For just about any kind of business, one of your most valuable assets is your data. Whether you manufacture physical goods or sell digital content, the data about your company is crucial to your survival.
From emails to accounting data, from business plans to blueprints, your digital data is the oil that keeps your gears spinning smoothly. If you lose that data to hackers, or if your data gets held captive by ransomware, your business will be at risk.
High-profile cases abound, from celebrities whose photos are stolen and shared online to political candidates whose emails are pilfered. And if someone gets into some of your accounts – such as your website or social media accounts – they can damage your company’s reputation. While there is no 100 percent foolproof way to protect your data, the one thing you need to do is use two-factor authentication to protect your accounts.
Why Startups Need Two Factors
In computer security, it is well known that one layer of security isn’t enough. Your accounts are protected by the combination of your user name and password, but many people use weak passwords (the most commonly used password is, regrettably, 123456).
Two-factor authentication (2FA), or, as it is sometimes called, two-step verification, ensures that when you sign into an account you are who you say you are. In addition to something you know — your password — you have to provide something you have, a second factor. That bit of information is generally a six-digit code that you receive by SMS or another method, and that generally expires if you don’t use it within a few minutes.
Many service providers offer 2FA in one form or another. You can use it to protect your email, your LinkedIn and Amazon accounts, your iCloud account, your Dropbox account, and more. And you need to protect all the accounts your business uses for social media: Twitter, Facebook, Instagram, and others.
When you go to log into an account where 2FA is active, you may receive a code by SMS, but SMS is inherently insecure. (It’s still better than nothing.) With some services, you can also use an “authenticator app,” which stores information about your account and generates a code on demand. These codes are generally valid for only thirty seconds, so they are far more secure. And with some accounts you can also use a hardware device such as a dongle that you plug into a computer, or a Bluetooth device.
It’s most important to protect those services you use to store your company’s data, and make sure that all your employees use 2FA. Here’s how you can set this up for the most common services you are likely to use.
Google and Gmail
If you use Gmail for your business’s email — and use Google’s other services, such as Google Docs, Google Drive, etc. — you can start setting up two-step verification on this page. Click Get Started and follow the instructions. You can choose to get login codes in two ways: using an authenticator app (Google Authenticator for iOS or Android, or Authy); some password managers, such as 1Password, also include this feature. You can also set up a backup method, such as SMS; you may need to use this if you don’t have your phone, or can’t run the authenticator app.
Since you don’t want to be locked out of your account, you can set up additional alternative methods of getting a login code. Google offers the ability to set up backup codes that you can print out and take with you, use Google prompt on your phone, or use a hardware security key.
Apple
Apple’s approach is different. Sign into your account on Apple’s Apple ID website. In the Security section, under Two-Factor Authentication, click Get Started. This walks you through the process, setting up a first trusted device, then showing you how to log into your iCloud account with other devices.
When you want to log into your account or set up a new device, you see a dialog on one or all of your trusted devices saying that someone wants to sign into your account from a certain location. (Sometimes those locations are incorrect, however, because your device may seem to be in the location of an ISP’s server that’s far from where you are.)
If you click or tap Allow, you see a dialog showing a six-digit code.
The problem with this is that if you do not have any of your Apple devices, it can be harder to get into your account. Say you’ve lost your phone and you’re in an airport; you’ll need to use a recovery key that you set on the Apple ID website. But you can, and should, also add trusted phone numbers for a friend or colleague, so they can get an SMS with a code to allow you to access your account.
Other accounts
Many other services let you set up 2FA. Here are links for the ones you’re most likely to use. Check with other service providers — such as your web hosting company, your domain registrar, your online accounting software provider, etc. — to see if they, too, offer two-factor authentication.
These days, any site or service should offer 2FA if you store important or sensitive data with them. This website contains a detailed database of sites and services that offer 2FA — and the ones that don’t — so you can easily check here for any other sites you use and follow links to turn on two-factor authentication.