Despite the uncertainties businesses face, first posed by COVID and then by Brexit, organisations must not become complacent with their online security, especially their passwords. Recent attacks on British firms show there is a pressing need for strong identity access management and password controls.
Phishing and other social engineering attacks increased rapidly during 2020. The UK government’s HMRC, for example, said the number of reports it had received about phishing attacks had increased by a massive 73% in the first six months of the pandemic, with many of these attacks ‘Covid-themed’, playing on people’s fears and uncertainties. According to Digital Shadows, there are currently over 15 billion credentials for sale on the dark web, exposing accounts across public, private and social networks, and making it imperative that businesses follow basic steps to add rigour to their organisational security and password hygiene.
Below, we break down five key tips to improve business password security in a period of uncertainty.
1. Regularly audit your passwords
Passwords are now used everywhere. They are a simple way to gatekeep access to valuables so access is only possible to those who have the right to do so. However, just like a physical key, a password can be taken and used by someone without that right.
It is the business's role to ensure employees recognise the importance of using a unique, randomly generated password for every account. Providing formal staff training on password best practice is important to ensure passwords are strong and secure.
As such, it’s vital that employers regularly audit employee passwords to ensure they are strong and not found in dark web data breaches. Recalling passwords can often be viewed as a chore, which makes it more likely that employees will recycle or slightly alter existing ones to meet corporate policies.
2. Empower employees to change their passwords
A unique password for each site and account is important. This reduces the chance of multiple logins being compromised in the event of a breach.
As an employer, it is your responsibility to regularly monitor credentials and enforce password changes. Leading bodies such as the NCSC now recommend that the widely used ‘password expiration’ policies be scrapped in favour of a more proactive approach focused on real-time security monitoring of the network. Moving to this more rigorous, real-time approach reduces the chance of attackers monitoring systems and taking advantage of regular ‘scheduled’ password changes.
3. Multi-factor authentication
Multi-factor authentication has fast become a standard for managing access to organisational resources. As well as usernames and passwords, users have to confirm their identity using further forms of authentication.
This additional form of authentication adds another layer of security to your organisation and might take the form of a one-time code sent to your mobile, or biometric identification.
In the event of a breach, those leveraging stolen credentials will not be able to access your business's files without also having access to the further means of authentication.
4. Don’t make it personal
Employees should avoid using personal information when creating a password. It is natural to look for inspiration for a password in your everyday life, but this only increases the likelihood of hackers guessing your password.
The strongest passwords are a mix of letters, numbers and special characters with no relation to the user’s personal information. Businesses should request that all employees create strong, impersonal passwords as a way of bolstering their data security.
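An added example (not code from the original article) of the kind of audit tips 1 and 4 describe: a password is checked for minimum length, against a breach corpus using the SHA-1 prefix/suffix (k-anonymity) lookup scheme that breach-checking services use, and against the user's own profile data. The breach corpus and the user profile are constructed sample data, and `range_lookup` is a local stand-in for a remote range query so the code runs offline.

```python
import hashlib
import re

# Constructed sample breach corpus. A real audit would query a breach service
# by the first five hex characters of the SHA-1 hash and receive the matching
# suffixes; here the whole corpus is indexed in memory the same way.
BREACHED_PASSWORDS = ["Password123", "Summer2020!", "qwerty"]
BREACHED_BY_PREFIX = {}
for _pw in BREACHED_PASSWORDS:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACHED_BY_PREFIX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix):
    """Local stand-in for a k-anonymity range query: suffixes for one prefix."""
    return BREACHED_BY_PREFIX.get(prefix, set())


def is_breached(password):
    """True if the password's SHA-1 hash appears in the breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def contains_personal_info(password, profile):
    """True if any profile token of four or more characters is in the password."""
    lowered = password.lower()
    for value in profile.values():
        for token in re.split(r"[\s@._-]+", value.lower()):
            if len(token) >= 4 and token in lowered:
                return True
    return False


def audit_password(password, profile, min_length=12):
    """Return a list of findings; an empty list means the password passed."""
    findings = []
    if len(password) < min_length:
        findings.append("too short")
    if is_breached(password):
        findings.append("found in breach corpus")
    if contains_personal_info(password, profile):
        findings.append("contains personal information")
    return findings


if __name__ == "__main__":
    # Constructed sample employee profile.
    profile = {"name": "Alice Smith", "email": "alice.smith@example.com", "birth_year": "1985"}
    for candidate in ["Password123", "Alice1985!!xyz", "correct horse battery staple"]:
        print(candidate, "->", audit_password(candidate, profile) or "ok")
```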
5. Use a password manager
Business users just need to know the basics: that password security is the first line of defence against breaches. Strong passwords are great, but won’t help if the cyber criminal has already discovered that password.
Enterprises can use a password manager that automatically generates unique, high-strength, random passwords for sites and apps and stores them in a personal, encrypted digital vault that employees can access from any device, running any operating system. Without a password manager, employees will end up recycling passwords more often, and will forget certain passwords. A password manager is the protection you need to keep private information safe from cyber criminals.
Ensuring businesses remain secure when it comes to password security falls on the shoulders of both decision makers and each individual employee. However, without implementing the right habits for password security, businesses are leaving themselves exposed to breaches and intrusions.
Integrating a password management system into your cyber security systems, alongside implementing the steps outlined above, will go a considerable way towards preventing breaches.