Breakpoint Blog

Benjamin Mossé • 07 Oct 2025

The Basics Aren't So Basic

Let’s drop the slogans and face the facts.
For a decade, people have preached “focus on the basics” as if saying it makes it so.
They’ve likely never tried to bring even a mid-sized organization up to those basics.

Take multi-factor authentication.
You start by identifying every app in use, only to find a swarm of shadow IT. You must understand what each app does, what data it handles, and who owns it. Then comes enrolling them all into SSO with MFA.

In sectors like healthcare, you’ll hit legacy apps that simply cannot do MFA. So you isolate them behind Zero Trust controls, if the vendor even cooperates.

Then there are shared accounts, old processes, contractual dependencies, systems that cannot be re-engineered overnight. Each requires negotiation, testing, coordination.

When you probe further, say with a social engineering test against your MSP or SaaS provider, you learn that MFA can be undone with one polite phone call. Another fire to put out.

Now multiply that across thousands of users, across every device, cloud, and app. That is what doing the basics really looks like.

Once that’s done, you then have to keep up with attack techniques against MFA…

“Focus on the basics”. The phrase sounds comforting. But comfort is not security.
It is time we stop preaching hygiene and start teaching how to manage authentication and credentials at scale, with realism, effort, and cost disclosed in full transparency.
