Can hardware security tokens protect small businesses from cyberattacks?
Although big enterprises such as Equifax and Sony are the most valuable targets for cyberattackers, small businesses make up a significant portion of the economy and face a significant threat too.
To protect them, government organizations such as the US Department of Homeland Security and the Australian Cyber Security Centre, and private entities such as Mastercard and IBM, provide free cybersecurity toolkits and resources, and all of them suggest using stronger passwords and basic security measures as a first step.
In fact, if experts are to be believed, a physical hardware security token, such as a USB/Bluetooth/NFC device running a security framework such as FIDO U2F, provides a strong front-line defense for small businesses.
The mechanics of the device are quite simple. The hardware security token is first registered to a particular account, say your email or your CRM (services and vendors that accept these tokens provide detailed instructions on the process), and that’s it.
The next time, you can log in by simply inserting the key into a USB port on your computer, or by using wireless technologies such as Bluetooth or NFC.
To be fair, this isn’t a recent innovation: many organizations have been using or exploring hardware security tokens for several years now. Adoption has been low thus far because support for such keys wasn’t very strong.
However, in light of all the cybersecurity challenges companies face today, things seem to be changing in favor of these hardware security tokens.
The level of security these keys offer is higher than that of the two-factor authentication that most service providers (social media accounts, banks, etc.) currently offer: calling or texting a six-digit code to the user’s registered mobile device.
Hardware security tokens are more secure than conventional two-factor authentication methods because, unlike your phone, which can be hacked, spoofed, or hijacked, the security token remains disconnected and offline.
These tokens got a lot of attention after Google announced, a few months ago, that its employees swear by the device and, as a result, have been able to better secure their business accounts.
Google is also one of the only major companies that allow (all) users to secure their accounts with such tokens. Others who have joined in recent times include Facebook, Salesforce, and PayPal.
More recently, Microsoft announced that it too will be making it possible to secure devices running the Windows 10 operating system via hardware security tokens.
If you look closely, the reason adoption and implementation are rising (now) is that one particular framework, FIDO, is gaining a lot of support.
The organization paving the way for this is the FIDO Alliance, and its members include the UK Government, banks such as Chase and Wells Fargo, and hardware companies such as Samsung, NEC, and Huawei.
At the Mobile World Congress 2019, Google committed to securing Android devices via hardware security keys as well. That’s a big step forward for the millions of smartphones and tablet devices that access corporate networks every day.
However, for small businesses, with most of Google’s services already accepting such keys and Windows 10 allowing them to secure their devices with hardware security tokens, protecting themselves against cyberattacks should be easy, and should become easier as more and more services jump on the bandwagon.