It’s easier than ever for small businesses to use two-factor authentication to protect their data. Here’s why you should.
It might be tempting to think that your business is safe from cyber-attacks if it has virus protection and a firewall. Of course, that’s not true.
The reality is that endpoint security won’t keep out every attacker, nor will it stop data thieves who have stolen passwords.
And password-related crime is a big problem in Australia. In fact, Australian businesses lost $3.8 million to “business email compromise scams” in 2018, according to the Australian Competition and Consumer Commission (ACCC).
This includes breaches where attackers hacked business email systems and impersonated the intended payment recipient, ACCC Deputy Chair Mick Keogh stated this month.
Which is why it’s a smart move to use two-factor authentication (2FA). If you’ve used a one-time access code to access your bank account or transfer money, you’re already familiar with 2FA. By requiring that code, 2FA stops an attacker who has your password from accessing your account.
This defense measure is now so important that it’s mandatory for accounting software providers in Australia.
Peace of mind
The good news is that 2FA systems are now much easier for small and medium-sized businesses to use to protect other systems, such as Office 365, email and VPNs.
“Ten years ago 2FA was a complete pain. Now, you can get software tokens on phones. It’s available at a much lower entry point and with less complexity,” says Nick FitzGerald, Senior Research Fellow at cybersecurity company ESET.
Your employees can use their smartphones to access 2FA, and single-tap authentication eliminates the need to re-type codes.
Depending on your choice of 2FA system, setup and management can be straightforward. You, or your IT provider, install a 2FA application on a server, and Active Directory integration and a web-based console simplify setup and management.
FitzGerald recommends checking that the 2FA solution works with a wide range of applications. For example, if your employees use VPNs, you should check that the 2FA solution works well with the VPN as well as with their other critical applications.
Also keep in mind that 2FA ‘soft token’ apps provide better protection than purely SMS-based 2FA systems.
A 2FA application won’t stop all password-related attacks and isn’t immune to hackers – for example, it won’t prevent someone impersonating your managing director and convincing your finance manager to enter a 2FA code.
But it can minimise the risk of other phishing and social engineering attacks. And that should give you peace of mind if you’re concerned about your employees leaking passwords or losing a laptop.
Consider the risks
However, plenty of businesses haven’t woken up to the importance of 2FA, says FitzGerald. “Most people don’t think about two-factor authentication because they don’t see the value proposition,” he says.
He urges them to consider the repercussions of breaching various privacy regulations, such as Australia’s Notifiable Data Breaches scheme and Europe’s General Data Protection Regulation.
Customers won’t react well if you fail to protect their personal information. That’s a possibility if you’re storing sensitive information or passwords in emails or Office 365 accounts.
“The risk of PII (Personally Identifiable Information) breaches crippling your business is increasing. As a business owner, you should be considering these things,” FitzGerald says.