This article looks at the measures that all companies should take to ensure that their business accounts remain secure and protected.
Secure endpoints and BYOD
One of the first steps to consider is endpoint security. In the past, office work stayed on desktops housed within a single physical space. Now laptops and personal devices are used for remote work as much as they are in the office. While this has certainly been beneficial for wellbeing and productivity, it has also hugely increased the number of devices accessing company accounts.
While business devices are likely to be set up with a suitable level of security software, personal devices offer no such guarantees. Introducing a bring your own device (BYOD) policy is an excellent way to set expectations of the level of security that must be adhered to before company accounts and documents can be accessed on a personal device. In some cases, this could include providing antivirus and endpoint tools. Software prerequisites could be seen as contentious, so there must be transparency regarding exactly what tools are going to be installed and why.
A simple measure to protect accounts is to activate two-factor authentication (2FA) wherever it is available. When logging in from a new device, the user must provide both a password and a one-time code, often sent by text message or generated by an authenticator app. This means that a stolen password alone is not enough to get into the account.
A major benefit of 2FA is that many consumer services, such as online shopping, banking apps, and social media, already use it, so staff should already be comfortable with the process.
Use a password manager
Having strong passwords is a bedrock of cybersecurity and is especially important for business accounts. This is not too difficult with personal accounts, but when there are numerous users, each with their own login, every password is a potential entry point for an attacker and adds to the attack surface.
A strong password should combine uppercase and lowercase letters, numbers, and symbols, and be unique to every account. However, as this quickly becomes a burden for staff who switch between multiple accounts to do their work, there is a risk that some will opt for the convenience of simpler or reused passwords.
To balance convenience and security, consider implementing a password manager. With one in place, each user's passwords are stored and filled automatically, leaving them with just one strong master password to remember. Better still, many password management tools can also generate new passwords and offer administrative access for superusers.
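As an added illustration (not code from the original article or any particular password manager), the following script does three of the things a manager does for a team: it generates passwords from a cryptographically secure source, checks entries against the policy described above, and reports passwords reused across accounts. The minimum length and the sample vault are assumptions made for the example.

```python
import hashlib
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
MIN_LENGTH = 16  # assumed policy value


def meets_policy(password: str) -> bool:
    """Length plus at least one character from each of the four classes."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Draw from the secrets module (not random) and retry until the policy is met."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def weak_entries(vault: dict[str, str]) -> list[str]:
    """Accounts whose stored password fails the policy."""
    return sorted(account for account, pw in vault.items() if not meets_policy(pw))


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Groups of accounts sharing one password. Passwords are compared by digest
    so the report never carries the plaintexts."""
    by_digest: dict[str, list[str]] = {}
    for account, pw in vault.items():
        by_digest.setdefault(hashlib.sha256(pw.encode()).hexdigest(), []).append(account)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)


# Constructed sample vault for one user: two reused entries and one weak one.
SAMPLE_VAULT = {
    "mail": "Summer2024!Summer2024!",
    "crm": "Summer2024!Summer2024!",
    "vpn": "letmein",
    "payroll": "Tr0ub4dor&3xample!!",
}

if __name__ == "__main__":
    print("generated:", generate_password())
    print("weak:", weak_entries(SAMPLE_VAULT))
    print("reused:", find_reused(SAMPLE_VAULT))
```

Run on the sample vault, the audit flags "vpn" as weak and "crm"/"mail" as sharing a password, which is exactly the kind of report an administrator with superuser access would act on.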
Keep software up to date
Notifications while working can be a major distraction, knocking people off their rhythm and stalling concentration. It is no surprise then that so many simply opt for ‘remind me later’ when told that updates are available.
In the majority of cases, updates to applications, the operating system, or security tools are issued for a good reason, such as adding protection against a new threat or closing a security hole. Running devices that are not updated undermines your business security, so updates and patches should be applied as soon as they become available. Many services offer automatic updates, which should be switched on wherever possible so that no device with access to company accounts is left exposed to known vulnerabilities.
Review who has access
Within an organization, there will likely be regular changes in personnel over time. On occasion, clients, contractors, and freelancers may also require account access. These new users should be required to follow the same security policy as anybody else on your staff, but what happens when they leave or no longer need access? It is very easy to forget to revoke access, and the result is a growing number of unmonitored entry points. Keeping a close eye on who needs access and removing it as soon as it is no longer required is a simple and effective way to minimize your company's attack surface and protect your business accounts.
Similarly, the number of people with access to certain sensitive documents is often far higher than the number who actually need it. Being able to open files, or holding admin privileges simply because of one's position in the company, creates a string of unnecessary access points. Put simply, fewer active accounts and fewer privileges mean fewer avenues for a phishing scam or malware attack to succeed. Access to accounts, and the user permissions within them, should be closely monitored and, where possible, restricted to those for whom it is essential.
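The two paragraphs above describe a periodic access review. As an added example (not code from the original article), here is a small script that applies those rules to a user directory: accounts belonging to contractors whose engagement has ended, accounts that have never been used or have been idle beyond a threshold, and admin rights held by people whose role does not require them. The role names, the 90-day threshold and the sample directory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values for this example.
INACTIVE_DAYS = 90
ADMIN_ROLES = {"it-admin"}  # roles whose duties actually require admin rights


@dataclass
class Account:
    username: str
    role: str
    is_admin: bool
    last_login: Optional[date]            # None means the account has never been used
    contract_end: Optional[date] = None   # set for contractors and freelancers


def review_access(accounts: list[Account], today: date) -> dict[str, str]:
    """Return {username: finding}. Revocation findings take precedence over demotion,
    since an account that should not exist does not need its privileges trimmed."""
    findings: dict[str, str] = {}
    for a in accounts:
        if a.contract_end is not None and a.contract_end < today:
            findings[a.username] = "revoke: contract ended"
        elif a.last_login is None:
            findings[a.username] = "revoke: never logged in"
        elif (today - a.last_login).days > INACTIVE_DAYS:
            findings[a.username] = "revoke: inactive"
        elif a.is_admin and a.role not in ADMIN_ROLES:
            findings[a.username] = "demote: admin rights not required by role"
    return findings


# Constructed sample directory.
SAMPLE_ACCOUNTS = [
    Account("alice", "sales", True, date(2024, 5, 29)),                        # admin without need
    Account("bob", "it-admin", True, date(2024, 5, 31)),                       # legitimate admin
    Account("carol", "design", False, date(2024, 5, 18), date(2024, 5, 20)),   # contract ended
    Account("dave", "finance", False, date(2024, 2, 1)),                       # idle > 90 days
    Account("erin", "support", False, None),                                   # never used
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, date(2024, 6, 1)).items():
        print(f"{user}: {finding}")
```

Running it against a real directory export on a schedule, and treating every finding as a ticket to close, turns the "keep a close eye" advice into a repeatable process rather than a memory exercise.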
Reduce human error
While what looks like human error can occasionally be the work of a malicious user, it is usually the result of carelessness stemming from a lack of training and experience. For example, emails from banks, other companies, and even co-workers can look very genuine at first glance, only to be revealed as a phishing scam on closer inspection.
Similarly, many people do not think twice about connecting to free Wi-Fi at airports, train stations, and other public locations. In fact, not only are these networks often unsecured, but they are also common targets for cybercriminals looking to intercept the sensitive information being transmitted. Instead, you could provide employees who travel regularly with a dongle, a portable USB device that supplies its own internet connection. Staff who only occasionally need to work remotely can connect through a password-protected hotspot on their smartphone.
No matter how tech-savvy you or your employees are, most people have had at least one close call. While human error will remain the primary source of data breaches, regularly updated cybersecurity training will go a long way towards minimizing the risks. The most basic training package should ensure all members of staff are:
Aware of the risks to your business accounts
Able to identify suspicious activity (such as unsafe emails and websites, and unusual computer activity)
Knowledgeable enough to use tools such as a VPN in public places
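Two of the "suspicious activity" cues that such training teaches can also be checked mechanically, and seeing them in code makes them easier to explain to staff. This is an added example, not code from the original article or any mail-security product: it flags a sender whose display name claims a known organisation while the address domain does not belong to that organisation, and a link whose visible text names one site while the underlying URL points to another (or uses plain http). The directory of known sender domains and all sample headers and links are constructed for the example.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory: organisations staff correspond with and the domains
# those organisations really send from.
KNOWN_SENDERS = {"examplebank": {"examplebank.example"}}


def _site(hostname: str) -> str:
    """Reduce a hostname to its last two labels so www.x.example and x.example compare equal."""
    return ".".join(hostname.lower().split(".")[-2:])


def sender_findings(from_header: str) -> list[str]:
    """Display name says one organisation, address domain says another."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    compact_name = display_name.lower().replace(" ", "")
    return [
        f"display name claims '{org}' but address domain is {domain}"
        for org, domains in KNOWN_SENDERS.items()
        if org in compact_name and domain not in domains
    ]


def link_findings(anchor_text: str, href: str) -> list[str]:
    """Visible link text and real destination disagree, or the destination is not https."""
    findings = []
    target = urlparse(href)
    if target.scheme != "https":
        findings.append(f"link is not https: {href}")
    text = anchor_text.strip()
    if "." in text and " " not in text:  # anchor text that looks like an address
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and target.hostname and _site(shown) != _site(target.hostname):
            findings.append(f"link text shows {shown} but points to {target.hostname}")
    return findings


def message_findings(from_header: str, links: list[tuple[str, str]]) -> list[str]:
    """Combine sender and link checks for one message; an empty list means nothing was flagged."""
    findings = sender_findings(from_header)
    for text, href in links:
        findings.extend(link_findings(text, href))
    return findings


if __name__ == "__main__":
    # Constructed sample message that a trained reader should also catch by eye.
    sample = message_findings(
        "Example Bank Security <alerts@examplebank-verify.example>",
        [("www.examplebank.example/login", "http://examplebank-verify.example/login")],
    )
    for f in sample:
        print("-", f)
```

An empty result is not proof that a message is safe; the checks only confirm two of the cues from the training list, and the reporting process described later in the article still applies when something feels wrong.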
Develop a holistic security policy
For many smaller companies, it may feel as though the data breaches that make headlines are unlikely to affect day-to-day operations, and security is put aside because of limited resources. However, this is a dangerous strategy. When 60% of small and medium businesses fold within six months of an attack, the risks are too great. Security should not only be approached on a 'when, not if' basis, but also be integrated into daily operations.
While endpoint security is key to ensuring protection against threats, reducing human error, raising awareness, and ensuring best practices are adhered to can go a long way towards protecting company accounts.
In reality, most hacks and data breaches are not the result of elaborate targeted attacks, but of confidence tricks that draw out valuable information through phishing and similar techniques. One of the most effective ways to protect online accounts is to make sure that staff are fully trained and prepared to identify suspicious activity. Equally, it is important to have a clear process and chain of command for deciding who needs to be informed, and to ensure that staff feel comfortable raising concerns when they are unsure. Much like a fire drill, it is best to act quickly and decisively rather than hesitate.
Training should not be a one-off event and regular updates need to become part of the company culture, ensuring that the importance of personal responsibility is underlined and understood.