How to create an effective data security strategy for your business – starting with 2FA

Small and medium-sized enterprises (SMEs) are under constant threat from cyberattacks.

The good news is that businesses can take relatively simple steps that will help stop most threats. And implementing two-factor authentication (2FA) is a great way to get started on an effective data security strategy for your business.

Here’s what we cover:

• What is two-factor authentication?
• Why are SMEs more vulnerable to cyberattacks than larger businesses?
• Why does my business need tighter security policies?
• What are the costs of not using 2FA?
• Why should I update my business’s defences and policies?

What is two-factor authentication?

Two-factor authentication (2FA) is an electronic authentication method that keeps the bad actors out and lets the right users in.

When 2FA is applied to a website, service, or application, an individual will only be granted access once they have provided two forms – or factors – of verification. 2FA provides an additional layer of security for users, businesses, and the potentially sensitive information they hold.

For example, when you add 2FA to your email account, anyone trying to access that account will need two forms of verification. 

These fall into three categories:

• Something you know, such as a PIN or password,
• Something you have, such as a mobile phone or secure USB key, and
• Something you are, such as your fingerprint or facial recognition.

Some SMEs may be concerned that adding required authentication factors will add to the burden on their company and its users. However, as we’ll see below, 2FA is a minor change that could save your company from major problems.

Why are SMEs more vulnerable to cyberattacks than larger businesses?

SMEs are attractive targets because they’re easier to hack than larger organisations. This is because SMEs face the same threat landscape as larger organisations, but most have fewer resources to detect and respond to threats. What’s more, large businesses have been aware of the potential of cyber risk for a long time and may even have been the target of a cyberattack.

In most cases, enterprise IT leaders match a greater understanding of cyber risk with a corresponding increase in security investment. South African corporations are investing more resources in security because they are acutely aware of the risks posed by cybercriminals exploiting the changing work environment. In fact, research found that 41% of South African businesses reported spending more on cybersecurity than the industry average in the wake of COVID-19.

Smaller firms are now adopting a range of security measures for the first time, partly due to the need to support increased levels of remote working.

SMEs globally will spend $90bn (R1.4 trillion) on cybersecurity in 2025, up from $57 billion in 2020, representing a 10% year-on-year increase.

Why does my business need tighter security policies?

SMEs need to implement a range of IT security controls to ensure their people and data are safe in a hybrid working world, which many businesses believe will become the norm.

Understandably, the shift to remote working has made small business owners nervous. Modern businesses rely heavily on a growing number of applications across devices. When employees leave the confines of the enterprise firewall, it can be more challenging to ensure they are working securely.

In fact, more than three-quarters (76%) of IT decision-makers in SMEs say their security concerns have increased since the start of the pandemic.

Simply put, applying 2FA will make your business more secure.

What are the costs of not using 2FA?

Microsoft has estimated that as many as 99.9% of the compromised accounts don’t use two-factor authentication. And just 11% of businesses globally have 2FA enabled to help protect sensitive information.

But what is the worst that could happen if a user’s account is compromised? Is it really important if an outsider accesses someone’s email or another business service? The simple answer is yes, and the consequences could be disastrous. Services such as corporate email are often the gateway to a much bigger prize, such as user credentials, contract details, and customer information.

Once an unauthorised individual gains access to one system, they will find it much easier to use the information they obtain to gain access to other systems — and the costs to your company can be significant.

The Mimecast State of Email Security 2022 report found that 94% of South African companies have been targeted by an email-related phishing attack in the past year, with nearly two-thirds citing an increase in such attacks.

Building your business’s reputation takes years of work that can be undone in minutes by a cyberattack. Some estimates suggest that 60% of small companies go out of business within six months of falling victim to a data breach or cyberattack.

Then there are the financial ramifications of an attack. Small businesses that fail to protect their data may face significant and potentially insurmountable costs, ranging from business disruption costs to legal fees and regulatory fines. Even if a company survives, the costs of damage control will be incurred immediately following an incident.

Correcting those issues after the event will almost certainly be much more expensive than a preventative solution as simple to implement as 2FA.

Why should I update my business defences and policies?

Cybersecurity is a constant and evolving area of risk for businesses. 

According to Cisco, 90% of professionals now consider privacy a business imperative, and more than 60% of professionals believe they get significant business value from investing in IT security.

2FA is a straightforward tactic that stops most unauthorised access. When something so simple can have such a significant impact, can you really afford not to put the right processes and policies in place? 

Consider applying 2FA as part of a three-step security approach:

1. Assess your options

Most leading software tools now include built-in options for 2FA.

SMEs that want to create a holistic security solution including 2FA should consider a layered approach that provides policies, capabilities, and dashboards to monitor and assess authentication to services.

2. Train your employees

It’s pointless going to the trouble of implementing 2FA if some people aren’t using it.

Your security is only as strong as the weakest link in the chain, so make sure 2FA is the business-standard. Every employee should be registered, and any login to a system containing sensitive data should require two-factor authentication.

3. Review your tactics

Implementing effective cybersecurity is an evolving process. Whatever tactics you employ, the people trying to hack your systems will find new ways to put your data at risk.

Any IT security policy – including using 2FA – must be subject to a regular review to ensure data is protected. Create a plan for incidents and test worst-case scenarios. A business that prepares is one that’s most likely to deal with, and recover from, a crisis successfully.