical failures like neglecting to implement MFA. In the case of Advanced, the failure to enforce proper security controls led not only to significant data loss but also to severe reputational damage.

Take Action Now

Whether you are a data controller or a data processor, securing your systems with multi-factor authentication is a fundamental and relatively simple step. This, combined with regular vulnerability checks and the latest system patches, can go a long way toward protecting your organisation from both cyber-attacks and regulatory penalties.


Written by: Robert Wassall

Robert Wassall is a solicitor, an expert in data protection law and practice, and a Data Protection Officer. As Head of Legal Services at NormCyber, Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.