2024-06-01

Why admins without MFA are your biggest risk

A single compromised administrator account can lead to a complete organizational breach. If that account doesn't have MFA, you are rolling the dice.

The most valuable target for any attacker is an administrator account. With admin privileges, they don't need to exploit complex vulnerabilities; they simply log in and use the built-in tools to extract data, create backdoors, or deploy ransomware.

Despite this, a staggering number of administrative accounts across organizations lack Multi-Factor Authentication (MFA).

The Path of Least Resistance

Why do admins end up without MFA? It usually comes down to friction.

  • Service Accounts: Teams create accounts for automated scripts and integrations. These accounts can't easily handle MFA prompts, so they are exempted.
  • Legacy Accounts: Early accounts created before MFA policies were enforced might slip through the cracks.
  • "Temporary" Access: An admin temporarily disables their MFA to troubleshoot an issue and forgets to turn it back on.

The Blast Radius

When an attacker compromises a standard user, the blast radius is limited to what that user can access. When they compromise an admin, the blast radius is the entire application, and often, the entire company.

If that application is a CRM like HubSpot, they have your entire customer list. If it is GitHub, they have your source code and potentially your deployment keys.

Enforcing the Baseline

You cannot protect what you cannot see. The first step is gaining visibility into every administrator account across your entire SaaS portfolio and verifying their MFA status.
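A minimal sketch of that first visibility step, added here as an illustration and not taken from Kastrum or the original post: it walks a constructed cross-app account inventory, flags admin-role accounts with MFA off, and tags each with one of the three causes listed above. The field names, role names and policy date are assumptions.

```python
from datetime import date

# Constructed sample inventory; field names are assumptions, not any vendor's export schema.
ACCOUNTS = [
    {"app": "GitHub", "user": "alice@example.com", "role": "owner", "mfa": True,
     "created": date(2023, 5, 2), "type": "human", "mfa_disabled_on": None},
    {"app": "GitHub", "user": "ci-deploy@example.com", "role": "admin", "mfa": False,
     "created": date(2023, 8, 14), "type": "service", "mfa_disabled_on": None},
    {"app": "HubSpot", "user": "bob@example.com", "role": "super_admin", "mfa": False,
     "created": date(2019, 3, 1), "type": "human", "mfa_disabled_on": None},
    {"app": "HubSpot", "user": "carol@example.com", "role": "super_admin", "mfa": False,
     "created": date(2023, 1, 9), "type": "human", "mfa_disabled_on": date(2024, 4, 20)},
    {"app": "HubSpot", "user": "dave@example.com", "role": "member", "mfa": False,
     "created": date(2018, 6, 6), "type": "human", "mfa_disabled_on": None},
]

ADMIN_ROLES = {"owner", "admin", "super_admin"}   # assumed normalised role names
MFA_POLICY_DATE = date(2021, 1, 1)                # assumed date MFA enforcement began

def classify(acct):
    """Return why an admin lacks MFA, using the three causes the article lists."""
    if acct["type"] == "service":
        return "service-account exemption"
    if acct["mfa_disabled_on"] is not None:
        return "temporary disable never reverted"
    if acct["created"] < MFA_POLICY_DATE:
        return "legacy account predating policy"
    return "unexplained"

def admins_without_mfa(accounts):
    """List (app, user, reason) for every admin-role account with MFA off."""
    findings = []
    for a in accounts:
        if a["role"] in ADMIN_ROLES and not a["mfa"]:
            findings.append((a["app"], a["user"], classify(a)))
    return sorted(findings)

def coverage(accounts):
    """Per-app fraction of admin accounts that have MFA enabled."""
    totals = {}
    for a in accounts:
        if a["role"] in ADMIN_ROLES:
            on, n = totals.get(a["app"], (0, 0))
            totals[a["app"]] = (on + a["mfa"], n + 1)
    return {app: on / n for app, (on, n) in totals.items()}

if __name__ == "__main__":
    for app, user, reason in admins_without_mfa(ACCOUNTS):
        print(f"{app:8} {user:24} {reason}")
    print(coverage(ACCOUNTS))
```

An "unexplained" result marks an admin without MFA that fits none of the three patterns and deserves a closer look first.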

If you want to understand why MFA coverage is no longer a best practice but a hard requirement, read "MFA is not optional anymore". For a broader picture of access risks affecting your SaaS stack, start there before planning remediation.

Kastrum continuously monitors your connected tools and immediately flags any user with administrative privileges who does not have MFA enabled, allowing you to close the gap before it is exploited. See how Kastrum works.