Simple security for every small business

If you’re a business owner, you really have your hands full, every day, with the minutiae of running your business, balancing your books, orders, employees, scheduling, inventory, servicing customers, payroll, taxes … well, you get the idea, as you’re living it every day.

But, did you notice something missing from that abbreviated list of what consumes your time?

Security.

Security was missing from that list.

You might read that and think that I’m crazy, that you do take security into account, and that your office and systems are secure. But frequently security is not part of the day-to-day operation of your business, which is why we see statistics like this:

In the first 6 months of 2019, alone, over 3,800 data breaches were reported, with over 4 billion records being exposed as a result. If you broke it down evenly, that would be over 20 million records stolen every single day this year.

Unfortunately, these stolen records can contain crucial information about us, the most prevalent being email address and password combinations or other user credentials. When bad actors get hold of these credential lists, they usually start a process known as “credential stuffing,” meaning they try the stolen credentials at pretty much every financial and social site available on the internet. You can be all but assured that some username and password combination you have used on the internet is on a list somewhere, being tried as I type this.

More bad news. Approximately 40% (conservatively) of all breaches targeted small to medium businesses (SMBs). I’ll stop there, as I could fill this article with examples, but I’m sure you get the point: data is a target, whether you want it to be or not.

With this in mind, it’s essential that you take preemptive steps to protect your data and your customers’ data by strengthening the protections of the technology these attackers are attempting to exploit.

The absolute best thing you can do to protect yourself is to use two-factor authentication (2FA) wherever you are able to do so. As indicated in its name, 2FA is a second “piece of evidence,” or factor (in addition to your username and password), that you must provide in order to log in to a site. That second factor can be biometrics such as a fingerprint, a short-lived SMS PIN code received on your cell phone, or authentication software on your mobile device.

With that in mind, if you use remote access to connect to your office and systems (who doesn’t nowadays?), and you are not set up with a Virtual Private Network (VPN) to connect, then you should absolutely be requiring 2FA on that remote login access. Absolutely. No exceptions. Ever.

You should also have 2FA on your office machine logins. Yes, inside the office as well, because like an onion, there are many layers to security. It might seem onerous to get a second code to log in everywhere, but that extra 30 seconds is nothing compared to the cost of having your office breached, data stolen, and accounts drained.

2FA is a problem for those hackers, because when a stolen password gets them past the first step of an account protected with 2FA, you’ve now increased the level of effort they have to exert exponentially, and they are going to move on to the next set of credentials.

Why are they going to move on? Because they are automating their attacks, they want to move with speed and scale, and with billions of credentials to cycle through, they are going to use the ones that don’t require 2FA, going for the ‘low-hanging fruit.’

Using 2FA helps you protect the data behind your login, whether it’s at your office, your payroll service, or your bank, as your password(s) are more than likely already compromised and available, even more so if you re-use a password across multiple sites. 2FA is just one of the many measures you can take. I started with this one because it is one of the simplest to implement and gives the ‘biggest bang for the buck.’

If you take away anything from this article, make it the following two nuggets of advice:

  1. Your credentials are already out there—it’s wise to accept that and move to point #2.
  2. You can protect yourself and your business by requiring two-factor authentication (2FA) wherever you can. And, if you’re entrusting a business with sensitive information and they don’t offer it, perhaps you should move to one that does.

Editor’s note: This article was originally published by SmallBizDaily.
