Blog | May 01, 2026
Blog: MFA May: one simple step to strengthen county cybersecurity
County governments manage a wide range of critical services and sensitive information, which make them an attractive target for cybercriminals. Fortunately, one of the most effective cybersecurity practices is also one of the simplest: multi-factor authentication (MFA).
That’s why TAC recognizes MFA May, a national effort to raise awareness about this important security tool.
What Is MFA?
Multi-factor authentication adds an extra layer of security when logging into an account. Instead of relying on just a password, MFA requires more than two forms of verification such as a code sent to your phone, an authentication app or a fingerprint.
It combines:
- Something you know, like your password
- Something you have, like your phone or a code
- Something you are, like a fingerprint or face scan
Even if a password is compromised or stolen, MFA makes it much harder for someone else to access the account.
Why MFA Matters for Counties
Many cyber incidents begin with stolen or guessed passwords, often through phishing emails. Once attackers gain access, they can move quickly to disrupt operations, access data or deploy ransomware.
Matt Bruns, TAC IT systems and security manager, said if the hackers are successful, the ramifications could be severe.
“There might be data loss and federal penalties for private health information that’s lost,” Bruns said.
According to the Cybersecurity and Infrastructure Security Agency, MFA makes users 99% less likely to be hacked.
“Not all cyber attacks result in a data breach, but if it does, a county may be down for weeks, months on end,” said Robert Ruiz, associate director of TAC Risk Management Services.
Cybersecurity Best Practices for County Governments
Though MFA is effective, it’s important for county employees to remain vigilant.
“There are ways where hackers can get around multi-factor authentication,” Bruns said. “So it’s still important, even if you do have multi-factor authentication in place, to be very careful about links that you click on or attachments that you open.”
Hackers occasionally use a technique called “MFA fatigue,” in which they flood someone’s MFA notifications until the person gives in and grants access. This happened in 2022 with Uber, which gave the hacker access to valuable information.
That’s why cybersecurity training is so valuable. TAC County Information Resources Agency (CIRA)’s cybersecurity course is educational, affordable and meets the requirements of Texas Government Code § 2054.5191.
Other cybersecurity best practices include:
- Refrain from using the same password for multiple accounts.
- Reduce the use of shared emails. The more people who have access to an account, the more likely it is to get compromised.
- Conduct an audit with a manager or county attorney to decide what personal information employees have access to.
“I think of MFA kind of like vampires,” Bruns said. “You might have the best locks and alarm systems, but if you open your door and invite them in, those things don’t matter.”
Setting up MFA
Though MFA may seem annoying, Ruiz says it’s worth it.
“MFA is inconvenient for the 30 seconds that we have to interact with it, but I’ll take that 30 seconds of inconvenience compared to what happens when we don’t have it,” Ruiz said.
Setting up MFA only takes a few minutes. TAC CIRA members with email services can add MFA for free by emailing support@county.org.
“MFA is a critical layer for cybersecurity,” Ruiz said. “It’s not a best practice anymore; it’s a baseline requirement that counties need to embrace. It’s probably one of the best returns on investment because of what it can do.”