How Poor Password Hygiene Could Unravel Your Business

Uploaded on 2022-11-28 in TECHNOLOGY--Resilience, FREE TO VIEW

Passwords have been the keys to the kingdom for over 50 years, guarding the most sensitive data an organisation has. Yet despite their intrinsic value, they are one of the most overlooked forms of security, with more than 23 million people using ‘123456’ to protect their accounts.

More alarming is the fact that this year, ‘password’ was the most used phrase in the UK, according to NordPass. It is no wonder then that 90% of internet users are worried about their password being hacked. 

These statistic should be keeping business owners up at night, especially because 51% of users have the same passwords for work and personal accounts. The question is, where does the blame lie when a weak password leads to a breach? Is it down to the individual to take personal responsibility, or do we need to apply pressure on companies to introduce more robust authentication methods? In my opinion, the answer is all the above.

Why Passwords Are The Weakest Link

The average person has 100 passwords to remember. It is no surprise that many suffer from “password overload” due to the sheer number of online services and applications they use, both work-related and personal. Add in the need to generate complex passwords with characters and symbols, and the human brain will seek the path of least resistance, which often results in poor password practices. 

All it takes is for a single employee to have one account hacked, and a threat actor could potentially access every application they use, including professional collaboration tools such as Teams, Slack and Outlook. This could result in the leak of customer data, costly ransom demands or fines, or a complete loss of customer trust that can be difficult to regain. 

The impact of a breach could be even more harmful if it happens to someone with a higher level of permissions than other employees. In that case, cybercriminals could maneuver their way into the network almost unchallenged and create widespread damage.

If you are in an executive role, then it is especially important that you take proactive steps to combat password theft and credential exposure. Here are some of the ways you can strengthen password security protocols, and the actional steps that can be implemented for an immediate impact.

Remove Reliance On Passwords

Executives need to enact and enforce good cybersecurity practices. The best way to do that is to reduce the reliance you have on passwords alone. This means organisations need to adopt other authentication methods to reduce the chances of becoming overwhelmed. For example, by combining multiple account protection solutions such as two factor authentication apps with biometrics, you will lower the chances of a successful attack while at the same time, helping to improve the overall security posture in your organisation.

Businesses could also consider using Single Sign-On (SSO), which allows a user to authenticate themselves on multiple, separate platforms via a single ID. This solution negates the need for several different passwords. There is an element of risk, but by combining SSO with multi-factor authentication you can add a second layer of protection.

Other Ways To Make An Impact

Improving your password hygiene does not have to be complicated, but it does need to be implemented now to minimise the chances of an attack. There are actions that can be taken to help companies address the widespread problem of insecure passwords: 

Implement an account monitoring solution:   You can only protect what you can see, so it’s important that you have visibility of all accounts that have been compromised by an attack. Otherwise, how are you going to make improvements to stop an attack from happening again? This is why you need to review the default account settings and turn on features like locking an account after certain attempts. You don’t want an attacker to have unlimited time or an unlimited number of login attempts, allowing them to force their way into your organisation.

Protect against phishing attacks:   When asked about the impact of successful phishing attacks, 52% of security leaders said that they had experienced credential compromise. In light of this, what organisations should be asking themselves is ‘how did my email security allow this phishing email through?’ ‘Is it effective at blocking and preventing these carefully crafted emails?’ If not, then you need to invest in technology that will stop malicious emails from reaching the mailbox in the first place. The second step is to look for a solution that prevents a user from inputting their credentials into a phishing website. These solutions exist, it’s just a matter of investment and adoption.

Use a password manager:   Sometimes having a password is a mandatory requirement, so you cannot rely on other authentication methods alone. Conduct an evaluation to decide if a password manager would be appropriate for your organisation. Password managers have several benefits. They allow your employees to securely store credentials, generate unique passwords and they can auto-complete fields on websites. This removes the reliance on remembering hundreds of passwords or writing them down for anyone to see. 

The Takeaway

In the current cyber landscape, an attack is inevitable. However, preventing an attack is possible with the right combination of technologies and security protocols.

Put simply, action must be taken now to keep your accounts safe. Given that poor password hygiene and the resulting impact can damage an organisation’s reputation beyond repair, companies need to treat this situation with the level of seriousness it demands.

Muhammad Yahya Patel is a Security Engineer and member of the Office of the CTO at Check Point

You Might Also Read:

The Reality Check For Small & Medium Businesses:

 

« Guilty: A Criminal Conviction For One CISO Has Consequence For Others
Privileged & Protected - Managing Access At The Endpoint »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ISTQB

ISTQB

ISTQB has defined the "ISTQB Certified Tester" scheme that has become the world-wide leader in the certification of competences in software testing.

Apicrypt

Apicrypt

Apicrypt enables secure communications between health professionals by using strong encryption technologies.

Verint Systems

Verint Systems

Verint is a leader in CX automation. The world’s most iconic brands rely on our open platform and team of AI-powered bots to create tangible AI business outcomes, now.

Networkers

Networkers

Networkers is a global recruitment consultancy helping unite job-seekers and hiring companies across the technology industry.

Ingalls Information Security

Ingalls Information Security

Ingalls Information Security provides network security, monitoring and forensics.

Slovak National Accreditation Service (SNAS)

Slovak National Accreditation Service (SNAS)

SNAS is the national accreditation body for Slovakia. The directory of members provides details of organisations offering certification services for ISO 27001.

Orca Security

Orca Security

Orca Security delivers full stack visibility including prioritized alerts to vulnerabilities, compromises, misconfigurations, and more across your entire inventory on all your cloud accounts.

Liongard

Liongard

Liongard automates the management and protection of modern IT environments at scale for IT MSPs - Managed Service Providers and Enterprise IT Operations.

Sovereign Intelligence

Sovereign Intelligence

Sovereign Intelligence provides automated insight into the relative intensity of hidden Cyber, Brand, and Financial Risks to your company.

Navixia

Navixia

As a leading Swiss IT security specialist, Navixia offers a global and pragmatic approach to information security.

TechDemocracy

TechDemocracy

TechDemocracy are a trusted, global cyber risk assurance solutions provider whose DNA is rooted in cyber advisory, managed and implementation services.

North East Business Resilience Centre (NEBRC)

North East Business Resilience Centre (NEBRC)

The North East Business Resilience Centre is a non-profit organisation here to support businesses in the North East of England in protecting themselves from cyber crimes and fraud.

TWC IT Solutions

TWC IT Solutions

Since 2011, TWC IT Solutions has offered managed IT Support, Cybersecurity, Disaster Recovery, Contact Centre and Business Connectivity services to clients across 24 countries globally.

Opora

Opora

Opora is the leading cybersecurity provider of adversary behavior analytics “ABA” and preemptive security solutions.

Josef Ressel Centre for Intelligent & Secure Industrial Automation

Josef Ressel Centre for Intelligent & Secure Industrial Automation

The Josef Ressel Centre for Intelligent and Secure Industrial Automation investigates the fundamentals of digital assistants for industrial machines that enable intelligent and secure operation.

NopalCyber

NopalCyber

NopalCyber makes cybersecurity manageable, affordable, reliable, and powerful for companies that need to be resilient and compliant.