Despite the recent headline-grabbing proclamation from the man who created a ‘bible’ on password security that his advice was “wrong”, we are not giving up on passwords. They remain the most effective and user-friendly way for an individual or organisation to secure an account or service.
Words and letters that carry meaning are far easier to recall than numbers, which is why people frequently forget their PIN codes, for example. And whilst biometrics have a role to play, they remain device- and endpoint-centric, whereas passwords are device-agnostic.
The best approach to security is multi-layered – taking full advantage of the spectrum of tools and best practices available. And until every application and system has moved off the password path, it’s critically important that we manage them appropriately.
Beware of the ‘domino effect’
It’s unlikely that you’ll have missed hearing about some of the more recent security breaches. HBO, Bupa and Amazon – to name a few. What about the older breaches? Surely we’ve moved out of the danger zone as a result of those more historic incidents. Wrong. Dropbox was breached over five years ago and nearly 70 million accounts were impacted. That’s not a small number. But what’s even more interesting – and we’ve been warning companies about this for a while – is that this breach was apparently tied to a different, also very high-profile, breach.
The Dropbox employee whose password was exploited in the breach originally had his password exposed in the famous LinkedIn breach in 2016. This illustrates an interesting ‘chaining’ or ‘domino effect’ that data breaches can have across multiple organisations. This is just the tip of the iceberg. Who knows how long until we hear about the next breach in the chain? Unfortunately, this has been accepted as the status quo – three in five organisations expect to be breached in 2017, with 29 percent believing they won’t even know they were breached when it happens.
People are still not managing their password security policies properly – whether because of work or time pressures, or a lack of access to cybersecurity training. Poor password hygiene is seen as an area of great risk by as many as 25 percent of organisations.
For this reason, we have created a step-by-step guide for businesses to guide them through putting preventive measures in place to stop the ‘domino effect’ from taking hold.
- Say YES to regular updates
“Remind me tomorrow” is not an option you should continue to click, day after day, on that critical software update notification. Ignoring updates is something everyone has probably done. We all lead busy lives, with an abundance of emails and notifications clamouring for our attention daily. You may believe that you are too busy to wait for your phone or computer to reboot, and then, once it’s back up and running, to log back into your accounts. But software updates are not always there to give you shiny new features; often they fix flaws you can’t see that leave your information exposed. A weakness in the software you’re using is a weakness in your security.
- Take advantage of multi-factor authentication systems
Multi-factor authentication (MFA) is a security system that requires at least two methods of authentication to verify the user’s identity for a login or other transaction. It balances security with user convenience by combining something you have – like a mobile phone – with something you know – the name of your first pet or school teacher. Sites like Google and PayPal offer these services. The result is greater assurance that the right person is gaining access, and MFA is becoming an increasingly common security control. There is also the added option of verifying changes to high-risk user information through a phone call, text or email.
- Refresh passwords (and make them strong)
Everyone has multiple accounts, from email to bank accounts and social media, so it’s not unreasonable that most people end up using the same passwords across sites. Our research shows that as many as 65 percent of people do. This is alarming for obvious reasons, especially given how many hackers have turned their attention to actively exploiting the human vector. In addition to making sure your passwords are strong, you should update them periodically as well. Some sites recommend or even require that you change your password when they sense a security threat or when a breach has happened. Others rely strictly on your initiative. Implement your own good governance and refresh your passwords as often as practically possible to ensure you don’t fall foul of the domino effect.
- Always wear your security hat
People are an organisation’s biggest security threat. Social engineering and human error have been the cause of many major breaches. Always be aware of where you are on the Internet and take specific note of anything and anybody that asks you to ‘login’ or provide any ‘secrets’ or personal information. Look out for HTTPS-enabled websites in your browser’s address bar. If you don’t see a little lock next to the URL, be aware that the connection is not secure.
- Manage access and identity
Protecting identity is key: to the safety of our personal data, to the security of sensitive company data, and to the safety of sensitive data elsewhere in the organisation that may not even be linked to you. Understand who has access to what, what they’re doing with that access, and manage that access throughout each user’s lifecycle. Do this and you’ll be on your way to smarter, stronger and more proactive identity and access management, as well as a better overall IT security posture within your organisation.
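“Understand who has access to what and manage it across the user lifecycle” becomes concrete as a periodic access review. The following is an added example, not the article’s own code or any particular IAM product: it joins a constructed HR status feed with a constructed entitlement list and raises the findings a reviewer would act on: leavers who still hold access, accounts that logged in after their leaving date, dormant active accounts, and active holders of privileged entitlements to be re-certified. The user records, the 90-day dormancy threshold and the set of entitlements treated as privileged are all assumptions for the demo.

```python
from datetime import date

# Constructed sample identity data (not real users). Each record joins the HR
# status feed with the entitlements the account holds in downstream systems.
USERS = [
    {"id": "alice", "status": "active", "left_on": None,
     "last_login": date(2017, 9, 1), "entitlements": ["crm", "vpn"]},
    {"id": "bob", "status": "leaver", "left_on": date(2017, 6, 30),
     "last_login": date(2017, 7, 2), "entitlements": ["vpn", "payroll"]},
    {"id": "carol", "status": "active", "left_on": None,
     "last_login": date(2017, 1, 15), "entitlements": ["payroll", "crm", "finance-admin"]},
    {"id": "dave", "status": "active", "left_on": None,
     "last_login": date(2017, 9, 5), "entitlements": []},
]

# Assumed for the demo: entitlements whose holders must be re-certified each review.
PRIVILEGED_ENTITLEMENTS = {"payroll", "finance-admin"}


def review_access(users, as_of: date, dormant_after_days: int = 90) -> list[dict]:
    """Run the access review and return one finding per issue, each with the
    user id, a finding kind, and the detail a reviewer needs to act."""
    findings = []
    for u in users:
        held = set(u["entitlements"])
        if u["status"] == "leaver":
            if held:
                findings.append({"user": u["id"], "kind": "leaver_with_access",
                                 "detail": sorted(held)})
            if u["left_on"] and u["last_login"] and u["last_login"] > u["left_on"]:
                findings.append({"user": u["id"], "kind": "login_after_leaving",
                                 "detail": u["last_login"].isoformat()})
            continue
        # Active accounts: dormancy and privileged-access certification.
        if u["last_login"] is None or (as_of - u["last_login"]).days > dormant_after_days:
            findings.append({"user": u["id"], "kind": "dormant_account",
                             "detail": u["last_login"].isoformat() if u["last_login"] else None})
        privileged = held & PRIVILEGED_ENTITLEMENTS
        if privileged:
            findings.append({"user": u["id"], "kind": "certify_privileged",
                             "detail": sorted(privileged)})
    return findings


def findings_by_user(findings: list[dict]) -> dict[str, set[str]]:
    """Index the finding kinds per user, which is the shape a reviewer dashboard wants."""
    index: dict[str, set[str]] = {}
    for f in findings:
        index.setdefault(f["user"], set()).add(f["kind"])
    return index


if __name__ == "__main__":
    for f in review_access(USERS, as_of=date(2017, 9, 10)):
        print(f"{f['user']:8} {f['kind']:22} {f['detail']}")
```

The leaver checks are the ones that matter most for the domino effect: an account that stays live after someone has left is exactly the credential that a breach elsewhere can later unlock, with nobody watching its activity.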