If you’re a business owner, you really have your hands full every day with the minutiae of running your business: balancing your books, orders, employees, scheduling, inventory, servicing customers, payroll, taxes… well, you get the idea, as you’re living it every day.
But did you notice something missing from that abbreviated list of what consumes your time?
Security.
Security was missing from that list.
You might read that and think that I’m crazy, that you do take security into account, and that your office and systems are secure. Frequently, though, it isn’t part of the day-to-day operation of your business, which is why we see statistics like these:
In the first 6 months of 2019 alone, over 3,800 data breaches were reported, with over 4 billion records being exposed as a result. If you broke it down evenly, that would be over 20 million records stolen every single day this year.
Unfortunately, these stolen records can contain crucial information about ourselves, with the most prevalent being an email address, password combination and/or user credentials. When bad actors get ahold of these credential lists, they usually start a process known as “credential stuffing,” meaning they try to use these stolen credentials at pretty much every financial and social site available on the internet. You can pretty much be assured that some username & password combination you have used on the internet is on a list somewhere, being used as I type this.
More bad news: approximately 40% (conservatively) of all breaches targeted Small to Medium Businesses (SMBs). I’ll stop there, as I could fill this article with examples, but I’m sure you get the point: data is a target, whether you want it to be or not.
With this in mind, it’s integral that you take preemptive steps to protect your data and your customers’ data by strengthening the protections of the technology these attackers are attempting to exploit.
The absolute best thing you can do to protect yourself is to use Two-Factor Authentication (2FA) wherever you are able to do so. As its name indicates, 2FA is a second “piece of evidence”, or factor (in addition to your username and password), that you must provide in order to log in to a site. That second factor can be biometrics like a fingerprint, a cell phone that receives a short-lived SMS PIN code, or authentication software on your mobile device.
With that in mind, if you use remote access to connect to your office and systems (who doesn’t nowadays), and you are not set up with a Virtual Private Network (VPN) to connect, then you should absolutely be requiring 2FA on that remote login access. Absolutely. No exceptions. Ever.
You should also have 2FA on your office machine logins. Yes, inside the office as well, because like an onion, security has many layers. It might seem onerous to get a second code to log in everywhere, but that extra 30 seconds is nothing compared to the cost of having your office breached, your data stolen and your accounts drained.
2FA is a problem for those hackers, because if they attempt to log in to one of your accounts protected with 2FA, you’ve now increased the level of effort they have to exert exponentially, and they are going to move on to the next set of credentials.
Why are they going to move on? Because they are automating their attacks, they want to move with speed and scale, and with billions of credentials to cycle through, they are going to use the ones that don’t require 2FA, going for the ‘low hanging fruit’.
Using 2FA helps you protect the data behind your login, whether it’s at your office, your payroll service or your bank, as your password(s) are more than likely already compromised and available, even more so if you re-use a password across multiple sites. 2FA is just one measure among the myriad you can take. I started with this one as it is one of the simplest to implement and gives the ‘biggest bang for the buck.’
If you take away anything from this article, make it the following two nuggets of advice:
- Your credentials are already out there — it’s wise to accept that and move to point #2.
- You can protect yourself and your business by requiring Two-Factor Authentication (2FA) wherever you can, and if you’re entrusting a business with sensitive information and they don’t offer it, perhaps you should move to one that does.
Christopher Denton is a Principal Security Engineer with Intuit ProConnect. He’s been involved in all aspects of security for the last 20 years, with subject matter expertise in the areas of application security, network security, forensics, incident response, and threat modelling. He enjoys educating the industry about security issues and how to protect against them. Christopher led the team to secure the products and e-file system for Intuit’s tax professionals and contributes to the IRS Security Summit to better safeguard taxpayer data across our industry. He lives outside of Dallas, Texas with his wife and 2 cats, where he enjoys cycling, Denver Broncos football and obstacle course racing.
Security stock photo by Rawpixel.com/Shutterstock