Passwords and people: Your secret weapons against cybercriminals

February 20, 2022 by Jack Koziol for Forbes Advisor

Passwords and people remain the low-hanging fruit of security: the easiest targets for cybercriminals and, for organizations, the cheapest gaps to close. According to Verizon’s 2021 Data Breach Investigations Report, 61% of breaches involved stolen credentials, and 85% involved a human element.

While many would argue that these statistics make humans and credentials the weakest cybersecurity link, practicing good password hygiene and empowering people to prevent cyber incidents could be the best defense against cybercriminals.

By building password hygiene standards and security awareness training into your cybersecurity strategy, you give employees the tools to change these statistics and to serve as another line of defense in your organization’s security stack.

It can be disastrous if your passwords get into the wrong hands, but keeping track of the credentials for all of your different online services can be a headache. If you’re looking for a convenient, affordable and secure solution to your password headaches, check out Forbes’ guide to the best password managers on the market right now.

A people-first approach to password security

Even with the best security and tools, your password strategy is incomplete without the proper training to accompany it. However small the responsibility may be, everyone plays a role in keeping your organization and your clients’ data secure.

People can be a valuable asset to your organization’s security strategy when they’re adequately prepared to carry out their individual cybersecurity responsibilities. With cybersecurity awareness training becoming more accessible and digestible, IT and security admins have all the tools they need to carry out their role in the cyberdefense strategy.

Cybersecurity awareness training can get a bit more complex when factoring in the different job roles throughout the organization. A finance team will need to look out for fraudulent wire transfer requests, while the executive team will more likely be targeted by spear-phishing and BEC (business email compromise) attacks, and everyone in the organization should be able to identify a credential phishing attack.

What is good password hygiene?

Password hygiene is a set of guidelines and principles that, when implemented correctly, help keep your passwords out of the hands of cybercriminals. More specifically, it is the practice of ensuring passwords are unique, difficult to guess and hard to crack. Good password hygiene includes choosing long passwords, using a different password for every account and never sharing a password with anyone.

There’s a lot to unpack when it comes to password hygiene. These guidelines sound simple in theory, but they can be difficult to implement without the assistance of a password manager. After all, how can you be expected to remember dozens of unique passwords, all with different complexity rules and expiration periods? The reality is you can’t — and neither can your employees.

Password managers such as LastPass or Dashlane take the memory burden, and with it most of the human error, out of password hygiene. With the help of a password manager, your employees can generate and store long, unique passwords, which removes the main driver of credential reuse. One caveat: the vault is protected by a single master password, so that one must be long, unique and itself protected by multifactor authentication.

Good password hygiene also involves the use of multifactor authentication (MFA). Authentication factors fall into a few categories, with the password representing something you know. Adding a second factor pairs the password with something you have, such as a one-time passcode generated on your phone or sent to it by text message. That way, an attacker must hold both the account holder’s password and the second factor in order to authenticate. Not all second factors are equal, though: a one-time code, whether delivered by SMS or generated by an app, can still be captured by a phishing page that relays the login to the real site in real time, and SMS codes are additionally exposed to SIM swapping. Hardware security keys using FIDO2/WebAuthn bind the login to the site’s origin and resist that relay, which is why they are the strongest option where the application supports them.

Multifactor authentication is now common in consumer applications and has been standard practice in enterprise environments for several years.

Why does it matter?

Passwords used to be a security solution, but on their own they have become a security risk. There are numerous instances where an organization suffered a cyber incident because an employee reused their work password on a consumer service that was later breached.

Attackers are well aware of this, which is why most breaches involve the theft or misuse of credentials. Some of the most widely reported data breaches in recent years originated from credential stuffing attacks, where the attacker replays username and password pairs leaked in a separate, unrelated breach against other services, betting on reuse, and then uses any hits to log in as the employee at their place of business.
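Credential stuffing has a recognizable signature in authentication logs: one source tries many different usernames, usually once or twice each, and a few of them succeed. The detector below is an added example for this article, not code from the author or from any product named here; it runs over a constructed sample log (the line format is an assumption, chosen for the example) and flags sources that touched an unusual number of distinct accounts inside a short window. A single account hammered from one address is a different pattern (brute force or password spraying in reverse) and is deliberately not flagged here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an SSO/auth log (not real data). The format is an assumption:
# "<ISO timestamp> ip=<source> user=<account> result=<success|failure>"
SAMPLE_LOG = """\
2022-02-20T09:00:01Z ip=203.0.113.7 user=alice result=failure
2022-02-20T09:00:02Z ip=203.0.113.7 user=bob result=failure
2022-02-20T09:00:03Z ip=203.0.113.7 user=carol result=failure
2022-02-20T09:00:04Z ip=203.0.113.7 user=dave result=failure
2022-02-20T09:00:05Z ip=203.0.113.7 user=erin result=failure
2022-02-20T09:00:06Z ip=203.0.113.7 user=frank result=success
2022-02-20T09:01:00Z ip=198.51.100.9 user=alice result=failure
2022-02-20T09:01:20Z ip=198.51.100.9 user=alice result=failure
2022-02-20T09:01:40Z ip=198.51.100.9 user=alice result=success
2022-02-20T09:30:00Z ip=192.0.2.44 user=grace result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: {"distinct_users": n, "successes": [...]}} for every source that
    attempted logins against at least min_distinct_users accounts within `window`.
    The successes list is what incident response cares about: those accounts need
    a password reset and a session revocation, not just a blocked IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        peak = 0
        start = 0
        # Sliding window over this source's events (already time-ordered).
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u, _ in evs[start:end + 1]}))
        if peak >= min_distinct_users:
            findings[ip] = {
                "distinct_users": peak,
                "successes": sorted({u for _, u, r in evs if r == "success"}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, compromised: {info['successes']}")
```

On the sample, 203.0.113.7 is flagged (six accounts in six seconds, one success on frank), 198.51.100.9 is not (three attempts, all against alice), and the single clean login from 192.0.2.44 is ignored. In production the thresholds would be tuned per application, and the same logic can be keyed by user-agent or ASN when the attacker rotates addresses.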

Passwords remain the front door of your defense against cyber incidents. If they fail, your business’s security is as good as compromised. Without enforceable controls, such as length and breached-password checks, a password manager and multifactor authentication, exhortation alone produces no accountability for improving password hygiene.

Like most cybersecurity measures, the answer to “Why does it matter?” ultimately boils down to the decreased risk of a cyber incident. On a tight budget, it’s vital to address the low-hanging fruit of risk, and you’ll be hard-pressed to find a more impactful security measure than a strong password policy.

How good password hygiene protects your business

Good password hygiene protects your business in much the same way that any security control does: it lowers the likelihood of a cyber incident and, with it, the time and money that incident response consumes.

Cybercriminals have not stopped exploiting hardware and software vulnerabilities, but in recent years they have increasingly treated people as the easier way in. People take shortcuts when it comes to password management, such as changing one or two characters in their previously expired password or using the same password across multiple accounts. Human memory is simply not built to hold dozens of unique secrets, and the workarounds it produces create serious security risks.

Good password hygiene addresses these risks by eliminating weak and reused passwords. With the help of a password manager, your organization’s security posture no longer relies upon the memory of your employees. When multifactor authentication is added on top of this, passwords and people can be relied upon as assets to your organization’s cybersecurity program.
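The shortcuts described above (bumping a digit, appending a symbol, swapping letters for look-alikes, cycling back to an old favourite) are exactly what a password-change endpoint can refuse. The following is an added example, not code from the article’s author or any product it names: a policy check run at change time, when the user has just proved knowledge of the old password so its cleartext is briefly available for comparison. The breach blocklist is a constructed stand-in; in production you would check the candidate against a full corpus such as the Have I Been Pwned range API. The PBKDF2 parameters and the edit-distance threshold are assumptions chosen for the example.

```python
import hashlib
import os
import re

# Constructed stand-in for a breached-password corpus, keyed by SHA-1 as HIBP does.
BREACHED = {hashlib.sha1(p.encode()).hexdigest() for p in ("password", "Winter2022!", "letmein")}

# Common look-alike substitutions, undone before comparing.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def _pw_hash(pw, salt, rounds=100_000):
    """Salted PBKDF2-HMAC-SHA256 for the password history (example parameters)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def _levenshtein(a, b):
    """Classic edit distance; passwords are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(pw):
    """Collapse the usual rotation tricks: case, trailing digits/symbols, leetspeak."""
    s = pw.lower()
    s = re.sub(r"[0-9!@#$%^&*()_+=.,-]+$", "", s)
    return s.translate(LEET)


def is_trivial_variant(new_pw, old_pw, max_distance=2):
    """True when new_pw is old_pw with a digit bumped, a symbol appended, look-alike
    letters swapped, or at most max_distance characters changed."""
    if _normalize(new_pw) == _normalize(old_pw):
        return True
    return _levenshtein(new_pw.lower(), old_pw.lower()) <= max_distance


def evaluate_change(old_pw, new_pw, history, min_len=12):
    """Return the list of policy violations for a proposed change (empty means accepted).
    `history` holds (salt, hash) pairs for previous passwords; old_pw is the cleartext
    the user just supplied to authorise the change."""
    problems = []
    if len(new_pw) < min_len:
        problems.append("too short")
    if hashlib.sha1(new_pw.encode()).hexdigest() in BREACHED:
        problems.append("appears in breach corpus")
    if is_trivial_variant(new_pw, old_pw):
        problems.append("trivial variant of previous password")
    if any(_pw_hash(new_pw, salt) == h for salt, h in history):
        problems.append("reused from history")
    return problems


def record_password(pw, history):
    """Append a fresh salted hash of pw to the history list (never the cleartext)."""
    salt = os.urandom(16)
    history.append((salt, _pw_hash(pw, salt)))


if __name__ == "__main__":
    hist = []
    record_password("Summer2020!", hist)
    print(evaluate_change("Summer2020!", "Summer2021!", hist))   # digit bump, too short
    print(evaluate_change("Summer2020!", "correct horse battery staple", hist))  # accepted
```

Rejecting near-duplicates is what makes periodic rotation meaningful where it is still required; where it is not, current NIST guidance (SP 800-63B) prefers long passphrases plus a breach check over forced rotation altogether, and this check supports either policy.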

How to get started

Getting started with password hygiene begins with drafting a policy. Just as there are standards for password length and composition (current NIST guidance in SP 800-63B favors length and a breached-password check over forced complexity rules and scheduled expiry), there must be standards around the storage and management of credentials. Start by selecting password management software that meets your needs. Try not to sacrifice too much convenience for the sake of security; inconvenience is usually what leads to password reuse in the first place.

A good password manager should be easy to use and should encrypt the vault on the user’s device with a key derived from the master password, so that the vendor itself cannot read it. Many solutions offer browser plugins for password autofill, strong password generators and cross-platform synchronization. Determine which features matter most to you, and then write the policy your employees will follow.

Once you’ve selected and implemented a password manager, enable multifactor authentication wherever possible. A stronger choice than codes sent by SMS is an authenticator app, which derives a new one-time code from a shared secret and the current time every 30 seconds (TOTP, RFC 6238); the code is not random, and anyone holding the secret can compute it. Phishing-resistant hardware security keys (FIDO2/WebAuthn) are stronger still and should be preferred for administrators and executives. Once that has been configured, drafting a good set of instructions should be your main priority. This may be your employees’ first time using multifactor authentication, so you’ll need to guide them through the process and explain why it’s essential.

Bottom line

The most important piece to this puzzle is proper education and training for your organization. You can implement all the policies you want, but if your employees can’t or don’t know how to follow them, they won’t. Once you’ve decided on a strong password policy and multifactor authentication, be sure to communicate it to the company in a way that they can understand.

While it may add some extra steps to their login process, the right password management tools can improve their experience — and your organization’s security posture.


Jack Koziol is the former president and founder of Infosec, a leading security awareness and anti-phishing training provider. With years of private vulnerability and exploit development experience, he has trained members of the U.S. intelligence community, military and federal law enforcement agencies. His extensive experience also includes delivering security awareness and training for Fortune 500 companies including Microsoft, HP and Citibank. Jack is the lead author of The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. He also wrote Intrusion Detection with Snort, a best-selling security resource with top reviews from Linux Journal, Slashdot and Information Security Magazine. Jack has appeared in USA Today, CNN, MSNBC, First Business and other media outlets for his expert opinions on information security.