Best Practice Guide for SME IT Part 1: People

by Rupert Davey
March 2020


This is a critical concept when it comes to your IT systems.

How can we be sure of a person’s identity?

Each person, each user of the IT systems, has an identity for one or more systems and herein is one of our first common problems: Each person has several identities as far as the IT systems are concerned and this is a problem if it's left unchecked.

Typically, a person, a user, is identified by the system using two things:

  1. Username
  2. Password

The system asks the user for their username, which anyone can know, guess or figure out. The system then asks the user to prove it's them by requesting something only they know: the password.

This is called user authentication and because the username is common knowledge, the password is the single factor of authentication.

Each person has a username, an identity, for each system! To access each system (their email, LinkedIn, Sage 50 Accounts, SAP, the wireless network) they use a different identity.

The first problem

If someone gets or guesses your password, they can access one of these systems, or maybe more if the user has reused their password.

Top tip: ask the user for something in addition to their password, a second method of authentication.

This extra step, an additional piece of authentication, is abbreviated to 2FA for two-factor authentication or MFA for multi-factor authentication. The difference is that Microsoft and others offer a choice of text messages, app codes or phone calls as the extra step; that choice is the "multi" part. A system that only offers text messages is the "two" part.

A while back I wrote an article on Multi Factor Authentication. This is well worth a read!

The real trick here is to put this extra authentication step not behind yet another password or PIN on your phone, but to link it to biometrics, for example Face ID on your Apple device. The bad guys then need your username, your password and your face to log in!

This extra method of authentication on your phone is something you have, plus something you are, your face!

You can manage your extra authentication using Microsoft Authenticator or Google Authenticator, and you can further reduce the number of attack and management points by taking our next top tip.

Top tip: Don’t be afraid to press ahead and engage your staff on this topic.

IT security matters. Lead from the top and set the example.

We often hear that senior people are so senior they don’t have any important data in their email, on their OneDrive for Business accounts, or on their laptops. That’s not the point. Once the bad guys have compromised that senior person’s identity, they can move laterally within the business as that person. Plus, they will have data in those locations that will be of value.

We also hear that staff don't want the company to have their phone numbers or to install an app on their personal phones. The Google and Microsoft authenticator apps can be used for your Facebook account too, and for your company Xero account. Oh, and your Amazon shopping account, your personal Dropbox account and a million other sites!

My final recommendation

Top Tip: wherever possible minimise the number of identities per person.

This is one for your IT people, but as a decision maker you can mandate it: do as much as possible with as little as possible, and consolidate your user accounts.

If you’re using a server and Office 365, a good first step is linking them using Microsoft ADConnect.

Instead of logging into my.ctm with a username and password, use your Microsoft Account.

Further reading