For a business, recognising the value of a password can mean the difference between safeguarding information that is critical to both your business and your customers, and risking your bottom line.
2016 has been unprecedented in the frequency, volume and scale of data breaches across the globe. The trouble is that the same was said this time last year, and the year before that.
The economy of a hacker is based on low cost, low effort and high reward. Growing data-breach fatigue among both businesses and consumers has turned the internet into a goldmine of passwords that are re-used across multiple online accounts and can quickly unlock many aspects of a user’s life, including work.
Whether it comes down to memory or laziness, it’s easy to revert to an old password – we’ve all done it.
Consider three of this year’s high-profile breaches. Each placed a corporation and its customers at risk, and each offers a cautionary tale in password management:
Earlier this year, LinkedIn confirmed that 167 million account credentials were stolen in a data breach dating back to 2012.
Even more worrying is that 117 million of these email addresses and hashed passwords were put up for sale on the black market, and because LinkedIn had stored the passwords as unsalted SHA-1 hashes, the bulk of them were cracked within days.
For LinkedIn, the lesson is in how it stored its password database: a fast, unsalted hash is little better than plaintext once the database leaks, since one precomputed lookup table cracks every user who chose a common password. For other businesses, the lesson is in managing password re-use among employees.
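The following is an added example, not LinkedIn’s code or the article’s, showing why a leaked table of unsalted SHA-1 hashes is cracked at scale and what a random per-user salt plus a slow, memory-hard KDF (scrypt here) changes. The users, passwords and "leaked" table are constructed for the example.

```python
"""Unsalted fast hash vs salted slow KDF: a constructed demonstration.
Added example; not LinkedIn's code. All users and passwords are made up."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty", "111111"]

# Constructed "leaked" users. Three of four chose passwords from the wordlist.
USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "password",
    "dave": "Zk7#wq-plover-Tango-41",  # random, not in any wordlist
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the way the 2012 LinkedIn dump was stored."""
    return hashlib.sha1(password.encode()).hexdigest()


def leaked_unsalted_table() -> dict:
    """What an attacker holds after the breach: user -> unsalted hash."""
    return {user: sha1_hex(pw) for user, pw in USERS.items()}


def build_lookup(wordlist) -> dict:
    """Precompute hash -> plaintext once; reusable against every unsalted dump."""
    return {sha1_hex(w): w for w in wordlist}


def crack_unsalted(leaked: dict, lookup: dict) -> dict:
    """Dictionary lookup: one hash per word, not per user, and users who share
    a password share a hash, so they fall together."""
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# --- the defence: random per-user salt and a deliberately slow KDF ----------
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB of memory per guess
MAXMEM = 64 * 1024 * 1024


def hash_salted(password: str) -> dict:
    """Store the salt next to the derived key; the salt need not be secret."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=MAXMEM, dklen=32)
    return {"salt": salt.hex(), "key": key.hex()}


def verify_salted(password: str, record: dict) -> bool:
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=MAXMEM, dklen=32)
    return hmac.compare_digest(key.hex(), record["key"])


def crack_salted(records: dict, wordlist) -> dict:
    """The same dictionary attack against salted records: the lookup table is
    useless and every (user, word) pair costs one full scrypt evaluation.
    Weak passwords are still recoverable, just at per-user cost."""
    found = {}
    for user, record in records.items():
        for word in wordlist:
            if verify_salted(word, record):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    leaked = leaked_unsalted_table()
    print("alice and carol share a hash:", leaked["alice"] == leaked["carol"])
    print("cracked (unsalted):", crack_unsalted(leaked, build_lookup(WORDLIST)))
    salted = {u: hash_salted(pw) for u, pw in USERS.items()}
    print("alice and carol records differ:",
          salted["alice"]["key"] != salted["carol"]["key"])
    print("cracked (salted, per-user cost):", crack_salted(salted, WORDLIST))
```

Note what salt and a slow KDF do and do not buy: they defeat precomputation and stop one crack from unlocking every user with the same password, but a password that is on the wordlist is still found, only more slowly. That is why the storage lesson and the re-use lesson go together.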
This LinkedIn breach has already allowed attackers to take over other accounts using the same stolen email addresses and passwords. Take for instance Mark Zuckerberg, whose Twitter and Pinterest accounts were hijacked using a password leaked from LinkedIn.
The catalyst for the Dropbox breach, which exposed around 68 million user credentials, was an employee who used the same password for a personal LinkedIn account and for access to Dropbox’s internal corporate network.
Attackers used that employee’s credentials, sourced from the 2012 LinkedIn breach, not only to get into the network but to steal the credentials of some 68 million Dropbox users. All it took was one re-used password to jeopardise millions of customer accounts.
The breach of 500 million Yahoo accounts has been named one of the largest cyber security breaches ever.
While a ‘state-sponsored actor’ has been blamed, this breach adds hundreds of millions more passwords to the pool already available to attackers, passwords that employees continue to re-use without a second thought.
Passwords are the first, and in some cases the only, line of defence a business has against a cyber attack. But for most of us, when we turn up for work every day we don’t leave our poor password practices at home; they follow us into the workplace.
To remember more than a handful of passwords is hard, so many of us fall into the trap of using the same combination of passwords at work as we do at home.
Alarming, yet unsurprising, is the finding that a third of us create stronger passwords for our personal accounts than for our work accounts. This may be news to us, but the attackers know the stats.
Now, most businesses aren’t Yahoo or Dropbox; they can’t take a hit like that and expect to survive. A data breach can cause irreparable harm, from lost income to lasting damage to brand reputation.
While educating employees about good cyber security practices and proper password hygiene is certainly a step forward, businesses need to get back-to-basics when it comes to security:
1. Change all passwords
Yes. Every single one. Unless you have a system in place that shows which credentials each employee uses where, you cannot be sure that none of them has appeared in a data breach. Treat this as a one-off reset after known exposure rather than a recurring schedule: forced periodic rotation tends to produce predictable variations (‘Summer2016!’ becomes ‘Autumn2016!’), whereas screening every new password against lists of already-breached passwords catches the actual problem.
Change every password for every computer, vendor account, router, server and cloud app: anything your business and employees connect to at work. Include the default credentials shipped with network gear and the service accounts nobody remembers owning.
2. Install a password manager
People like to take the easiest route possible. It’s what comes naturally to most, and particularly those who want to work as efficiently and free of interruption as possible.
A password manager lets employees use a different, randomly generated password for every account without disrupting their workflow, while giving the business oversight of which accounts exist and who holds access. A win-win, with one caveat: the master password and the second factor protecting the manager itself become the crown jewels and deserve the strongest protection you have.
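Steps 1 and 2 above come down to two checks: is a password already in the hands of attackers, and is each password unique and random? The following added example (not the article’s or LastPass’s code) implements both with the standard library. It screens a password against a breach corpus without the password, or even its full hash, leaving the client, using the k-anonymity range query that the Pwned Passwords service introduced after this article was written: only the first five hex characters of the SHA-1 hash are sent, and the match is made locally. The corpus, the fake server and the counts are constructed so the example runs offline; `fetch_range_live` shows the real query shape but is not called.

```python
"""Breach screening by k-anonymity range query, plus random password
generation. Added example, not the article's code; corpus is constructed."""
import hashlib
import secrets
import string
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for a breach corpus: password -> times seen in dumps.
CONSTRUCTED_CORPUS = {
    "password": 3730471,
    "123456": 23597311,
    "linkedin2012": 7,
    "Summer2016!": 42,
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Only the 5-char prefix leaves the client; ~2^20 hashes share each prefix."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Response format: one '<35-hex-suffix>:<count>' per line."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            out[suffix.upper()] = int(count)
    return out


def exposure_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus (0 = never seen)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


class FakeRangeServer:
    """Constructed server: serves the corpus in the real response format and
    records what the client sent, so we can confirm nothing sensitive left."""
    def __init__(self, corpus):
        self.by_prefix: Dict[str, Dict[str, int]] = {}
        for pw, count in corpus.items():
            p, s = split_hash(sha1_upper(pw))
            self.by_prefix.setdefault(p, {})[s] = count
        self.requests = []

    def fetch(self, prefix: str) -> str:
        self.requests.append(prefix)
        rows = dict(self.by_prefix.get(prefix, {}))
        rows["0" * 35] = 0  # padding row: a miss looks the same as a hit on the wire
        return "\r\n".join(f"{s}:{c}" for s, c in rows.items())


def fetch_range_live(prefix: str) -> str:
    """Real query (needs network): GET https://api.pwnedpasswords.com/range/<prefix>."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-screen-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def screen_new_password(password: str, fetch_range=None) -> bool:
    """Policy hook for a password-change form: reject anything seen in a breach."""
    return exposure_count(password, fetch_range or fetch_range_live) == 0


def random_password(length: int = 20) -> str:
    """What a password manager generates per account: CSPRNG, no reuse."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for pw in ["Summer2016!", random_password()]:
        verdict = "ok" if screen_new_password(pw, server.fetch) else "exposed"
        print(f"{pw!r}: {verdict}")
    print("what left the client:", server.requests)
```

The `requests` log is the check worth keeping: whatever service you screen against, confirm that the traffic carries only the hash prefix. A screening service that receives the whole password or whole hash is itself a place for credentials to leak from.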
3. Two-factor authentication – turn it on
Turning on two-factor authentication adds another layer of security by requiring a second factor, something you have (an authenticator app or a hardware token) or something you are, in addition to the password before access is granted. A stolen or re-used password on its own is then not enough.
It is critical that two-factor authentication is added to any service or tool that supports it, whether an internal system or third-party application. Prefer app-generated codes or hardware keys over SMS where you have the choice: codes sent by text message can be intercepted by an attacker who takes over the phone number.
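The ‘something you have’ factor behind authenticator apps is TOTP (RFC 6238): a secret shared at enrolment, a counter derived from the clock, and an HMAC truncated to six digits. The following is an added example, not the article’s or any vendor’s code, implementing it from the RFC with the standard library, including the drift window and constant-time comparison the server side needs. The key below is the RFC’s published test key, not a real secret; issuer and account names are placeholders.

```python
"""RFC 6238 TOTP from the standard library. Added example; not vendor code.
RFC_TEST_KEY is the RFC 4226/6238 test-vector key, not a real secret."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key: bytes, submitted: str, now: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server side: accept the current step and +/- `window` neighbours to
    tolerate clock drift; compare in constant time; reject malformed input."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), submitted)
               for d in range(-window, window + 1))


def enrol_secret(nbytes: int = 20) -> tuple:
    """Per-user secret from a CSPRNG; the base32 form is what goes in the QR code."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode().rstrip("=")


def b32_to_bytes(b32secret: str) -> bytes:
    """Inverse of enrolment encoding (re-adds the padding apps strip)."""
    return base64.b32decode(b32secret + "=" * (-len(b32secret) % 8))


def otpauth_uri(issuer: str, account: str, b32secret: str) -> str:
    """Provisioning URI understood by Google Authenticator-style apps."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    raw, b32 = enrol_secret()
    print(otpauth_uri("ExampleCorp", "alice@example.com", b32))
    now = time.time()
    code = totp(raw, now)
    print("current code:", code, "verifies:", verify_totp(raw, code, now))
    print("same code 90 s later:", verify_totp(raw, code, now + 90))
```

Two operational points the code makes visible: the shared secret is as sensitive as a password and must be stored accordingly on the server, and the drift window is a trade-off (each extra step widens the guessing surface), so pair it with rate limiting on failed attempts.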
While it is true that having a strong password policy is only one piece of a broader cyber security strategy, it is often the most ignored.
These are basic steps, but they will help ensure that your business is no longer a prime target for attackers, who will quickly redirect their energy towards easier victims. This is the economy of a hacker, after all.
Joe Siegrist is the vice president and general manager at LastPass.