
How to create an effective data security strategy for your business – starting with 2FA

Businesses face a growing cyber threat but many aren't taking steps to protect their data. Here's how multi-factor authentication can help.

Small and medium-sized enterprises (SMEs) are under constant threat from cyberattacks.

But there are relatively simple steps businesses can take, such as implementing two-factor authentication (2FA), that will help stop most threats.

Read on for advice on how you can get started on an effective data security strategy for your organisation.


What is 2FA and what does it mean for businesses?

In simple terms, 2FA is an electronic authentication method that lets the right users in and keeps the bad actors out.

2FA uses two factors to verify a user.

When 2FA is applied to a website, service or application, an individual will only be granted access once they have provided two forms of verification.

Let’s think of an example.

You add 2FA to your email account, which means anyone trying to access your account will need two forms of verification to access your email.

These forms – or factors – of authentication fall into the following three categories:

  • Something you know, such as a PIN or a password
  • Something you have, such as a mobile phone or secure USB key
  • Something you are, such as fingerprint or facial recognition.

2FA provides an additional layer of security for users, businesses and the potentially sensitive information they hold.

Some SMEs might be concerned that adding required authentication factors creates an extra burden for their business and its users.

However, as we’ll explain below, 2FA is a minor adjustment that could save your organisation from some major problems.

Why are SMEs more vulnerable than larger businesses?

If you’re looking for a straightforward explanation as to why you should apply 2FA, then perhaps the easiest answer is this: it will make your business more secure.

The US Securities and Exchange Commission says SMEs are attractive targets because they’re easier to hack than larger organisations.

The reason is simple: SMEs face the same threat landscape as larger organisations but must do so with far fewer resources.

While most businesses (53%) believe their IT budgets will grow during the next 12 months, larger organisations remain more optimistic about the future: 64% of enterprises plan to raise IT budgets versus 45% of SMEs, reports Spiceworks Ziff Davis.

Large enterprises have been aware of the potential cyber risk for a long time, and may even have been the target of a cyberattack.

In most cases, enterprise IT chiefs are matching an increased understanding of cyber risk with a commensurate investment in security.

And many smaller firms are now adopting a range of security measures for the first time, partly due to the need to support increased levels of remote working.

SMEs globally will spend $90bn (£69bn) on cybersecurity in 2025, up from $57bn (£44bn) in 2020, which represents a 10% year-on-year increase, according to researcher Analysys Mason.

Why does my business need tighter security policies?

SMEs need to implement a range of IT security controls to ensure their staff and their data are safe in a world of hybrid working.

There’s been a dramatic rise in the number of SME employees working from home due to the coronavirus pandemic.

What’s more, many of them will continue to work from home – at least for some of their working week.

Research suggests this shift to remote working has left small business owners feeling nervous.

More than three-quarters (76%) of IT decision makers in SMEs say they have more security concerns since the start of the pandemic, according to a survey by market research specialist Dynata and Avast.

Modern businesses are heavily reliant on an ever-increasing range of applications across devices.

Once employees are outside the safe confines of the enterprise firewall, it can be harder to ensure they’re working securely.

What are the potential costs of not using 2FA?

Microsoft has estimated that as many as 99.9% of the compromised accounts it tracks don’t use two-factor authentication.

Worse still, its research suggests just 11% of businesses globally have 2FA enabled to help protect highly sensitive information.

But what’s the worst thing that could happen if a user’s account is accessed?

Does it really matter if someone’s email or another business service is cracked open?

The simple answer is yes—and the potential damage could be catastrophic.

Credentials are the top category (44%) of compromised data in global SME breaches. Simple services such as email are often the gateway to a much bigger prize.

A corporate email account can include sensitive information, such as contract details and customer information.

Once an errant individual has access to one system, they’ll find it much easier to use the information they glean to access others—and the costs to your business can be great.

Almost a quarter (23%) of small businesses suffered at least one cyberattack in the past 12 months, according to insurer Hiscox.

The average annual financial cost of these incidents was as much as $25,000 (£19,000).

Building the reputation of your business takes years of work. This effort can be undone in minutes by a cyberattack.

Some estimates suggest 60% of small companies go out of business within six months of falling victim to a data breach or cyberattack.

Then there’s the potential financial damage from an attack.

From business disruption costs to legal fees and on to regulatory fines, small businesses that fail to keep their data safe could find themselves facing a significant and potentially unsurmountable bill.

Even if a company does survive, it’ll then face the remedial costs of putting business right after an incident.

Correcting those issues after the event will likely cost a lot more than a preventative solution that’s as simple to implement as 2FA.

Why should you update your defences and policies?

Cybersecurity remains a constant area of risk for businesses.

But the good news is that 90% of professionals now consider privacy a business imperative, according to Cisco.

In fact, more than 60% of professionals believe they’re getting significant business value from investing in IT security.

2FA is a straightforward tactic that stops most unauthorised access.

When something so simple can have such a large impact, can you really afford to not put the right processes and policies in place?

Consider applying 2FA as part of a three-step approach to security:

Assess your options

Most leading software tools now include built-in options for 2FA.

SMEs that want to take a holistic view of 2FA should consider a layered approach that provides policies, capabilities and dashboards to monitor and assess authentication to services.

Train your employees

There’s no point going to the trouble of implementing 2FA if some people aren’t using the technology.

Your security will only be as strong as the weakest point in the chain, so make sure 2FA is the business standard. Every employee should be signed up and every login to a system that holds sensitive data should require two-factor authentication.

Review your tactics

Implementing effective cybersecurity is an evolving process.

Whatever tactics you employ, the people who are trying to hack your systems will find new ways to put your data at risk.

Any IT security policy – including using 2FA – must be subject to a regular review to ensure data is protected. Create a plan for incidents and test worst-case scenarios.

A business that prepares is one that’s most likely to deal with a crisis successfully.
