How password scrubbing can affect your business

Passwords have been the keys to the kingdom for over 50 years, protecting the most sensitive data an organization has. Yet despite their intrinsic value, they are one of the most overlooked forms of security. As the data shared by DataProt shows, more than 23 million people currently use “123456” to protect their accounts, with a somewhat surprising 90% of internet users worried that their password could be compromised.

These statistics should keep employers on their toes, especially since they point to 51% of users having the same passwords for work and personal accounts. The question is, where does the liability lie when a weak password leads to a security breach? Is it up to a single individual to take personal responsibility, or do we need to push companies to introduce stronger authentication methods? In my opinion the answer is: all of the above.

Why passwords are the weakest link

If we take into account that the average user has 100 passwords to remember, according to the data from this same study, it is not surprising that many suffer from “password overload”, especially given the large number of online services and applications they use, both work-related and personal. Add the requirement that passwords be complex, with characters and symbols, and the human brain starts looking for simpler shortcuts, which often results in bad practices when it comes to creating and managing passwords.

Really all it takes is for a single employee to experience a security breach in one of their accounts, and a cybercriminal could gain access to all the apps they use, including professional collaboration tools like Teams, Slack, and Outlook. This could result in a massive data breach, expensive ransom demands or fines, or a complete loss of customer trust, which can be difficult to win back. Its impact could be even more damaging if it happens to someone with a higher level of permissions than other employees. In that case, cybercriminals could make their way into the network almost unopposed, and create widespread damage.

When it comes to access to executive-level employee data, it’s especially important to take proactive steps to combat password theft and exposure. With so many attempted attacks looming over us, it is imperative to strengthen security protocols and take action steps, all of which can be implemented for immediate impact.

Eliminate dependency on passwords

Businesses should enact and enforce good cybersecurity practices. The best way to do this is to reduce the current reliance on passwords. This means that organizations must adopt other authentication methods to reduce the chances of a security breach. For example, combining multiple account protection solutions, such as two-factor authentication apps, with biometrics will reduce the chances of a successful attack while helping to improve your overall security posture.

Companies could also consider using single sign-on (SSO), which allows a user to authenticate to multiple, separate platforms through a single ID. This solution eliminates the need for several different passwords. There is an element of risk here, though; combining SSO with multi-factor authentication can add a second layer of protection.

Other ways to make an impact

Improving these practices doesn’t have to be complicated, but it does need to be implemented now to minimize the chances of a future attack. There are actions that can be taken to help businesses address the pervasive problem of weak passwords.

Implementing an account monitoring solution can help cover one of the most important premises: you can only protect what you can see. It is therefore important to have visibility of all the accounts that have been compromised by an attack. If not, how are you going to make improvements to prevent an attack from happening again? That’s why it’s imperative to review default account settings and turn on features like locking an account after a certain number of attempts. You don’t want an attacker to have unlimited time or an unlimited number of login attempts, which could allow them to break into your organization.

When asked about the impact of successful phishing attacks, 52% of security leaders said they had experienced a credential compromise. In light of this, what organizations should be asking is “How did my email security allow this phishing email?” and “Is it effective in blocking and preventing these carefully crafted emails?” If not, then you need to invest in technology that prevents malicious emails from reaching the mailbox in the first place. The second step is to find a solution that will prevent a user from entering their credentials on a phishing web page. These solutions exist; it’s just a matter of investment and adoption.

On the other hand, most of the time having a password is a mandatory requirement, so you cannot rely on other authentication methods alone. An evaluation must be done to decide if a password manager would be appropriate for an organization. Password managers have several benefits. They allow your employees to securely store credentials, generate unique passwords, and auto-fill fields on websites. This eliminates the dependency on remembering hundreds of passwords or writing them down for anyone to see.

In closing, it is essential to say that, in today’s digital landscape, an attack is inevitable. However, preventing it is possible with the right combination of security technologies and protocols. Simply put, steps must be taken now to keep your accounts secure. Since bad password practices and the resulting impact can damage a company’s reputation beyond repair, companies must treat this situation with the level of seriousness it demands.

Signed: Mario García, general manager of Check Point Software for Spain and Portugal

Deepak Gupta

Deepak Gupta is a technical writer with a 10-year track record in business, gaming, and technology journalism. He specializes in translating complex technical data into actionable insights for a global audience.
