If you are a board member responsible for IT, then data and user security will no doubt be on your agenda for 2020. A more robust sign-in process protects your users and reduces the risk of account compromise and data theft. Keeping on top of IT security is essential for every IT Director, but if you are not from a technical background, do you know where to start?
At BDO our team has extensive experience supporting IT decision makers to assess their requirements and deliver effective solutions. In this article we share what we know about MFA and the second Payment Services Directive (PSD2) in summary form, so that you can start planning your project.
What is PSD2?
The second EU Payment Services Directive (PSD2) has applied since January 2018, and its Strong Customer Authentication (SCA) requirements are now being enforced across the UK. PSD2 is designed to increase the security of electronic payments and reduce online fraud. Even if your business does not take online payments, the principles behind SCA can help to make your own data more secure.
Here’s what you need to know to ensure your business is ready.
What’s required and by when?
Multi-Factor Authentication, or MFA, is at the heart of PSD2. To comply, your company will need to update its online payment process so that a customer is authenticated with at least two independent factors from the following categories:
- Something you know (usually a password or PIN)
- Something you have (a device or token only the user possesses, such as a registered phone or a hardware key)
- Something you are (a biometric, such as a fingerprint)
This layered approach means that even if a user's password or card details are compromised, they are useless without the second factor. Independence matters: compromising one factor must not compromise the other, and a password plus a memorable word are both 'something you know', so together they count as only one factor. You will probably already be familiar with MFA, as many banks have implemented it ahead of the PSD2 deadline, calling it Strong Customer Authentication (SCA). Your business banking provider may supply you with a card reader or token for the 'something you have' element, or rely on your phone's fingerprint reader for the 'something you are' element.
For online banking, the UK changes must be completed by 14 March 2020. For online shopping, card issuers, payment firms and every business that takes online card payments have until March 2021 to implement the framework. If your team is not yet working towards compliance, it needs to start now.
How else can Multi-Factor Authentication help?
Beyond PSD2, in a world of remote working, cloud collaboration and an expanding digital estate, your company's data is at increasing risk from online attack. Whenever a password is the only authentication method, a single guessed, phished or reused password is enough for a breach. Locking an account after a few failed attempts only limits guessing through the login page; it does nothing once an attacker has obtained the password by other means and signs in looking like a legitimate user. And where there is a password, there is a password database. If that database is stolen, the attacker can test guesses offline at billions per second against fast hash functions, with no lockout in the way; even with a slow, salted hash, weak or reused passwords will be recovered given enough time.
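The offline attack described above, as an added example that is not part of the original article: a constructed "captured" password database of three accounts, stored the careful way (per-user random salt, PBKDF2-HMAC-SHA256), is run against a small constructed word list. No lockout policy applies because the attacker holds the data; the weak passwords fall regardless of how they were hashed, and only the random one survives. The account names, passwords and word list are all made up for the demonstration.

```python
"""Offline dictionary attack against a captured password database.

Added example, not from the original article. The user records, the
hashes and the candidate word list are all constructed here so the script
runs offline; no real credentials are involved.
"""
import hashlib
import os

# PBKDF2 iteration count kept low so the demo finishes in a second or two;
# production deployments use far more, which slows but does not stop the attack.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, slow hash: the storage format a careful developer would choose."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_database() -> dict:
    """Constructed 'captured database': two weak passwords and one random one."""
    plaintexts = {
        "alice": "Summer2020",          # common pattern: season + year
        "bob": "password",               # top of every word list
        "carol": "r8$Lq2!vZ0pW#d7K",     # 16 random characters
    }
    db = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)            # per-user salt, as recommended
        db[user] = {"salt": salt, "hash": hash_password(pw, salt)}
    return db


# Constructed attacker word list. Real ones hold hundreds of millions of
# entries harvested from previous breaches.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "Welcome1",
    "Summer2019", "Summer2020", "Winter2020", "Password1", "admin",
]


def crack(db: dict, wordlist: list) -> dict:
    """Return {user: recovered_password} for every record matched by a guess.

    Per-user salts force one PBKDF2 computation per (user, guess) pair, so the
    cost scales with users x guesses. Nothing here is rate-limited: the login
    page's lockout policy never sees these attempts.
    """
    recovered = {}
    for user, rec in db.items():
        for guess in wordlist:
            if hash_password(guess, rec["salt"]) == rec["hash"]:
                recovered[user] = guess
                break
    return recovered


if __name__ == "__main__":
    database = build_database()
    found = crack(database, WORDLIST)
    for user in database:
        print(f"{user}: {found.get(user, '<not in word list>')}")
```

Salting and a slow hash are still worth doing: they stop one computation from testing a guess against every user at once, and they turn seconds into days for a large word list. What they cannot do is rescue a password that is in the word list, which is why a second factor is the only control that makes the stolen database useless.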
That’s why you should consider implementing MFA for your cloud services and whenever an employee connects to a service over the internet. This could be as simple as:
- Entering a one-time password (OTP) sent by the server to a phone number or email address
- Inserting or swiping a card and entering a PIN
- Inserting or swiping a card and scanning a fingerprint
- Plugging in a USB hardware token that generates an OTP or answers a cryptographic challenge
Not all of these are equal. Codes sent by SMS or email can be intercepted through SIM swapping or a compromised mailbox and are easily phished, so an authenticator app or hardware token is the stronger choice wherever users can be given one.
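The OTP in the first option above is delivered out of band; an authenticator app or hardware token instead derives it locally from a shared secret and the clock (TOTP, RFC 6238), so nothing travels over SMS or email. The following is an added example, not code from the original article or from any vendor: both sides of the exchange, the code the device computes and the server-side check that accepts each code only once and tolerates one time step of clock skew. The secret is the RFC 6238 reference test secret, not a real one.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) with replay protection.

Added example, not from the original article or any vendor's code. The
shared secret below is the RFC 6238 test secret (constructed/test only).
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

SECRET = b"12345678901234567890"   # RFC 6238 reference secret, never use in production
STEP = 30                          # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = 6, step: int = STEP) -> str:
    """What the authenticator app shows: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server side: accepts a code once, within +/- `skew` time steps of its own clock."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = STEP, skew: int = 1):
        self.secret, self.digits, self.step, self.skew = secret, digits, step, skew
        self.last_counter = -1  # highest counter already consumed (replay guard)

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already used: a captured code must not work twice
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    device_code = totp(SECRET, time.time())       # what the user reads off the app
    server = TotpVerifier(SECRET)
    print("code:", device_code, "accepted:", server.verify(device_code))
    print("replayed:", server.verify(device_code))  # same code again is rejected
```

Two points a deployment needs beyond this sketch: a six-digit code leaves only a million possibilities, so the server must also rate-limit verification attempts, and the per-user secret must be generated randomly at enrolment and stored with the same care as a password hash.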
This additional layer of security is relatively straightforward to implement, and many applications come with it built in. For example, if your company uses Microsoft 365 Business or standalone Office 365 licences, you are already entitled to basic Azure AD multi-factor authentication as part of your subscription. Conditional access policies, which need an Azure AD Premium P1 licence (included in Microsoft 365 Business Premium), let you exclude specific accounts from MFA or skip it for sign-ins from a trusted network location. Use these exceptions sparingly: every excluded account is a single-password account again, so limit exclusions to a monitored break-glass account, and remember that trusting a network location means a device compromised inside that network also bypasses MFA.
Putting it all together
If you are the board member in charge of IT, you should explore the ways in which MFA can help keep your data secure, whether PSD2 affects your business or not. And if you take payments online, your team needs to implement the necessary measures by March 2021, or card issuers will start declining transactions that have not been authenticated. Also reconsider the services you use which only allow single-factor authentication. Are they mission-critical? What level of risk do they carry? Designate someone to revisit your digital security strategy and use this information to develop a framework for compliance and control. It is these elements that will help to protect your future business performance.
The BDO difference
Here at BDO, we understand the challenges that the non-technical board member faces when they become responsible for IT. Our Technology Advisory Service (TAS) team has an extensive hands-on track record of delivering strategic, operational and technical IT advisory services. We’ve developed our services with the non-technical board director in mind and we provide management and support services to suit each client’s needs.
Get in touch to find out more about our practical independent advice and IT support services.
You can discover more about our IT Support for business here.