Securing Your Business Accounts - The Basics


As a departure from the norm, we are going to do a crash course in digital asset security: put simply, how to protect your business's online accounts and why it matters.

Let's talk about the why first.

According to the ITRC (Identity Theft Resource Center), a staggering 73% of small businesses reported suffering some form of cyber attack in 2023. - link

If you are not a nerd or IT company operator, there is a good chance you are using the same passwords across multiple accounts online.

This is a huge problem for a myriad of reasons, and it gets significantly worse when your bad password habits carry over to your business accounts. It is worse still when the passwords themselves, not just the habit, cross from personal to business: a breach at any consumer site you once signed up for then hands an attacker a working login to your company.

Imagine waking up one morning to find your business Facebook page full of crypto ads, your email accounts no longer accessible, or your cloud storage wiped. Or, even more embarrassing, your internal conversations, future plans, or customer data stolen and leaked. It happens every day.

Even if that data or those accounts are fully (or partially) recoverable, at a minimum it is going to take a massive toll on your business in time, money, or both.

Still using the same password and email you created in middle school? There is a very good chance you're not the only one who knows it now.

I recommend checking your email address on "haveibeenpwned" to see if it has appeared in any known breaches. - link

The good news! These kinds of threats are almost completely preventable and it's not incredibly hard to do.

1) Passwords, Passwords.

The most frequent compromises can be mitigated by using strong, unique, randomly generated passwords for every online account.

You are not trying to stop a human from guessing your password; you are trying to stop software that tries billions of guesses per second, starting with every password already leaked in past breaches.

Here lies the problem - how do you remember them all?

Unless you are Rain Man, you probably can't.

That's where a password manager comes in.

A good password manager does three things:

  • It securely saves and autofills passwords for you.

  • It offers a password generator to create new strong passwords.

  • It gives you tools to manage, share, and revoke access to specific credentials with specific people or groups as your organization grows (or shrinks).
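To make the "prevent computers" point concrete, here is an added example (not code from the original email or from any password manager) of what a generator does and why length and alphabet size matter. It draws from the operating system's cryptographic random source (Python's `secrets`, never `random`), requires every character class to appear, and estimates how long an offline brute-force attack would take. The cracking rate of 1e11 guesses per second is an assumption standing in for a GPU rig against a fast hash; real rates depend on how the site stores its passwords.

```python
import math
import secrets
import string

# Character classes a typical manager's generator draws from (assumed set).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALPHABET = "".join(CLASSES.values())  # 76 symbols


def generate_password(length: int = 20) -> str:
    """Draw each character from the OS CSPRNG and require every class to appear,
    resampling otherwise so the result is uniform over the accepted set."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES.values()):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try every candidate at an assumed offline cracking rate
    (1e11 guesses/s is an assumption, not a measured figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, length, size in [
        ("8 lowercase letters (a human-chosen habit)", 8, 26),
        ("20 characters from the generator alphabet", 20, len(ALPHABET)),
    ]:
        bits = entropy_bits(length, size)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
    print("example:", generate_password())
```

The comparison is the lesson: an 8-character lowercase password is about 38 bits and falls in seconds at the assumed rate, while a 20-character generated one is about 125 bits and is out of reach of any brute-force attack. That only holds if the password is unique; a reused password is found by lookup, not by guessing.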

Note: I want to reiterate something here - this is NOT a comprehensive guide and it does not cover all threat types. This is just the most common type of mistake and one of the easiest to solve.

The next obvious question - why would you trust a single account (password manager) to store the logins to all your other accounts?

A good password manager is routinely audited by outside security firms. More importantly, it uses zero-knowledge (sometimes called zero-access) encryption: your vault is encrypted on your own device with a key derived from your master password, so the company never sees the plaintext. That one master password is the only one you still need to know and remember, so make it long and unique, never reuse it anywhere, and turn on MFA for the manager itself.

Note: Proper zero-access encryption does not just keep the company behind the manager out of your data. It also means that if that company is breached and vaults are stolen, the attacker still cannot read them without each user's master password.

My choice for a password manager is Bitwarden.

Bitwarden meets every point I would want from a manager. The technology is open source, the code is reviewed, tested, and audited frequently, and it offers all the tools you could need for both personal and business use cases.

This could get long so I am not going to dig into how to use it here - Bitwarden has great documentation - link

FYI - if you want a breakdown of “how” reply to this email and let me know. If there is enough interest I'll create that and share it.

2) MFA - Multi-Factor Authentication

What is MFA or “multi-factor authentication”?

If you have ever had an account where, after inputting your password, you were sent a text message or email with a code or needed to accept a prompt on your phone to verify your sign in attempt, you have encountered MFA.

There are many types, and in most cases turning on any form of MFA is better than none.

The primary types of MFA (least secure to most secure):

  • SMS (text message)

  • Email

  • Prompt (trusted device)

  • TOTP (Authenticator App)

  • Hardware Key (FIDO)

It is a heavily debated topic, but generally SMS is considered the least secure (a phone number can be stolen from your carrier by SIM swapping) and hardware keys the most secure. The hardware key is also the only option on this list that cannot be phished: it checks the site's real address before answering, so a lookalike login page gets nothing. Every other method, TOTP included, can be relayed by a real-time phishing page, which is why you should never type a code into a page you reached from a link.

For most people, I recommend TOTP, or "Time-based One-Time Password". This is often called "Google Authenticator" or just "Authenticator App".

TOTP or an Authenticator App is great for a few primary reasons:

  1. It does not need an internet connection: the code is computed on your phone from a stored secret and the current time.

  2. It does not need a phone number, so SIM-swapping attacks against your carrier do not affect it.

  3. The secret never leaves your phone, so a password breach at the site does not expose it. (The six-digit code itself can still be phished in real time, so only ever enter it on the real site.)

  4. It is widely supported and quick to set up.

I am not going to explain the technology today, but here are some links if you are interested:

Basics of TOTP by Keeper Security - link
More Technical Breakdown by Vaughn - link

But it essentially works like this:

  1. You download an authenticator app on your phone.

  2. In the security settings of each online account, you enable the "MFA" or "2FA" option called "Authenticator App" or "Google Authenticator".

  3. You scan the QR code the site shows with your new app, then type the code the app produces to confirm the pairing. Save the backup or recovery codes the site gives you at this point (your password manager is a good place); they are what gets you back in if you lose the phone.

After setup, the next time you sign in you will enter your password first (hopefully from a password manager now) and then be asked for the 6-digit code from your app (the code changes every 30 seconds).

My recommended apps for TOTP:

Aegis - Play Store Link

Raivo - Apple App Store Link

3) Useful Links

If you want to dig deeper into business security, CISA (the Cybersecurity and Infrastructure Security Agency) has some great information available.

Plain text URLs used in this email:

Photo by Philipp Katzenberger on Unsplash