As password protection is as dominant a subject as ever in the cybersecurity space, we asked industry experts how they would advise staying secure in a password-driven society, particularly as COVID-19 has meant a spike in cyberattacks.
Passwords: so simple, yet so effective. They have been regularly used for so many years that it’s hard to imagine an alternative for them. And it’s only more recently that technologies like fingerprint ID have even created an alternative.
Although there is a very strong temptation to use the same password for everything – all while writing it down in a ‘safe’ place – it is important to remember passwords are only as strong as you make them.
We asked technology experts to gather their thoughts and advice on business best practice of the commonly misused tools.
Some sound advice
Passwords are often associated with inconvenience – and for good reason. Employees and consumers alike are overwhelmed by the thought of remembering login details for 100-200 websites and making them difficult for bad actors to guess. “It’s important to look at the practical solutions to this impractical problem, accelerated by more and more aspects of our lives going online,” said Jay Ryerse, VP of Cybersecurity Initiatives at ConnectWise.
Ryerse continued: “To ensure your personal and work-related accounts, as well as the sensitive data residing within them, remain secure:
- Use a password manager – but do your research. Some have been breached in the past and you want to make sure your choice is reliable, safe and up to date
- Use a different, complex password for every website. This reduces your risk of credential stuffing attacks, where hackers take login details harvested from breached websites to log into users’ accounts on other unaffected sites. A password manager makes this process much easier as it will create lengthy, unique passwords for each site
- Remember that the longer the password, the longer it takes for digital adversaries to crack it, thus deterring successful brute force attacks
- Avoid overused practices like adding an exclamation point at the end, including phrases associated with family or pets, or using incremental numbers. Hackers use these well-known patterns to guess your password and you’ll make their jobs easier
- Give only fake answers to security questions that would help you recover your password, so hackers cannot mine that information from snooping you online. One example would be your mother’s maiden name – with some social media searching, this would be easy to identify, so choose a made up name that only you would know
- Implement multifactor authentication wherever possible to create extra hurdles for cybercriminals
“There will always be varying degrees of account compromise,” said Ryerse. “If someone hacked my LinkedIn, they might post something embarrassing, but it’s easy to change the password and regain control. However, if they broke into my online bank account or used my credit card on Amazon to rack up charges, we’d be looking at significant damage. Wouldn’t it be better to prevent all of these incidents, though? Implementing these best practices across your online presence will do just that – and protect both you and your company on an ongoing basis.”
Keeping the public sector private
Although the mass migration to remote working has brought a handful of benefits, the cybersecurity landscape has never been more muddled. “The sudden increase in the number of remote workers has been accompanied by a spike in phishing scams and spam attacks as hackers ruthlessly use the COVID-19 crisis to their advantage,” said Sascha Giese, Head Geek at SolarWinds. “In the public sector – as in every sector – IT pros have to contend with keeping stressed IT systems functioning while working from home, and now this dramatic surge in cybersecurity threats as well.
“But in the face of such adversity, the simplest measures, such as password protection, can often prove the most effective. At times like this, remember passwords act as vital gatekeepers to the most sensitive data. Strengthening password habits such as regularly changing them and using two-factor authentication (2FA) makes it harder for hackers to gain access to data and information. For the public sector, 2FA is a very effective additional layer of security that requires not just a username and password, but also something completely unique to that user, whether it be a piece of information or a physical token. It’s based on the concept that only those users will gain access based on something they know (knowledge) and something they have (possession). Such a system makes it much more resistant to attack, and in our current times is reassuring for both system administrators and the public.”
Monitoring operations remotely
Ordinarily, it is important to remember how crucial it is to change and update passwords frequently, but especially in current circumstances. Steve Nice, Chief Security Technologist at Node4, said: “One of the biggest threats to IT security is ‘shadow IT’ – where the security team has limited or no visibility into the applications and tools employees are using. Many employees will be deploying remote collaboration tools independently of their organisation’s IT departments and these are not subject to the same due diligence and testing that would normally be undertaken. This means security, data sovereignty, compliance and retention are all outside of the organisation’s control.
“Once we all get back to working ‘normally’ in offices again, many of these collaboration applications will be forgotten and this poses new security problems. Many of these apps will not be updated again and will therefore be vulnerable for exploitation by hackers. On top of this, login credentials – which will likely include easy-to-guess passwords anyway – may get compromised and be utilised for other attacks, such as phishing.
“Three tips for your staff are: not to reuse passwords; have complex passwords; and enable multi-factor authentication whenever available. Beyond this, ensuring employees are still getting the basics right while working remotely is key. Password managers, for example, can limit the risk associated with dormant applications, so even if ‘shadow IT’ collaboration tools are being used and left, the credentials remain up-to-date.”
When passwords alone are not enough
For individuals seeking to protect their personal information and secure their online accounts, a strong password is a critical first line of defence. “But, if you are a commercial, nonprofit or government organisation, a password, regardless of how unique or how often it is updated, will barely scratch the IT security surface,” said Mihir Shah, CEO, Nexsan, a StorCentric company. “The only true protection for an organisation’s high value data is to aggressively lock it down using a hardened storage solution that has been engineered with the understanding that attempts at corruption or deletion can come from anyone, anywhere and at any time. The solution must be capable of recognising and rejecting every such attempt, regardless of whether it’s from a virus, ransomware, spyware, user mistakes, software error – or a new threat that hasn’t even been discovered yet.”
With developments in the situation around COVID-19 occurring daily, it is important for businesses – and their employees – to think about what steps they can take to best protect their important data and avoid any security crises that would make an already turbulent landscape worse. Utilising passwords is one way of doing this, but they are a tool that must be treated with respect and vigilance.