According to figures from the UK government, 39% of businesses have experienced a cyber security breach in the last year. The effects of a cyber attack can be devastating, posing not only a risk to your business, but also to your brand – and it’s set to grow as we operate in an increasingly online world.
The global impact of COVID-19 and its implications for businesses (such as remote working) has led to a rise in attacks. But the truth is, cyber criminals don’t generally target individuals or businesses – they target weaknesses.
At Xero, we have a responsibility to protect our customers’ data and help them keep their information safe. We don’t just tick the boxes when it comes to security – we go above and beyond to make sure Xero is the most trusted platform for small businesses.
That’s why we’ve introduced multi-factor authentication (MFA) for all Xero subscribers globally. There are some misconceptions about how MFA works, so here are six important things to know.
1. Why do I need MFA?
The more factors required to gain access to a system or account, the more secure it is. MFA means you have to present several pieces of evidence to gain access to a system. It requires at least two factors, and each needs to be different.
The first is something you know (such as a password or an answer to security questions) and the second is something you have (such as an app on a mobile device). Sophisticated hackers might be able to gain access to passwords and security questions, but it’s much harder for them to gain access to a device you physically have. That’s why MFA is so important.
2. I don’t use MFA on my other accounts, so why Xero?
Just as one easily guessed password can stop your business in its tracks, MFA is that extra lock on the door keeping you protected when it counts. MFA is already widely viewed as one of the most effective security measures available, so it’s likely you’ll start to see more of your accounts introduce it.
If an online thief steals your passwords, they could lock you out of your accounts – and that’s just the start. They could also read sensitive emails, delete your contacts, send unwanted or harmful messages, or take steps to change your bank account details. It’s a good idea to set up MFA on all your accounts, including email and social media.
3. What if I don’t have time to set it up?
Setting up MFA should only take five minutes and you just need to do it once. Think of it as a small investment in your business. To help streamline the process, we’ve created this handy set-up video to guide you through.
Xero Verify is free to download and is the only app that sends you a push notification for your Xero account. This is a pop-up notification that is sent to your mobile device. It confirms that it’s you who is trying to log in. You simply tap a button to approve or deny access. Push notifications mean you don’t have to enter a six-digit code, and it only takes a few seconds.
4. Why does the Xero Verify app keep generating codes?
This is to make sure you can always gain access to your Xero account. For example, if you are not in a wifi-enabled location or your wifi connection is bad, you will struggle to connect to any of your apps which could mean you don’t receive a push notification from your Xero Verify app. In this case, you can still access Xero using the six-digit code Xero Verify generates instead.
The reason this code updates to a new one every 30 seconds (before you enter it) is for security reasons. It means someone can’t access your account with an old code. This is another feature to help keep your account and data secure.
5. Do I have to use a smartphone?
We know small businesses have different processes and technology, and one size doesn’t always fit all. If you don’t use smartphones or would prefer not to, that’s not a problem. Using a smartphone will offer the most seamless process, but you can also use the Authy desktop authenticator.
You also have options about which authenticator you use. We developed the Xero Verify app, which is being used by hundreds of thousands of small businesses and accountants already, but you can choose to use a different authentication app if you’d prefer.
No matter which option you use, you’ll only need to download the app once.
6. What if I currently share my login details with someone else?
Sharing credentials can seem convenient, for example, when staff are on leave or in a job sharing situation. However, it can significantly increase your risk and remove accountability, which is why we strongly recommend against it.
It’s the first rule of security: Never share your passwords with anyone. Not even your boss, accountant or bookkeeper. No-one. With Xero, there are no limits on the number of users you can invite into an organisation or client file. We suggest inviting new users instead of sharing your login credentials. This keeps everyone secure.
For accountants and bookkeepers, these resources will help you keep your Xero account safe and manage clients for practice staff in Xero HQ. For small business customers, you can add a new user to your organisation so there’s an audit trail of access and data changes.
As always, our team is here to help make it as easy as possible for you to stay safe and secure. You can also take a look at our frequently asked questions for more details.