In this blog, Nic Sarginson, Senior Solutions Engineer, Yubico, offers a few simple tips to help businesses shore up their security posture and reduce the risk of online fraud and cybercrime.
Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts. The company’s core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data stored in servers. Yubico is a leading contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor open authentication standards, and the company’s technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries. Founded in 2007, Yubico is privately held, with offices in Sweden, UK, Germany, USA, Australia, and Singapore. For more information: www.yubico.com.
You probably agree with the fundamentals of keeping your physical premises safe. You lock doors and windows, set a burglar alarm and keep valuables shut away. Perhaps you’ve installed a camera or two or hired a security guard.
But what about securing your online identity?
In today’s ultra-connected landscape, there is no escaping the need to protect digital assets. From ecommerce businesses using an array of different digital tools and datasets, to predominantly offline organisations simply looking to keep their email and social media accounts safe and secure, all SMEs need to think about online security.
There are many different aspects to following good online security hygiene, and in this blog you will find a five-point guide to help you shore up your security posture and reduce the risk of online fraud and cybercrime.
Step One: Strengthen your passwords
This is perhaps the most recognisable pillar of online security because it is the most widely used form of authentication. However, poor password practices — keeping default settings, using common passwords like ‘password’ or ‘123456’, or repeating them across many different accounts or services — continue to plague users. All of these leave you vulnerable to even the least skilled attackers.
A report carried out by Ponemon and Yubico found that 51% of individuals in the UK reuse an average of five passwords across business and personal accounts. This makes your accounts far easier to hack, and by gaining access to one account, an attacker could quite easily crack another.
Let’s make these issues a thing of the past. The first logical step to strengthen your online security is to introduce complex passwords using a series of letters, numbers and symbols and avoid memorable dates, names or locations. If you’re worried about remembering multiple credentials, introduce a password manager like Dashlane or LastPass; these can store and generate unique, complex passwords to keep sensitive or important information safe.
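The two habits the paragraph above recommends, generating a unique random password for every account and never reusing one, can be checked mechanically. The following is an added example written for this post, not Yubico's code and not how Dashlane or LastPass are implemented; the common-password list and the sample vault are constructed for illustration, and the thresholds (12 characters, three character classes) are assumptions rather than figures from the post.

```python
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Constructed list of the kind of weak passwords the post names; a real
# check would use a much larger breached-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in SYMBOLS)
    return sum(any(check(c) for c in password) for check in checks)


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG, the way a password
    manager does, rejecting any draw that misses a character class."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def password_problems(password: str, min_length: int = 12) -> List[str]:
    """Return the reasons a password falls short of the guidance above."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group accounts that share a password, without echoing the password."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


# Constructed sample vault (account name -> password) for the audit below.
SAMPLE_VAULT = {
    "email": "password",
    "crm": "Summer2019!",
    "bank": "Summer2019!",
    "payroll": "kQ7#vLm2pX!9wZ",
}


def audit(vault: Dict[str, str]) -> dict:
    """Report reused passwords and per-account weaknesses for a vault."""
    weak = {acct: password_problems(pw) for acct, pw in vault.items()}
    return {
        "reused": find_reused(vault),
        "weak": {acct: probs for acct, probs in weak.items() if probs},
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VAULT))
    print("replacement for 'email':", generate_password())
```

Running the audit on the sample vault flags the shared "crm"/"bank" password and the common "email" one; the rejection loop in `generate_password` is what guarantees every generated replacement satisfies the same policy it is checked against.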
If you want to eradicate passwords altogether, consider enabling passwordless authentication. Earlier this year, FIDO - of which Yubico is a member - and W3C jointly introduced WebAuthn, a standard that allows all major browsers to support passwordless authentication through hardware keys or secure authenticator apps. We have been working closely with Microsoft to implement the new standard, with users now able to log in to personal Microsoft accounts with a touch of the YubiKey; you can read more about our partnership and supported services here.
Step Two: Avoid sharing important credentials
It doesn’t matter how strong your passwords are – if you share them with other users, no matter how trusted you think they are, you have ruined their effectiveness. The same research found that a massive 69% of users share passwords with colleagues for account access.
While it is easy to understand why organisations, particularly SMEs, may feel that sharing credentials is operationally useful - enabling colleagues to quickly get access to key information and services - it puts the organisation at a huge security risk. It is far better to ensure that each individual user has access to exactly the services and information they need, and that materials requiring shared access are placed in collaborative structures like Google Drive (which has added two-factor authentication).
Step Three: Only use trusted partners and services
Your organisation is only ever as secure as the least secure partners and services it is connected to. If you provide a third party with a list of all your customers’ names and contact details, perhaps for marketing purposes, and that third party suffers a security breach, then you remain responsible under the terms of regulations such as GDPR. There can be an enormous knock-on effect in terms of your reputation and your bottom line.
Don’t be afraid to ask third-party partners and services to demonstrate, in great detail, how they are going to protect your data and your network. Ask for certifications, references, authentication methods and credentials where relevant.
Step Four: Don’t open untrustworthy links
Links to compromised websites or infected content are one of the easiest ways for cybercriminals to trick or coerce individuals within your organisation into allowing them access. It is important for all staff, from the most junior to the most senior, to be aware of this risk, and to avoid opening links from unvalidated sources or those that look like they have been compromised. This requires a comprehensive and dynamic approach to educating users on safe online practice.
Step Five: Deploy two-factor authentication (2FA) for ultimate protection
2FA (two-factor authentication) is one of the most cost-effective and reliable means of increasing your organisation’s online security and shoring up weak password practices.
Yet despite the well-documented benefits of 2FA, the same research by Ponemon and Yubico found that 67% of respondents do not use any form of two-factor authentication in their personal life, and 55% do not use it at work. This leaves room for improvement.
2FA involves adding an additional layer of verification beyond an initial password or PIN – making use of either something the user knows (another password or code), something they are (biometric data such as a fingerprint) or something they have (an additional method such as a YubiKey, which delivers strong hardware protection with a simple touch).
Online security is a multifaceted and ever-changing field, but by getting these basic principles right, even the smallest business can make a significant difference to its security posture.