Passwords and people: Your secret weapons against cybercriminals
Passwords and people continue to be low-hanging fruit for both organizations and cybercriminals. According to Verizon’s 2021 Data Breach Investigations Report, 61% of breaches involved stolen credentials, and 85% involved a human element.
While many would argue that these statistics make humans and credentials the weakest cybersecurity link, practicing good password hygiene and empowering people to prevent cyber incidents could be the best defense against cybercriminals.
By implementing password hygiene standards and security awareness training into your cybersecurity strategy, employees can have the right tools to change these statistics and serve as another line of defense in your organization’s security stack.
Phishing simulations & training
It can be disastrous if your passwords get into the wrong hands, but keeping track of the credentials for all of your different online services can be a headache. If you’re looking for a convenient, affordable and secure solution to your password headaches, check out Forbes' guide to the best password managers on the market right now.
A people-first approach to password security
Even with the best security and tools, your password strategy is incomplete without the proper training to accompany it. However small the responsibility may be, everyone plays a role in keeping your organization and your clients’ data secure.
People can be a valuable asset to your organization’s security strategy when they’re adequately prepared to carry out their individual cybersecurity responsibilities. With cybersecurity awareness training becoming more accessible and digestible, IT and security admins have all the tools they need to carry out their role in the cyberdefense strategy.
Cybersecurity awareness training can get a bit more complex when factoring in the different job roles throughout the organization. A finance team will need to look out for fraudulent wire transfer requests, while the executive team will more likely be targeted by spear-phishing and BEC (business email compromise) attacks, and everyone in the organization should be able to identify a credential phishing attack.
What is good password hygiene?
Password hygiene is a set of guidelines and principles that, when implemented correctly, help keep your passwords protected from cybercriminals. More specifically, it is the practice of ensuring passwords are unique, difficult to guess and hard to crack with password-cracking tools. Good password hygiene best practices include setting complex passwords, using a unique password for each account and keeping personal passwords private.
There’s a lot to unpack when it comes to password hygiene. These guidelines sound simple in theory, but they can be difficult to implement without the assistance of a password manager. After all, how can you be expected to remember dozens of unique passwords, all with different complexity rules and expiration periods? The reality is you can’t — and neither can your employees.
Password managers such as LastPass or Dashlane take human error out of password hygiene. With the help of a password manager, your employees can generate and store complex, unique passwords — mitigating the risk of credential reuse and theft.
Good password hygiene also involves the use of multifactor authentication (MFA). There are several factors to the authentication process, with the password representing something you know. Adding a second factor would mean pairing the password with something only you have, such as a one-time passcode sent to your cell phone. That way, an attacker must have both the account holder’s password and one-time passcode in order to authenticate.
Multifactor authentication is something that’s becoming more common in commercial applications and has been the industry standard for several years now.
Why does it matter?
Passwords used to be a security solution, but now they’ve become a security risk. There are numerous instances where an organization is the victim of a cyber incident solely because an employee used the same password at work as they did for their streaming services at home.
Attackers are well aware of this, which is why we see the majority of breaches involve the theft or misuse of credentials. Some of the most famous data breaches in recent years originated from credential stuffing attacks, where the attacker simply uses previously stolen credentials from a separate, unrelated breach to gain access to systems and impersonate employees at their place of business.
ChatGPT training built for everyone
Passwords are the cornerstone of your defense against cyber incidents. If your passwords falter, your business’s security is as good as compromised. Without security controls, there’s no accountability for improving password hygiene.
Like most cybersecurity measures, the answer to “Why does it matter?” ultimately boils down to the decreased risk of a cyber incident. On a tight budget, it’s vital to address the low-hanging fruit of risk, and you’ll be hard-pressed to find a more impactful security measure than a strong password policy.
How good password hygiene protects your business
Good password hygiene protects your business in much the same way that any security control protects your business. It minimizes the risk of a cyber incident and saves your organization a great deal of time and money that come along with incident response.
In recent years, cybercriminals have pivoted away from targeting hardware and software vulnerabilities and have identified humans as the weakest link in the security stack. People take shortcuts when it comes to password management, such as changing one or two characters in their previously expired password or using the same password across multiple accounts. Human memory is just not as robust as a computer, which leads to serious security risks.
Good password hygiene addresses these risks by eliminating weak and reused passwords. With the help of a password manager, your organization’s security posture no longer relies upon the memory of your employees. When multifactor authentication is added on top of this, passwords and people can be relied upon as assets to your organization’s cybersecurity program.
How to get started
Getting started with password hygiene begins with drafting a policy. Much like how there are standards to password length and complexity, there must be standards around the storage and management of credentials. Start with selecting a password management software that meets your needs. Try not to sacrifice too much convenience for the sake of security — inconvenience is usually what leads to password reuse in the first place.
A good password manager should be easy to use and offer excellent encryption. Many solutions have browser plugins that allow for password autofill, strong password generators and cross-platform synchronization. Determine which features are most important to you, and then create your policy for your employees.
Once you’ve selected and implemented a password manager, enable multifactor authentication wherever possible. The most secure method of MFA is through the use of an authenticator app, which randomly generates a new one-time passcode every 30 seconds. Once that has been configured, drafting a good set of instructions should be your main priority. This could be their first time using multifactor authentication, so you’ll need to guide them through the process and why it’s essential.
Phishing simulations & training
Bottom line
The most important piece to this puzzle is proper education and training for your organization. You can implement all the policies you want, but if your employees can’t or don’t know how to follow them, they won’t. Once you’ve decided on a strong password policy and multifactor authentication, be sure to communicate it to the company in a way that they can understand.
While it may add some extra steps to their login process, the right password management tools can improve their experience — and your organization’s security posture.
Sources
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Passwords and people: Your secret weapons against cybercriminals
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization