As digital systems have become more powerful and critical in delivering our business processes, so too has the importance of their security. It can be easy to forget how much data is held within these systems, from business financial data and customer data, to employee information and other personal data. If commercially sensitive data is found in the wrong hands, it can impact on trust, confidence and future sales. A breach of personally identifiable information is even more serious as it can lead to fines issued by the ICO in the UK, or other national regulatory bodies.

In platforms used to run surveys, such as an all-employee staff survey or a 360-feedback survey, it is very common to hold personally identifiable information (PII) or other sensitive information, whether to enable personalised invitations, to support more insightful analysis, or simply because employees have named individuals in their responses. This is why protecting your survey data with appropriate security measures is more important than ever, and why SocialOptic provides Two-Factor Authentication (2FA) as a standard feature for all users of SurveyOptic, reducing the risk of unauthorised access even if login credentials are compromised. With 2FA, our customers benefit from an additional layer of security whenever they access their accounts.

What is two-factor authentication (2FA)?

Two-factor authentication (2FA) requires a user to provide an additional piece of information when logging in: a username and password, plus a second factor. For example, someone first logs in normally using their password, and is then ‘challenged’ to provide something else, the ‘second factor’. This ‘something else’ is an additional code or verification drawn from something the user has (or has access to), such as a text message, an email, or a device or app that generates a one-time code (for example an authenticator app on their mobile phone), or from something the user is, such as a biometric property like a fingerprint or face ID.
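The password-then-challenge sequence described above, worked through as an added example (illustration code written for this page, not SurveyOptic's implementation): the second factor is a time-based one-time code of the kind an authenticator app generates (RFC 6238 TOTP, built on RFC 4226 HOTP), and it is checked only after the password has been verified. The user record, the password and the base32 secret are constructed for the example; the secret is the RFC reference-vector key, used purely so that the codes are reproducible.

```python
"""Added example: password first, then a time-based one-time code (not SurveyOptic code)."""
import base64
import hashlib
import hmac
import os
import struct

# Constructed secret: the RFC 4226 / RFC 6238 reference-vector key, base32-encoded as an
# authenticator app would receive it from a provisioning QR code. A real deployment
# generates a fresh random secret per user and never reuses this one.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(now // step), digits)


def totp_from_b32(secret_b32: str, now: float) -> str:
    """What the user's phone app would display at time `now` for a base32 secret."""
    return totp(base64.b32decode(secret_b32), now)


def make_user(password: str, totp_secret_b32: str) -> dict:
    """User record: salted PBKDF2 password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": base64.b32decode(totp_secret_b32),
        "last_counter": -1,  # highest time step already accepted; blocks code replay
    }


def verify_password(user: dict, password: str) -> bool:
    """First factor: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(user: dict, code: str, now: float, step: int = 30, drift: int = 1) -> bool:
    """Second factor: accept the current step and +/- `drift` steps for clock skew,
    compare in constant time, and never accept a step at or below one already used."""
    submitted = code.strip().encode()
    current = int(now // step)
    for counter in range(current - drift, current + drift + 1):
        if counter <= user["last_counter"]:
            continue  # already consumed, or older than a consumed code: a replay
        if hmac.compare_digest(hotp(user["totp_secret"], counter).encode(), submitted):
            user["last_counter"] = counter
            return True
    return False


def login(user: dict, password: str, code: str, now: float) -> str:
    """The two-step flow from the text: the second factor is only checked once the
    password is right. Returns an internal result; the message shown to the user
    should stay generic so it does not confirm which factor was wrong."""
    if not verify_password(user, password):
        return "bad-password"
    if not verify_totp(user, code, now):
        return "bad-code"
    return "ok"


if __name__ == "__main__":
    alice = make_user("correct horse battery staple", RFC_TEST_SECRET_B32)
    code = totp_from_b32(RFC_TEST_SECRET_B32, 59)  # the app's code at Unix time 59
    print(login(alice, "correct horse battery staple", code, 59))  # ok
    print(login(alice, "correct horse battery staple", code, 70))  # bad-code: replayed
```

Two details matter in practice: the small drift window tolerates a phone clock that is slightly off without widening the guessing space much, and recording the last accepted time step means a code that was intercepted (over the shoulder, or via a phishing page) cannot be submitted a second time, even within its 30-second validity.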

Hackers usually gain unauthorised access to accounts by obtaining someone’s username and password. There are many ways they can do this, from straightforward methods like guessing a password or buying it from someone else who already has it, to more technical methods such as man-in-the-middle attacks, brute-force attacks and password spraying. Requiring two separate pieces of information makes it more difficult for someone to gain unauthorised access to the system.

Two-factor authentication is widely used and is a requirement of most security policies. You may have encountered it when using online banking or banking apps, office applications, or social media platforms. Two-factor authentication strikes an excellent balance between security and ease of use, and is a simple way to make user accounts more secure, which is why it is a requirement for every system in use by an organisation wanting to meet the Cyber Essentials security standard.

Why aren’t passwords enough?

Passwords are the most common method of account security. However, passwords are vulnerable to many human and real-world weaknesses, and don’t guarantee that only the intended person is able to log in: anyone who has the username and password can log in. Some of these weaknesses include:

  • People selecting easy-to-guess passwords like ‘123456’ and ‘password’. Here are some of the most commonly used passwords. Easy-to-guess passwords are more common than you might think: according to one study, 59% of Americans use their name or birthdate in their password.
  • People writing down their passwords in order to remember them, leaving the passwords vulnerable to theft.
  • Passwords seen over the shoulder, for example in a public place or through a window.
  • Interception through man-in-the-middle attacks, and cracking through brute-force attacks.
  • Social engineering – criminals using carefully engineered social situations and pressure to trick users into handing over their passwords. Or sometimes users simply giving away their password in exchange for chocolate.

Many systems use an email address as the way for a user to reclaim access to their account if they have forgotten their password. Sadly, one of the most common security breaches involves a hacker getting access to your email account. Once they have done this, they can issue password resets for all of the systems that you use, giving them full access. 2FA prevents this, as they would also need access to your 2FA token before they could gain access to your accounts. It is a simple, but powerful, extra protection.

What are the risks of not protecting data?

The risks of not protecting your data can be broad and far-reaching, impacting both you as a business or organisation and the individuals whose data you have breached (more information can be found in this guide from the ICO). The commercial risks, such as loss of business, loss of reputation, or loss of intellectual property, can have a serious impact on a business, sometimes even forcing it to close down.

Then there are the consequences of failing to uphold data privacy law. In the UK the ICO (Information Commissioner’s Office) enforces data privacy law and has the power to issue substantial fines. Fines are determined on a case-by-case basis but can reach up to £8.7 million or 2% of your global turnover for failure to notify the ICO of a breach when required to do so. This ceiling is raised to £17.5 million or 4% of your annual worldwide turnover for serious breaches of the data protection principles. So between this and the risk of personal and business damages, protecting your data is certainly worth the investment. Cutting corners on cheaper, less secure platforms, or cutting out user training and audits, is a very false economy.

The take-home

2FA is easy to implement and is the most effective step you can take to secure your sensitive data. Without 2FA, your data is vulnerable to attack, exploitation, or loss. Fortunately, the SurveyOptic platform includes 2FA as standard for all customers, giving peace of mind that personally identifiable data and other business-critical data is safe.
