No doubt you have come across this, sometimes called 2FA or MFA.  Basically, what it means is that when you log into an app or a website you have to authorise that log-in by doing something else, such as entering a 6-digit code sent by text to a mobile, or clicking on an app on your phone that will verify your identity.

So far so good.  And on the whole MFA is the way to go.  It is part of your Cyber-Security protocols as well as those of your provider.  But have you got these systems sufficiently tight?

Who has access to your accounts and where does that MFA go?  What happens when a team member leaves your employ?  Do you even know what apps and sites they have access to and the MFA they are using?

If you run a business, you will be aware that HMRC encourages everything to be done online.  VAT has already gone down the Making Tax Digital (MTD) route and Income Tax is set to follow.  But how do you link to the accounts?  If you use an app such as Xero, QuickBooks or Sage, your software will be connected, but you will need a Government Gateway and password, and, yes, you’ve guessed it: MFA.

A recent example is a company that uses Xero, where the VAT is done through MTD.  The in-house accountant set up the Government Gateway (GG) and used MFA.  The code was sent to his personal mobile.  The accountant is no longer with the firm and now the director is struggling to access the GG because they don’t have access to the mobile.  It is possible to get around this, but you have to ring HMRC and sit on the phone for however long it takes for them to answer (30 minutes+ is not unusual).  Added to that, the fact remains that the ex-employee continues to have access to the account and could do untold damage to the company.

HMRC is just one example.  How many other apps and sites a person has access to should be documented.

What this tells us is that Cyber-Security is crucial (we all know that), but even when it is implemented we must ensure we know who has access and avoid the use of personal mobiles for that MFA.  If that cannot be avoided, make sure you know who is using this method and have a documented (but secure) system.  We all know team members leave; sometimes they are dismissed, made redundant, become ill or die.  It is vital that you have a system in place to retrieve the information in the event a team member is no longer with you.

One possible option is a central tablet/phone if you are in the office, but of course many work from home now.  In that scenario either a work mobile should be issued or MFA should be set up with a code going to an e-mail address rather than a mobile number.  This is a bit slower, but secure systems are more important than a minute or two lost hither and thither.

I am sure if you have read to the end of this, your thoughts are “but this is such a pain”.  Yes, it is! But it is not half as bad as having to retrieve the information when the person concerned is not around, has sabotaged your data or has just made it impossible for you to access.