Your office is taking advantage of technology to make work more efficient and to stay informed. Tasks that would once have required running back to the office now take a click of a button; information once stored in dozens of file cabinets is available to whoever needs it the minute they need it.
Technology like smartphones and touchpads has made the modern world leagues more efficient as it becomes affordable to even the smallest businesses, but it’s not without its drawbacks: those small businesses now have to consider matters of security, device management, and more.
For this article, the focus is 2FA. Yes, 2FA is a little annoying. But you know what would be a lot more annoying? One of your employees losing their phone, and then your entire bidding folder leaking because of that one little slip-up.
This stat gets repeated a lot on this blog, because it’s always relevant: 2FA, or two-factor authentication, stops a whopping 99% of all bot attacks. That’s insane! Imagine a world where sparing an extra 30 seconds during a task like, say, getting in your car, would suddenly stop 99% of all accidents. Even seatbelts are not nearly that effective! A seatbelt reduces the risk of a life-altering injury or death by about half when worn correctly, according to the CDC, and it doesn’t stop the accident. Other industries wish they had some way to make their lives this much easier with such little work.
So – 2FA is important. But is it important for everyone in the organization, even the people who – in theory – don’t have access to much?
The answer is ‘yes’ there too. The state of the tech has changed. People who’d ordinarily interact with important files somewhat rarely are now able to interact with them on their phones. Additionally, files that were once hard physical paper are now digital. Employees who might be purely field technicians will still have access to systems via their Microsoft account that are valuable to hackers. If it’s data that needs to be secured, it’s data that needs to be properly secured, and proper security starts from the bottom with 2FA and goes up to correctly managed backups!
While lost devices can be locked, and accounts locked with them, it’s a risk that’s not worth taking. In the time it takes a technician to realize their device got left on a bus or went missing from their bag, it’s possible for someone to get to that device and guess the password. 2FA can stop that, and give IT time to lock the device and narrow down a location if the device has GPS enabled. Not to mention, it’s annoying and inconvenient to have to do that, and 2FA plus a good, strong password can turn a pants-on-fire emergency into a minor incident, where the problem is not the entire system but just the one device.
This also addresses the far more likely risk of an ex-employee successfully guessing a coworker’s password and getting into the system to wreak havoc – even if that employee’s password is known, the 2FA will provide some notification that someone’s trying to get in on a specific account and give that employee enough time to reset their password.
Think Twice
Obviously ransomware is terrible and you hope to avoid it, but other things – insider risks, phishing attacks, et cetera – can give quiet access to a bad actor who may be trying to do things like duplicate a company’s business contact list and walk off with it, rather than the Klaxon-alarm style hacking that ransomware operators are fond of. 2FA can help shore up weaknesses here, too!
As mentioned above, insider risk management has many facets to it, and correctly managing your company’s policies can help! First things first – employees who have left or who have been asked to leave should always be locked out, without exception, even if they left on good terms. Assume a best-case scenario, where the employee left and just happens to still have access that they never try to use. Well, great: there’s an unmonitored account floating around, and if someone gets into it, it may take too long to realize. An employee who left on bad terms should be locked out right away. However, a poorly secured system will have multiple ways to get in, and a former employee actively looking to harm a business might know some of them.
Going back to shared accounts: if they know the password, they can reset it – and lock out the other people who were supposed to have access. If they know another employee’s password, they might reset it, but they might also do something like quietly log in, move some things into or out of a shared drive, and then quietly log out. Today’s Microsoft is pretty good about warning when a new device has accessed an account, to the point that it’s almost kind of annoying, but that’s a notification that happens after the login has already occurred. If an employee has 2FA enabled, they get a notification before the bad actor has access to their account!
Some general rules:
There should not be shared accounts. Not only does it make it basically impossible to give access to everyone who’s ‘supposed’ to have it in a timely manner and still have 2FA on it (which is its own can of worms!), it also makes accountability much tougher. If three people work together from the hours of eight to five, and one of them used a shared account that manages faxes to send something they shouldn’t have, is it possible to prove who did it if nobody wants to own up to it? Are you going to have to install cameras and then wait until another incident happens to figure out who did it? The lack of 2FA is only the beginning of the problems this can cause. You’re better off not doing this for many reasons; 2FA is only one of them.
2FA should be enforced! This seems obvious, but a lot of businesses operate on the assumption that employees will always be perfectly responsible and turn it on voluntarily. Nobody’s perfect! While making it optional grants a bit of additional flexibility in allowing them to turn it off, making it mandatory means nobody can ever forget to turn it back on. The good news is that modern Microsoft has very flexible policies, so if a phone number isn’t working, it can send to an email instead, or vice versa.
Finally, employees should know what 2FA is and what it’s meant to do! 2FA is crucial – if employees don’t believe it’s crucial, they may try to avoid it. Sharing the details on what 2FA actually does and why it’s needed is important for employees to buy into the idea. Knowing what it does and when to expect it can also put a stop to some of the more common social engineering scams.
For instance – if you have 2FA set up with your bank, you’ll see a note warning you to never share that number with anyone else, and that nobody will ever call you to ask for it. If an employee is being phished, having that note attached might give them enough pause to ask a manager for advice, or hang up on the scammer. This is a step that would be missed without 2FA, and whoever got a password out of the employee just by calling might then cause problems for the business. Correctly training employees and enforcing 2FA makes some of these scams obsolete!
In Summary
While 2FA should not be the only protection your business has, it is a very valuable one, and it is the front line in stopping bot attacks on your employees. In today’s age, it’s never been easier to implement or more secure! A simple Microsoft policy can ensure your employees will be guided through setting it up the next time they log in. A system administrator can also manually add numbers or backup emails to a Microsoft account, so the inconvenience of actually getting locked out is reduced to basically nothing more than talking to IT.
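One concrete way to put the "2FA should be enforced" rule into practice, as an added example that is not part of the original post: an Entra ID Conditional Access policy created through Microsoft Graph PowerShell that requires MFA for every user and every cloud app, so anyone without a registered method is walked through setup at their next sign-in. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and that you keep an excluded emergency-access account; the account name is a placeholder.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph
# PowerShell module and an admin with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Assumption: a dedicated emergency-access ("break-glass") account is excluded
# so an MFA outage cannot lock every administrator out. Placeholder name below.
$breakGlassUpn = "breakglass@contoso.example"
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"

$policy = @{
    displayName   = "Require MFA for all users"
    # Start in report-only mode to see who would be affected in the sign-in
    # logs, then change this to "enabled" to actually enforce it.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy '$($created.DisplayName)' in state $($created.State)"
```

Review the report-only results before switching the state to "enabled", and register a second method (phone plus email, or an authenticator app) for the break-glass account so the exclusion itself is not a weak spot.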
Speaking of talking to IT – if this sounds daunting to set up, or if you’re looking for someone to help shore up weaknesses like a lack of 2FA, talk to us! We’re an MSP. Essentially, we act as the IT department for businesses that can’t have or can’t keep an IT department, whether it’s because the business is too small to justify the price tag of having a full employee who only does IT, or because there simply doesn’t seem to be a good fit out there. We can custom-fit a plan to get your business on track to true IT safety, with comprehensive Microsoft policies, enterprise-level software, and a team that’s entirely located right here in beautiful Las Vegas. We’ll set up 2FA, we’ll get policies rolling, and we’ll get you secured! Call us or schedule an appointment for a quote and a system overview here: https://elixistechnology.com/contact/