The weakest link: Why security is everyone’s responsibility

For many of us, the internet is not just an intrinsic part of our lives, it’s integral to how we do business. It enables businesses to connect to global markets and complete transactions in minutes.  

As we take advantage of the opportunities the internet has to offer, online security becomes a priority. For Xero partners and customers, and anyone who operates online, this means being vigilant about keeping sensitive data and information secure from hackers and cybercriminals – just as you’d keep your home or your car safe by locking it.

Statistics from online security software vendor Norton show that 978 million people in 20 countries were affected by cybercrime in 2017. In New Zealand and Australia, one in four small businesses experienced a cyber attack or hacking attempt. It’s an unfortunate fact that the impact of cybercrime is a reality for all businesses. We continually remind all of our customers – small businesses, accountants and bookkeepers – to take precautions to keep their data safe from hackers.

As the head of security at Xero, I see security threats from cyber attacks and hacking almost daily. Our security teams identify patterns of malicious activity and take the appropriate steps to notify users and guide them through safeguarding their accounts. Protecting our platform against cyber attacks is a top priority, and we partner with leading security vendors to ensure our systems are as robust as possible.

However, a system is only as good as the weakest link in the chain. Security needs to be strong on all fronts and it’s important that our small businesses and advisors are committed to protecting themselves and their customers from attacks. As a business, it’s your responsibility to safeguard not only your own information but, more importantly, the sensitive data that your customers and employees have entrusted you with. By keeping informed about cybersecurity and instilling the importance of security practices throughout your business, together we can build a stronger, more secure online community.

Here are some simple, easy-to-implement steps that will help you better protect your information and that of your clients online.

Have strong, unique passwords

I cannot stress the importance of strong passwords enough. Over 80% of breaches occur due to stolen or weak passwords. Always use a strong, unique password for each site you log in to. While this may seem extreme, particularly in an age of multiple logins, different passwords will help prevent a compromise of one login becoming a compromise of many. You can use password manager software to help you manage your multiple logins, and to generate strong passwords for you. Password manager software securely stores all of your usernames and passwords, on your desktop or in the cloud, so you just need to remember the password for your password manager. We also advise that you clearly communicate the importance of good password practices to your staff, in particular that sharing passwords and reusing personal passwords (e.g., for social media sites) is not acceptable.

Use two-step authentication

2SA or two-step authentication equates to having that extra deadbolt on the door. 2SA works by having two layers of security: first you enter your existing password, then another verification code is generated by an app on your smart device. Having 2SA enabled for your Xero account significantly reduces the risk of account takeover, because stealing your password isn’t enough to get access.

Xero’s 2SA allows you to select a “Remember me for 30 days” checkbox when using a device you’ll repeatedly use to access Xero. With this option enabled, you only have to enter the authentication code from your app on that device once every 30 days.

We’re also making it easier to access Xero if you lose your smart device and don’t have the authentication code. You can specify an alternate email address when you set up 2SA to provide a fallback option if your authenticator app isn’t available. You’ll be able to recover access to your Xero account by having a single-use authentication code sent to your alternate email address.

2SA (or 2FA, MFA or 2SV) is also important for your email account, which is generally how you reset the passwords for your online services. A compromised email account can also result in invoice fraud, with invoices sent and received by email being maliciously updated with fraudulent payment account details.  

Visit Xero Central for more information about 2SA in Xero.

Update your software

Security threats are changing all the time and new software vulnerabilities are identified every day. Keeping your operating system and applications up to date is your first line of defence. Many attacks, such as last year’s WannaCry ransomware, exploit a known software vulnerability that could have been patched. Set your system preferences to update automatically and delete applications you don’t use.

Having up-to-date anti-malware (anti-virus software) is another simple but effective way to protect yourself. Anti-malware will scan your attachments and downloads as you use them and alert you to any malicious software detected. Make sure your anti-malware is updated regularly so it’s able to detect new viruses, trojans, ransomware, and the like.

Back up your local data

Xero, like most cloud services, ensures your data is backed up and available at all times. But most businesses and individuals have data stored locally on their devices too. It’s important that you also back up this data to make sure it remains available when you need it.

While computer hardware is pretty reliable these days, failures still happen. Then there are malicious acts such as theft and ransomware, and accidents and disasters that can prevent access to your data. You need to store copies of your backups at a different site from the source systems so a local disaster doesn’t destroy the backups along with the original data. Cloud backup services can address this need and make your data available from anywhere with an internet connection.

How often you back up your data will depend on its value and how frequently it changes. Norton’s 2017 SMB Cyber Security Survey found that more than a third of Australian business operators believed they wouldn’t last a week without access to their critical business data.

Security is of the utmost importance for Xero and like every other online business we have to be constantly vigilant about phishing attacks and account takeovers. We’re all responsible for using security procedures and continually investing in online security. As an online community we need to work together to make sure we’re all protecting one another and keeping our data safe from cyber criminals.

For more information visit Xero’s security page, get updates on the latest security issues on Xero’s security noticeboard or forward suspicious, Xero branded emails to

The post The weakest link: Why security is everyone’s responsibility appeared first on Xero Blog.