The Missing Link’s Chief Information Security Officer, Aaron Bailey, explores the imperative for organisations to employ, consider and enforce more effective credential management strategies. Here, he speaks about essential strategies to help avoid the impacts of a data breach, for example, financial loss, reputation damage, disrupted operations, and legal fallout.  


Last month, new Digital Shadows research revealed there are over 24 billion usernames and passwords that have been exposed on the internet. A staggering number of these are classified as easy to guess.  

The research shows that passwords such as “123456”, “qwerty” and the ever-creative “password” all feature in the top 50 most used passwords – 49 of which can be cracked in under a second by common tools used by cybercriminals. It’s no wonder that 20% of data breaches are initially caused by compromised credentials. 

As instances of breached credentials grow every day, and the threat landscape continues to get more sophisticated, it’s important for businesses to consider the precautions they’re taking to protect their precious data, and to do so fast. 

According to IBM, the global average cost of a data breach is $4.24 million. This eye-watering figure is rising every year. 

That said, no business is immune. Facebook is a great example. Despite being one of the largest ‘digital natives’ in the world, more than half a billion of Facebook’s users had their data breached and published just over a year ago. Concerningly, Facebook is also often leveraged as a trusted central authority to authenticate users for other services. 

It’s time for businesses to take notice of the very real threat data breaches pose to both individuals and businesses. You only need to take one look at haveibeenpwned, one of the largest online directories of breached credentials, to see the scale and frequency of their occurrence and appreciate the severe risks of online cyber-attacks.  
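As an added illustration of how a service can screen new passwords against the breach data the article refers to (example code, not from the article or The Missing Link): it rejects the top-of-list passwords named above and then checks the Pwned Passwords corpus using its k-anonymity range protocol, where only the first five hex characters of the SHA-1 are sent and the full hash never leaves the client. The range responses and hit counts below are constructed stand-ins; a real deployment would fetch `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS instead.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed deny-list: the three passwords the article names from the top-50 list.
COMMON_PASSWORDS = {"123456", "qwerty", "password"}

# Constructed stand-in for the Pwned Passwords range endpoint. The real service
# returns one "SUFFIX:COUNT" line per breached hash sharing the 5-char prefix.
# Counts and the second suffix here are made up for the example.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0D5D3F5A1B9ADC6A9AC2D1E2A7B3C4D5E6F:2\r\n",
    "A9993": "E364706816ABA3E25717850C26C9CD0D89D:42\r\n",
}


def constructed_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTPS GET; unknown prefixes get a filler line."""
    return FAKE_RANGE_RESPONSES.get(prefix, "F" * 35 + ":1\r\n")


def hibp_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex split into the 5-char prefix that is sent and the
    35-char suffix that is compared locally, so the hash is never disclosed."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 if never)."""
    prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def screen_password(password: str, fetch_range: Callable[[str], str]) -> Optional[str]:
    """Return a rejection reason, or None if the password passes both checks."""
    if password.lower() in COMMON_PASSWORDS:
        return "on common-password list"
    seen = breach_count(password, fetch_range)
    return f"seen {seen} times in breached credential dumps" if seen else None
```

The deny-list check runs first so that the most common passwords are rejected without any lookup, and a rejected password is reported with its breach count so the user understands why it is unsafe.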

So, how can your business avoid a future data breach? What are the best practices for credential management? And what does the future of passwords look like? 

A managed service provider can help. We’re equipped to help businesses implement MFA, get up to date with the ASD Essential 8, conduct a Compromise Assessment, prove what’s possible with our Red Team, or support your rollout of a Privileged Access Management policy, solution or managed service. 

Read on for more useful tips... 

Essential strategies for protecting your passwords 

Credentials are the keys to all doors – so it is vital that each door has a unique key, and that every door has extra reinforcement. These are the main ways businesses can secure their perimeter and ensure their end users’ identities are verified at each access attempt: 

Employ a Password Manager 

No, I’m not suggesting you add another person to your headcount! A password manager is a fantastic tool to help end users juggle the intimidating number of passwords they require to operate on the internet. They can help easily generate random, strong passwords for each site and store them, enhancing convenience by speeding up the login process.  

We use LastPass here at The Missing Link, but there are many other options available. 

Implement Multi-Factor Authentication (MFA)  

Both end users and IT/Security professionals love to hate MFA, but we can’t deny it provides a very important layer of security. In fact, the ASD Essential 8 specifies MFA as a primary mitigation strategy for small- and large-scale businesses to reduce the risk of being victims of cybersecurity breaches.  

Thankfully, MFA is already supported by most of the big software and service vendors today. Some products may require additional setup to integrate with your existing environments, but it is worth the peace of mind knowing that your environments and data are secure. 

Restrict admin privileges 

Another of the ASD’s Essential 8 strategies is administrative privilege management. Users who are given administrative access to your business’s network can modify security settings, as well as access or leak your sensitive data. For this reason, it’s vital that your organisational admin accounts don’t have web or email access, and that standard users with web/email access don’t hold any admin privileges. 

Consider biometrics 

Recently, innovative authentication methods like biometric credentials have become more secure and streamlined. The use of fingerprint or facial recognition has tangible security benefits over one-time passwords and multi-factor authentication, plus they’re much more convenient to use. 

Towards a passwordless future 

To challenge the status quo and push for the future, we need to get rid of passwords entirely. The next frontier of Identity and Access Management (IAM) is passwordless authentication. Passwordless authentication is by and large the most secure and reliable way of authenticating users, and its capabilities are advancing dramatically. 

But Rome wasn’t built in a day. Building a completely passwordless environment doesn’t happen overnight, and it doesn't solve all the challenges businesses are facing when it comes to breached credentials.  

Reach out today to explore the various cyber security services we offer to help mitigate your risk of a data breach.  

Author

Aaron Bailey

Chief Information Security Officer