Two-factor authentication (MFA) – little pain, big gain
The rise and rise of the cloud
The use of cloud computing continues to grow rapidly. Packages such as Microsoft Office 365 and Google G Suite are very widely used across businesses of all sizes for a multitude of purposes, including e-mail, file storage and file sharing.
Legislative requirements are also driving wider adoption of functionally specific software, including cloud accounting to meet HMRC’s ‘Making Tax Digital’ requirements. Many businesses will be familiar with well-known packages such as Xero and QuickBooks Online.
Popular, but also a target
Whilst cloud computing is flexible, easily scalable and often the most cost-effective solution (especially for small businesses), there are risks, particularly around security. Popular products attract the attention not only of people seeking the benefits, but also the attention of cyber criminals. It is inevitable a proportion of users will not take even the most basic precautions to protect themselves. And with millions of users, this makes them a target.
The standard method for accessing cloud services is via a username and password. However, given the value of the data contained within businesses’ cloud-based systems, this is now widely considered to be a disproportionately weak approach.
Usernames are typically a person’s e-mail address; these are easy to find out or guess. And because people have so many different passwords nowadays, many people resort to things that are easy to remember. Easy to remember, but therefore also easy for password-cracking software to guess. Examples of commonly used passwords are: QWERTY, Password123, Pa$$word123
People also fall into the trap of using the same password across multiple systems. If one system is hacked, the door is then easily opened to many other accounts. For example, if your personal Facebook password is compromised, and you have used that same password for your work Office 365 account, then that work account becomes an obvious target. It does not take a criminal long via your LinkedIn profile to find out your current place of work, guess your work e-mail address and see if the password you used for Facebook gets you into the company systems.
Two-factor authentication – a big leap forward
Users are often unaware of readily available tools to manage the potential downsides. Two-factor authentication (2FA) is one of these key defence mechanisms. It is a very strong layer of protection that can be enabled on most popular cloud software. A practical example would be receiving a unique code to your mobile phone; you need to enter this in addition to your user name and password before accessing cloud services.
The common objection to 2FA is that it is an inconvenience to users. However, this objection needs to be compared with the significant uplift in security it provides. Consider the inconvenience and potential damage if your company’s cloud services were comprised by a cyber attack which would have been prevented by 2FA. And consider the inconvenience to the criminal who does not have your phone and therefore the code they need to attempt the hack in the first place.
The UK Government recognises the value of 2FA. The National Cyber Security Centre (NCSC) has published advice for business on its website:
https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services
In short, if 2FA is available and feasible to implement, the pros far outweigh the cons.
Good advice for work and home
2FA is one of the biggest single measures you can take to protect your business systems, but the advice is equally applicable to the services so many of us use in our personal lives. Facebook, Amazon and LinkedIn to name a handful of the most popular ones all support 2FA. The NCSC has also published information for individuals and families on this topic: https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa
Helpful links for enabling 2FA
These are external links to the providers help pages, but give detailed assistance on how to enable additional protection
