Why you should use a security key to secure your Google Workspace account.

Here is a question for all the small business owners out there! What is your most valuable business asset that is irreplaceable? The answer is your data, your emails, your documents and spreadsheets, videos and images. If these get destroyed by ransomware, hours of work has been lost. Or leaked on the public web, everyone can trawl through your businesses data and you have a major data breach and fine to tell the ICO.

The most common method for data to be destroyed or leaked is not by a cybercriminal hacking into your software or hardware; it is one of your team members getting tricked into sharing their login credentials.

The typical attack method to trick an employee into sharing their login details is through a fake email (phishing). The email will come from someone they know (who's already been hacked); the email will usually say a document has been shared with them and click to access the file. They will then get taking to a fake login page, which will look genuine to the untrained eye; they will enter their login details which get sent to the attacker. 

Digit based two-step verification will and won't protect you

To protect your team from these attacks described above, you must turn on two-step verification where ever you are allowed. With two step-verification, not only do you have to enter your username and password to access Google Workspace, but you also have to enter a random bit of information (typically a six-digit number, sent by text or shown on an app on your phone) generated at the time of login. 

The idea behind two-step verification is that even if the attacker knows your username and password, they won't know or be able to generate the six-digit number needed to verify they really are the person login in. However, it is also possible to trick someone into revealing the additional code required to access the account with social engineering or technical manipulation.

A security key is the best way to protect your business data

Since Google introduced security keys to protect Google Workspace accounts in 2018, there has not been a single reported instance of an account being compromised through phishing. 

When you use a security key after entering your username and password, you need to enter your key into your computers USB port and tap the key. This will then authenticate you and grant you access to your account. 

Unlike text or app-based 2 step verification, there is no code to enter. So it is not possible to manipulate someone into revealing the code needed to be entered, as they don't know the code - it is all in the security key and not exposed to anyone. 

The only way an attacker could break into the account would be to gain possession of the key. That will probably only happen if a nation-state is going to attack your business (then, you probably have more significant issues to worry about, such as employee kidnapping). 

A typically cyber-criminal wants an easy target that won't take much time to attack. If you issue and deploy security keys to your team to protect their Google Workspace accounts, you will have made your business hard, time-consuming and expensive to attack. It will be ignored by cyber-criminals who will find other companies with weaker security levels to attack.

Are you worried that your small business is not as secure as it should be?

Many IT firms will use dark web scan scams to scare you into more security than you need. At Kimbley IT, we belives a few simple tweaks here and there can significantly upgrade your security. So that your business becomes a right "pain in the arse" for a criminal that they go elsewhere to an easier target. Book a video call below to have a chat.