Online security is a huge issue in this day and age. Hackers are constantly breaching accounts, stealing private information and leaving victims with little to no recourse to get their lives back on track.
Many organisations still treat account security as an afterthought, relying on traditional security measures like username and password as the primary defence for their users. While this was acceptable in a previous time, it’s no longer a viable way to protect user data.
Using Old Methods of Password Protection Is Not Enough
There are many ways cybercriminals are breaching online accounts and endangering the privacy of individuals and companies alike. You don’t want criminals stealing important data from your organisation. If a hacker gets hold of your account, they can do anything with it.
To begin with, you’d want to know the most common login security vulnerabilities:
- Default credentials: Accounts are either not set up with a unique password or have one created during the initial setup. This password is then stored in the system and accessed by multiple users, making it easier to hack.
- Brute-force attacks: This method involves guessing a password through trial and error. Attackers can use existing software or create their own to run through every possible combination till they find the right one.
- Internal breaches: Hackers can get access to an account by targeting employees or getting them to voluntarily supply them with login details.
- Malware: Attackers can make use of malware to get hold of login details from an infected computer or mobile device.
- Social engineering attack: This attack involves criminals tricking a user into sharing personal information. As an example, they can create emails that appear to be from the help desk or the support team of the service provider asking for more details to troubleshoot a problem.
- Unpatched vulnerabilities: Computer systems may not be properly updated with security patches and new versions of software. This makes them vulnerable to attacks that can take advantage of these holes in the system.
- Weak passwords: Weak passwords are created by using simple combinations of words or numbers. Even without using sophisticated engines, some hackers can easily guess these passwords and find their way into the system.
NetSuite Login: Consequences of Neglecting Security
If you do not secure your account properly, it can have serious repercussions on your business. You could potentially lose information that is sensitive or confidential to your company, which could lead to massive financial and non-financial losses.
Moreover, breaches of security can also cost you money in legal fees from class-action suits filed by those whose accounts have been hacked.
And with NetSuite being a business system that processes sensitive data such as financial information, you would want to make sure it is protected from hackers and cyber- attacks.
When assessing your security measures, you should ask yourself if it is capable of withstanding a determined and skilled cyber attacker. If it can’t, then you might want to consider employing the use of NetSuite login best practices that will give you the edge over hackers and other online criminals.
Recommended Reading: 23 Things FinanSys Can Do For You
Best NetSuite Login Security Practices That Users Should Follow
To help you avoid becoming a victim of these hackers, we’re going to discuss some of the best practices for keeping your NetSuite account secure.
Password length and complexity
The first and obvious practice is to use only strong passwords.
For secure NetSuite login, the password setups available in NetSuite are the Password Policy, Minimum PW Length, PW Expiration in Days as well as the 3 security questions.
NetSuite admins can set strict security settings that force account users to maximise the complexity of their passwords.
The longer and more complex the passwords are, the harder it is to crack with brute force, as this would take longer than randomly guessing shorter passwords.
Using complex passwords is not only a good deterrent from hackers but it can also keep your employees safe from anybody who might have a motive to access their NetSuite account without their consent. This is especially important for remote workers.
Use Two-Factor Authentication (2FA)
2FA is an extra layer of security that verifies the user’s identity by using two different factors. It is a great backup plan in case your password is ever stolen.
By default, NetSuite will automatically add two-factor authentication to all accounts with the “Administrator” role and to accounts defined as “Highly Privileged.” These are roles that have a lot of access within NetSuite.
But you can add a 2FA protection to any role that you see fit. Simply go to Setup>Users/Roles>Two-Factor Authentication Roles.
Take advantage of NetSuite’s password hashing
Password hashing is a technique that converts passwords into unique strings of characters that can’t be reversed. These hashes are then stored in the database instead of the actual password.
NetSuite has password hashing capabilities, which you can take advantage of to add an extra layer of security to your NetSuite account.
It uses cryptographically strong password hashes that cannot be reversed.
This technique ensures passwords are both secured in the database and aren’t required to be present in plain text during the execution of each transaction.
The hashing method applied will depend on the server that is hosting your NetSuite application.
Enable IP restrictions
NetSuite administrators can restrict access to the NetSuite account by IP address. This will help protect your account from unauthorised access from unknown devices and from restricted locations. This can be done on a company-wide or employee basis.
You can enable this by going to Setup> Company > Enable Features. There is a checkbox underneath the “Access” header for activating IP address protection.
Once you’ve done this, go to Setup > Company > Company Information. On there, you’ll find a field called “Allowed IP Addresses” under “Time Zone.” And that’s what to use.
Secure your NetSuite integrations
NetSuite can integrate with other systems. While that is great for a number of reasons, not every third-party application is as secure as NetSuite.
By providing these applications with your NetSuite permission, you’re also providing them with access to your NetSuite account.
The best practice here is to limit and restrict this kind of access as much as possible, especially for applications that you don’t trust. Limit them to performing specific tasks in your NetSuite application such as only sending mail or creating documents. Avoid giving them unlimited access by including various data access rights.
Know your NetSuite users and their roles
When you first get started with NetSuite, it’s likely that only the admin will have access to the application and its features. But as you roll NetSuite out across your company and as your company grows or changes, so should your security settings.
For example, if a new team member is added to the company, they should only have access to the things that they need. If a team member leaves or changes job positions, their administrative privileges should be removed so that somebody else can’t easily gain access to the account and its data.
You can see a list of users and their roles in “Setup” under “Users/Roles>Manage Users.”
Here you can also modify permissions for specific users. This is only visible to users with the correct permissions.
Out of the box for customers on NetSuite SuiteSuccess Financials First, there are 8-13 predefined roles available to assign users to.
Activate account lockout
Account lockout limits the number of failed login attempts as well as password reset attempts. After the limit is reached, the account gets locked for a specified time that can range from minutes to days.
You should properly configure the password lockout settings in your NetSuite setup to help counter brute-force attacks. This reduces the chances of an attacker guessing your password or a similar combination through trial and error.
By default, a user will be locked out for 30 minutes if they fail to enter their passwords correctly for 6 consecutive attempts.
Use and protect password recovery questions
Apart from your username and password, there are two other things you should never share with anyone. These are important secrets that could be used to assist hackers in obtaining your password through social engineering:
- Your password recovery question
- Your password recovery answer
Both of these can be used by hackers to reset your password. You should also change your password recovery question and answer every three months.
The first time someone logs in to NetSuite, they are prompted to choose and then answer 3 security questions. These answers are used to reset passwords or to verify identity when logged in from a new browser/computer.
Only sign in from the official NetSuite.com login every time
Because NetSuite is a cloud-based application, you can access it from different devices. However, if you use an unofficial login page to log in to your account then it’s easier for hackers to gain entry into your account.
Never use a NetSuite login page other than the one that’s hosted on https://netsuite.com.
NetSuite Login: Conclusion
You’ve worked hard to build your business, so it’s important to take the necessary steps and precautions to protect yourself from hackers.
These NetSuite login best practices should help you stay secure while also making sure that if someone does manage to find a way into your account, they can’t do any lasting damage.
If you’re not currently using NetSuite or want an expert opinion on how these tips will work for your company, give us a call today!