TL;DR

Most Australian businesses can materially reduce account takeover risk in one week by enforcing phishing-resistant MFA, consolidating authentication through SSO, cleaning IAM permissions, and implementing practical zero-trust identity checks. Start with hardware-backed authentication (YubiKey/FIDO2/WebAuthn), then fix directory policy, remove dormant users, and lock down admin accounts before moving to broader zero-trust controls.

If you can only do three things this week, do: deploy MFA for everyone (with phishing-resistant options), enforce SSO for cloud apps, and run a dormant account audit. Done right, these changes reduce your largest attack path while staying within realistic SMB costs and without replacing all systems.

Why this matters now for Australian business owners

Identity is still the highest-value target for attackers, especially through phishing, credential stuffing, password reuse, and replay of stolen cookies and session tokens. In practical terms, many breach investigations in Australia show that weak authentication and forgotten accounts are often the first entry point.

This week’s goal is not a complete security transformation. It is a controlled identity hardening sprint based on standards you can operationalise quickly: NIST SP 800-63-3 (digital identity assurance), ACSC Essential Eight MFA expectations, and CIS Controls v8 identity management controls. In plain language, this means: prove who a user is, reduce the number of privileged paths, and remove unnecessary access fast.

1) Week-by-week implementation plan: from risk to control (day-by-day)

If you have under 100 staff, this is realistic in five working days.

Day 1: baseline and owners

  1. Assign one security owner (or your consultant/IT lead) and one backup.
  2. Export user directory list and sign-in activity.
  3. Publish a short user notice: “MFA and SSO changes are mandatory from [date]”.
  4. Define role tiers: admin, finance, standard users, contractors/temporary.

Day 2: MFA policy change (minimum viable hardening)

  1. Turn on MFA enforcement for all accounts.
  2. For admins and finance roles, require phishing-resistant factors only (FIDO2/WebAuthn security keys, YubiKey, Windows Hello for Business, or other passkey-capable methods where available).
  3. Keep app-based OTP as backup only for approved exceptions.

Day 3: SSO rollout

  1. Enable SSO for core productivity services and the business apps around them (email, file sharing, CRM, ticketing).
  2. Start with a pilot group for break/fix issues.
  3. Remove direct password login where SSO is already fully supported.

Day 4: IAM cleanup

  1. Disable dormant accounts immediately (or move to “quarantine” state first).
  2. Remove unused global admin and legacy roles.
  3. Standardise role groups so permissions are by job role, not individual ad-hoc grants.
  4. Check service accounts: convert shared credentials to managed service identities where possible.

Day 5: policy lock and validation

  1. Enforce stronger password rules where passwords still exist.
  2. Enable sign-in risk signals and conditional access checks.
  3. Run a quick verification sweep and user comms to avoid lockout-related helpdesk spikes.
  4. Record a change log and schedule weekly checks.

This order is intentional: you reduce exposure first before layering new complexity.

2) Enforce phishing-resistant MFA this week (not just “MFA enabled”)

What to enable now

  • Microsoft Entra ID users: set global MFA policies and stronger defaults; enforce FIDO2 or certificate-based authentication for privileged roles where possible.
  • Okta environments: use MFA policy to block password-only sign-ins and enforce phishing-resistant authenticator factors for remote/admin users.
  • Google Workspace SSO users: enforce 2-Step Verification with strong second-factor options and conditional enforcement by risk signals.
  • Self-hosted/heterogeneous stacks: deploy Authentik as a lightweight SSO/IdP gateway where native provider support is weak.

Why “password + app code” is not enough

Password+TOTP is better than nothing, but modern phishing campaigns increasingly relay the password and one-time code in real time and replay stolen session tokens. Phishing-resistant MFA (security keys/passkeys/FIDO2) is designed to prevent credentials being harvested and replayed. That is the point of NIST’s stronger assurance guidance and ACSC’s identity control focus.

Hardware MFA in practice

  • Issue one YubiKey per privileged user first (CFO, owners, admins, finance approvers), then phase others.
  • For shared workstations, keep one backup key per team.
  • Keep a documented break-glass process: secure vaulted backup codes + emergency contact chain.

Cost reality for SMBs

A practical budget envelope is $5–$10 per user per month when using mainstream stacks:

  • If you already subscribe to Microsoft 365 or Google Workspace, identity platform costs are often partly included.
  • Add-ons are usually where SMB costs rise: stronger MFA licensing tiers, password manager enterprise features, and YubiKey hardware.
  • A realistic pilot can start low by using lower-cost or existing platform features and expanding over 30–60 days.

3) Deploy SSO with low friction: Microsoft Entra ID, Okta, Google Workspace, Authentik

SSO is not just convenience; it is control. If identities are centralised, you control session policies, risk checks, and revocation in one place.

  • Microsoft Entra ID (for Microsoft ecosystems): best for teams already on Azure/365. Use one identity core, then app registrations for SaaS where needed.
  • Okta (mixed environments): good when you already have many SaaS apps and need strong lifecycle integration.
  • Google Workspace SSO: excellent if Gmail/Drive/Workspace are core and you want straightforward setup for productivity apps.
  • Authentik (self-hosted): best for SMBs with a mix of self-hosted apps and a wish to avoid SaaS lock-in.

Quick decision guide (this week)

If most staff already live in one ecosystem, extend that platform’s native SSO and identity policies first. Avoid introducing too many IdPs at once—this delays rollout and increases failure modes. In week one, aim for 1–2 major providers max.

Practical controls you should set now

  • SSO required for email, CRM, file storage, and cloud admin portals.
  • Disable legacy protocols where possible (legacy IMAP/POP, basic auth variants).
  • Force re-auth on high-risk actions (payments, admin changes, role elevation).
  • Add auto-logout limits for unattended devices (browser inactivity policy + session timeout).

4) IAM cleanup and zero-trust identity posture (the boring work that pays off)

Zero trust identity is simple in principle: never trust by default, verify continuously. For SMBs, that usually means tighter role design and fast revocation.

IAM hygiene checklist (same week)

  • Inventory all users, including contractors and temporary accounts.
  • Remove “super-admin” style roles from generic roles.
  • Apply least privilege by default: no one needs more than their job requires.
  • Review API/service tokens and rotate any that were manually shared.
  • Separate duties between procurement, approval, and payment where systems allow.

Dormant account process

Use sign-in logs for a 30/60/90-day inactive policy:

  • 30 days: flag
  • 60 days: disable
  • 90 days: delete or permanently archive, per policy

For SMB operations, this alone catches many hidden risks (former staff, contractors, and unused service profiles). Keep evidence of every disable/delete for audit and HR exit alignment.
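One way to turn the 30/60/90-day rule into a repeatable, auditable step, as an added example that is not part of the original post: it reads a constructed user export (the column names `upn`, `lastSignIn`, `created` and the break-glass exception list are assumptions), ages never-used accounts from their creation date, and groups every account by the action the policy requires.

```python
"""Dormant-account triage for the 30/60/90-day inactivity policy above."""
import csv
import io
from datetime import datetime, timezone

# Thresholds from the policy: flag at 30 days, disable at 60, delete/archive at 90.
FLAG_DAYS, DISABLE_DAYS, DELETE_DAYS = 30, 60, 90
# Documented break-glass accounts are reviewed by hand, never auto-actioned (assumed convention).
EXCEPTIONS = {"breakglass@example.test"}

def parse_ts(value):
    """Parse an ISO-8601 timestamp from the export; an empty cell means 'never signed in'."""
    if not value:
        return None
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)  # assume naive stamps are UTC

def triage(upn, last_sign_in, created, now):
    """Return 'keep', 'flag', 'disable' or 'delete' for one account."""
    if upn in EXCEPTIONS:
        return "keep"
    # Never-used accounts age from their creation date so stale invites are caught too.
    idle_days = (now - (last_sign_in or created)).days
    if idle_days >= DELETE_DAYS:
        return "delete"
    if idle_days >= DISABLE_DAYS:
        return "disable"
    if idle_days >= FLAG_DAYS:
        return "flag"
    return "keep"

def triage_export(csv_text, now):
    """Group every row of a user export by action; the output doubles as the audit evidence list."""
    report = {"keep": [], "flag": [], "disable": [], "delete": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = triage(row["upn"], parse_ts(row["lastSignIn"]), parse_ts(row["created"]), now)
        report[action].append(row["upn"])
    return report

# Constructed sample export (no real users) so the script runs offline.
SAMPLE_EXPORT = """upn,lastSignIn,created
alice@example.test,2026-02-27T09:12:00+00:00,2025-01-15T00:00:00+00:00
bob@example.test,2026-01-15T17:40:00+00:00,2025-01-15T00:00:00+00:00
contractor@example.test,2025-12-16T08:00:00+00:00,2025-06-01T00:00:00+00:00
ex-staff@example.test,2025-10-20T08:00:00+00:00,2025-01-15T00:00:00+00:00
never-used@example.test,,2025-11-20T00:00:00+00:00
breakglass@example.test,,2025-05-01T00:00:00+00:00
"""
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for action, users in triage_export(SAMPLE_EXPORT, NOW).items():
        print(f"{action:8s} {', '.join(users) or '-'}")
```

Keep the printed report with the date it was run; it is the evidence trail for each disable/delete and lines up with HR exit records.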

Move toward zero trust identity

  • Verify device trust before granting sensitive access.
  • Add location and risk-based conditions in policy (if your platform supports it).
  • Require session refresh for sensitive apps after a change in risk posture.
  • Treat identity as mutable: if role changes, so do access rights immediately.

5) Password policy enforcement that people actually follow

Passwords are not dead—but they need to be bounded by better systems.

Use password managers like 1Password or Bitwarden to remove “reuse + sticky notes” problems.

  • Enforce minimum length and complexity appropriate to risk.
  • Prevent use of common or breached passwords (check new passwords against breached-password lists).
  • Enforce unique credentials per service for non-MFA accounts (if any remain).
  • For admins and finance systems, require MFA and periodic re-authentication.
  • Store break-glass credentials in a controlled vault with auditing.

This is where security and operations teams often clash. Prevent it by making it “easy security”: install browser integrations, write a short password-manager onboarding guide, and set a two-week deadline.

Quick-win checklist: phishing-resistant MFA + dormant-account audit

Use this as your this-week operations checklist.

  • Enforced MFA for all users in Entra ID/Okta/Workspace/Authentik
  • Phishing-resistant MFA (FIDO2/YubiKey/passkeys) mandatory for privileged/admin roles
  • 1Password or Bitwarden rollout for all staff with MFA on the vault
  • SSO enabled for core business apps and enforced where possible
  • Exported user list and last-sign-in dates
  • Disabled accounts inactive for 30+ days
  • Removed unused global admin roles and shared account access
  • Added conditional access/session controls for finance and admin portals
  • Documented emergency MFA recovery and offboarding process
  • Reviewed and communicated policy updates with support team

FAQ

No. Start with the highest-risk business apps first: email, cloud storage, CRM, payroll, and remote access. SaaS apps without SSO support can keep password auth temporarily, but isolate them with stronger MFA and strict account review.

Not usually. For many SMBs, the cost lands close to the $5–$10/user/month target when using existing identity platform licensing plus low-cost hardware-backed factors and shared enterprise password manager seats. You can phase hardware keys first for admins and expand later.

Yes, if you stage rollout and use pilot cohorts. Pilot 10–20% of users, document exceptions, then expand in waves. Provide a short self-service setup guide and a dedicated support lane for onboarding week.

Use the same rules with practical exceptions. Contractors should get time-bound access, dedicated groups, and immediate deactivation at contract end. Legacy systems can be fronted through SSO where possible or put behind stricter network segmentation as a transition step.

Conclusion

Identity security is usually the first place where SMBs can get meaningful risk reduction in under a week. A practical pattern is: enforce phishing-resistant MFA, deploy SSO centrally, clean up IAM roles and dormant accounts, then embed zero-trust identity checks into daily operations. You do not need a perfect architecture first; you need to reduce easy attacker pathways with high confidence controls and measurable weekly review.

Your next step is simple: choose your identity platform for week one, set a freeze date for access policy exceptions, and run the quick-win checklist above. Visit consult.lil.business for a free cybersecurity assessment.

References

  1. NIST SP 800-63-3 Digital Identity Guidelines
  2. Australian Cyber Security Centre (ACSC) Essential Eight
  3. CIS Controls v8
  4. Microsoft Entra ID authentication and identity protection guidance
  5. Google Workspace SSO documentation


TL;DR

  • There's a trick that lets bad actors hide dangerous commands inside normal-looking Windows shortcut files — and 11 government-backed hacking groups have been using it since 2017 [1].
  • Microsoft knows about it but won't fix it [2].
  • You can protect yourself by controlling what files enter your network and what they're allowed to do.

The Simple Explanation

Imagine your desktop shortcuts are labelled doors. You trust the labels and walk through without thinking. Now imagine someone taped a secret instruction to the back of a door — hidden behind pages of blank paper — saying "quietly unlock the back window" [1].

That's this vulnerability. Attackers create shortcut files (.lnk files) containing hidden commands padded with megabytes of invisible space. Windows only shows the normal label. When you double-click, it runs everything — including the secret part [1] [3].

Trend Micro found nearly 1,000 booby-trapped shortcuts used by hacking groups from North Korea, Russia, China, and Iran [5] [6]. Microsoft says it doesn't qualify for a fix [2].

What You Can Do About It

You don't need to wait for Microsoft. Add your own locks:

  1. Block .lnk files in email. Nobody outside your company needs to send you shortcut files [7].
  2. Use application controls. Only approved programs should run — like a guest list for your house [7] [8].
  3. Watch for oversized shortcut files. Normal shortcuts are a few KB; weaponized ones are megabytes [1].
  4. Use EDR software. It reads hidden commands Windows won't show you and stops them before they run [10].
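A triage check for point 3 above, as an added example that is not part of the original post: it flags .lnk files that are unusually large or that contain a long run of blank UTF-16 characters, which is the padding the post describes. The size threshold, the run length and the sample blobs are assumptions; the only thing taken from the real format is the fixed shell-link header.

```python
"""Heuristic check for oversized or whitespace-padded .lnk files (defensive triage aid)."""
import re
from pathlib import Path

# ShellLinkHeader: HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
SIZE_LIMIT = 64 * 1024   # assumed threshold: ordinary shortcuts are a few KB
PAD_RUN = 1024           # assumed threshold: this many consecutive blank characters is suspicious

# UTF-16LE tab, LF, VT, FF, CR or space repeated; a long run is padding, not a real argument string.
_PAD_RE = re.compile(rb"(?:[\x09\x0A\x0B\x0C\x0D\x20]\x00){%d,}" % PAD_RUN)

def inspect_lnk(data: bytes) -> dict:
    """Return findings for one .lnk file's bytes; an empty 'reasons' list means nothing was flagged."""
    if not data.startswith(LNK_MAGIC):
        return {"is_lnk": False, "size": len(data), "reasons": ["not a shell link header"]}
    reasons = []
    if len(data) > SIZE_LIMIT:
        reasons.append(f"size {len(data)} bytes exceeds {SIZE_LIMIT}")
    m = _PAD_RE.search(data)
    if m:
        reasons.append(f"{len(m.group(0)) // 2} consecutive blank characters at offset {m.start()}")
    return {"is_lnk": True, "size": len(data), "reasons": reasons}

def scan_dir(root: str):
    """Yield (path, findings) for every .lnk under root that raised at least one reason."""
    for p in Path(root).rglob("*.lnk"):
        findings = inspect_lnk(p.read_bytes())
        if findings["reasons"]:
            yield str(p), findings

# Constructed samples: a header, zero-filled remainder, then a UTF-16 string (no real link data).
BENIGN = LNK_MAGIC + bytes(0x4C - len(LNK_MAGIC)) + "C:\\tools\\app.exe".encode("utf-16-le")
PADDED = LNK_MAGIC + bytes(0x4C - len(LNK_MAGIC)) + (" " * 200_000).encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(name, inspect_lnk(blob))
```

Run `scan_dir` over mail attachment quarantine or user download folders and feed anything flagged to the EDR or analyst queue; a hit is a reason to look closer, not proof of malice.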

FAQ

No — you must double-click it for the hidden command to run. Train your team to pause before opening unexpected files [3].

They consider it a display issue, not a security boundary break [2]. That's why layering your own defenses matters.

Big targets come first, but attackers reuse successful techniques on smaller ones. Building good habits now keeps you ahead [5] [10].

References

[1] Trend Micro Zero Day Initiative, "ZDI-CAN-25373: Windows .lnk File Zero-Day," Trend Micro, Mar. 2026.

[2] Microsoft Security Response Center, "MSRC Case Tracking," Microsoft, Mar. 2026.

[3] MITRE, "ATT&CK Technique T1204.002: User Execution: Malicious File," MITRE ATT&CK, 2025.

[4] CISA, "Known Exploited Vulnerabilities Catalog," CISA.gov, 2026.

[5] Trend Micro, "Water Hydra APT Group Exploits Windows Shortcut Vulnerability," Trend Micro Research, Mar. 2026.

[6] Mandiant, "APT Trends Report Q1 2026," Google Cloud Security, 2026.

[7] ASD Australian Signals Directorate, "Essential Eight Maturity Model," Australian Government, 2025.

[8] NIST, "NIST Cybersecurity Framework 2.0," NIST, 2024.

[9] Kaspersky, "APT Trends Report Q1 2026," Kaspersky Global Research, 2026.

[10] CrowdStrike, "2026 Global Threat Report," CrowdStrike, Feb. 2026.


Want help making sure your business has the right locks on every door — not just the ones your vendors choose to fix? Let's talk.
