Multi-factor authentication on your admin accounts. Tick. The IT manager rolled it out, the directors grumbled for a week, everyone has the Microsoft Authenticator app on their phone, and the cyber insurance form has a green box next to it. Job done. Except that around 80% of the restaurant groups we audit at CloudMatters have the same gap, and it is not on the admins. It is everywhere else. The accounts that actually run your estate day to day - the ones the duty manager logs into at 4pm on a Friday - are still sitting on a single shared password that has not changed in two years.
This is the post I find myself writing in my head every time I leave a security workshop. The hospitality sector got the first 60% of MFA right and then stopped. The remaining 40% is where the attackers are now living, and it is worth being honest about why.
The mistake: MFA on email, nothing on the rest
When a hospitality group tells me they have rolled out MFA, what they almost always mean is that they have enforced it on Microsoft 365 or Google Workspace for head office staff. That is genuinely useful - email compromise is still the most common entry point for finance fraud - but it is one slice of a much bigger identity surface. The rest of the surface looks like this.
- Third-party SaaS tools that nobody put on the IT inventory: rota software, training platforms, food cost systems, allergen management, the marketing team’s email tool, the brand’s social scheduler. Most have MFA available. Most do not have it switched on, because nobody owns the account.
- Vendor portals: the broadband provider, the EPOS supplier, the cloud telephony platform, the access control system, the kitchen ventilation monitoring portal. These are the accounts a determined attacker uses to pivot from “I have your password” to “I have changed your call routing and I am intercepting your card payment failures.” If you run a VoIP or cloud telephony platform, the admin portal is part of your attack surface.
- Reservation platforms: ResDiary, SevenRooms, OpenTable, the bespoke booking widget on the website. These hold guest PII, payment tokens in some cases, and direct integrations into your EPOS. A reservation platform takeover is a data breach event under UK GDPR even if no card data moves.
- EPOS back-office: the cloud portal where you load menus, push price changes and pull Z-reads. Most are username and password only by default. A surprising number still allow concurrent logins from anywhere in the world with no alerting.
- PMS and channel managers in hotels: the same story, with the added joy that a compromise here lets the attacker move room rates, cancel bookings and email guests from a legitimate-looking address.
- Telephony and contact centre tools: 3CX, RingCentral, 8x8, Gamma - admin portals that, if taken over, allow call interception, number porting and toll fraud that runs into five figures over a weekend.
Every one of those is part of your identity perimeter. If MFA is not enforced on it, MFA is not really enforced.
Why shared accounts are a special category of risk
The honest reason most of these gaps exist is that the accounts are shared. Six duty managers use the same login for the rota tool. Three head chefs share the food ordering portal. The marketing team has one Canva account because the per-seat cost adds up. Nobody owns these accounts, the password was set by someone who left in 2023, and MFA is treated as “impossible” because you cannot bind a single phone to six people.
Shared accounts fail in three ways at once. The password rarely rotates, because rotating it means coordinating across a shift pattern. There is no audit trail, so when something goes wrong you cannot tell who did it. And the moment one person leaves, the credential is in the wild, because nobody is going to change it that afternoon. Add the fact that hospitality has 70%+ annual staff turnover in operational roles, and you have a credential that has effectively been published.
The real fix
The right answer is to eliminate shared accounts wherever the underlying platform allows it. Most modern SaaS tools have moved to per-seat pricing precisely because shared logins are a security and licensing nightmare. The cost objection is real but usually smaller than people think once you weigh it against the cost of a breach. Push your suppliers - and if a vendor still cannot offer per-user logins in 2026, that is a procurement signal in itself.
Where you genuinely cannot avoid sharing - a single tablet at the host stand, a kitchen display the whole brigade uses - the answer is a business password manager with secure sharing (1Password Business, Bitwarden, Keeper) and MFA enforced on the underlying service. The shared secret lives in the vault, not on a Post-it, and the vault itself is protected by per-user MFA. When a duty manager leaves, you revoke their vault access and the credential is no longer in their head or their notes app.
SMS is not enough in 2026
While we are here: SMS-based MFA is better than nothing, but it should not be your default in 2026. SIM-swap attacks are real, they are cheap to commission, and we have personally cleaned up after two of them in the last twelve months - both targeting hospitality finance directors. The attacker socially engineers the mobile network, ports the number to a SIM they control, and the SMS code arrives on their handset instead of yours.
App-based MFA (Microsoft Authenticator, Google Authenticator, Duo) is the sensible baseline for almost everything. For high-value accounts - domain admin, finance, the EPOS back-office - move to phishing-resistant factors. That means passkeys where the platform supports them, or hardware keys (YubiKey, Feitian) for the accounts that need to survive a determined attacker. A pair of hardware keys per privileged user costs about the same as a round of drinks and removes an entire category of attack.
Conditional access for hospitality
Once MFA is enforced everywhere it can be, the next layer is conditional access - rules that say “this login is only allowed under these circumstances.” For a UK hospitality group the policies that earn their keep are:
- Geography: block sign-ins from countries you do not operate in. If you have no sites outside the UK and Ireland, there is no reason for a Romanian IP to be hitting your finance director’s account.
- Device compliance: only allow access from devices that are managed and patched. This is where a managed network and a proper MDM rollout pay off, because you can actually enforce the rule.
- Risk-based: Microsoft Entra and Google both offer risk scoring on sign-ins. High-risk attempts should require step-up authentication or be blocked outright.
- Legacy protocol blocking: disable IMAP, POP and basic auth across the tenant. Most credential-stuffing attacks rely on these older protocols precisely because they bypass MFA.
None of this is exotic. All of it is included in licences your group is probably already paying for.
A one-hour audit you can run today
You do not need a consultant for this first pass. Block out an hour, get the IT manager and one ops person in a room, and work through the following.
- List every system the business logs into. Start with the head office app drawer, then walk through a duty manager’s day at site level. You will find ten to fifteen systems you had forgotten about.
- For each one, write down: is MFA available, is it enforced, is the account shared, and who owns it. Be honest about “enforced” - if it is optional and three people have skipped it, it is not enforced.
- Flag every shared account in red. These are your priority list.
- Flag every SMS-only MFA in amber. These are your week-two list.
- Check your Microsoft 365 or Google sign-in logs for the last 30 days. Filter for failed sign-ins from outside the UK. The number will surprise you.
- Check whether legacy auth protocols are disabled at the tenant level. If you do not know, they probably are not.
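To make the six steps above repeatable, here is an added example (written for this post, not CloudMatters tooling) that triages a constructed inventory sheet and a constructed sign-in export into the red, amber and not-enforced lists, counts failed foreign sign-ins in the last 30 days, and lists any legacy protocols still in use. The inventory columns, the sign-in column names and the HOME_COUNTRIES set are assumptions for this example; map your own export onto them.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
# Constructed inventory from step 2 of the audit: the system, the four questions, the owner.
INVENTORY_CSV = """system,mfa_available,mfa_enforced,shared,mfa_type,owner
Microsoft 365,yes,yes,no,app,IT manager
Rota tool,yes,no,yes,none,
Food ordering portal,yes,yes,yes,sms,
EPOS back-office,yes,yes,no,sms,Ops director
Reservation platform,yes,no,no,none,GM
"""

# Constructed sign-in export; the column names are assumed for this example, not a vendor's format.
SIGNIN_CSV = """date_utc,user,status,country,client_app
2026-03-02T08:12:00Z,fd@example.co.uk,Failure,RO,Browser
2026-03-02T08:13:00Z,fd@example.co.uk,Failure,RO,Browser
2026-03-03T11:40:00Z,gm@example.co.uk,Success,GB,Browser
2026-03-05T02:05:00Z,fd@example.co.uk,Failure,GB,IMAP4
2026-01-10T09:00:00Z,fd@example.co.uk,Failure,US,Browser
"""

HOME_COUNTRIES = {"GB", "IE"}  # countries the group actually operates in (assumed)
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage_inventory(inventory_csv):
    """Steps 3-4: red = shared accounts, amber = SMS-only MFA; 'available but not enforced' counts as no MFA."""
    buckets = {"red": [], "amber": [], "not_enforced": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["shared"] == "yes":
            buckets["red"].append(row["system"])
        elif row["mfa_type"] == "sms":
            buckets["amber"].append(row["system"])
        if row["mfa_available"] == "yes" and row["mfa_enforced"] != "yes":
            buckets["not_enforced"].append(row["system"])
    return buckets

def foreign_failures(signin_csv, now_iso, days=30):
    """Step 5: failed sign-ins from outside the home countries in the last `days` days."""
    cutoff = _ts(now_iso) - timedelta(days=days)
    return [r for r in csv.DictReader(io.StringIO(signin_csv))
            if _ts(r["date_utc"]) >= cutoff and r["status"] == "Failure"
            and r["country"] not in HOME_COUNTRIES]

def legacy_auth_seen(signin_csv):
    """Step 6: legacy protocols still in use, which means they are not yet blocked at the tenant."""
    return sorted({r["client_app"] for r in csv.DictReader(io.StringIO(signin_csv))
                   if r["client_app"] in LEGACY_CLIENT_APPS})
```

Run it against a real export and the two sign-in checks answer steps 5 and 6 directly; anything in the not_enforced list belongs on the same priority list as the red accounts.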
At the end of the hour you will have a one-page picture of your real identity posture, not the version that lives in the cyber insurance form. From there it is a prioritisation exercise, and most operators can close the worst of the gaps inside a fortnight.
MFA is not a tickbox. It is a programme, and the programme is not finished when the admin accounts are covered - it is finished when an attacker who steals one of your credentials cannot do anything useful with it. If you want a hand running the audit across your estate, that is exactly the kind of work our cyber security team does for hospitality groups every week. Drop us a line and we will scope it properly.