Passwords are like underpants: Change them often or make them strong
Do you know how secure your remote users’ networks are? Hackers are waiting to take advantage of the weakest link.
It’s often said, yet not often followed: passwords are like underpants; they need to be changed often, or they need to be strong.
For years the standard approach in most organisations has been to enforce minimum password complexity and force regular password changes, and this is still the case in most of the organisations that we work with globally. However, there is no doubt that creating complex, strong passwords allows users to extend the interval between changes, or even dispense with the need to change passwords altogether.
In the age of the Internet of Things, enabling hyperconnected digital enterprises, there’s a new wave of mobility that’s been triggered by real business needs. And yet, the biggest inhibitor to the adoption of these amazing new technologies is cybersecurity.
Breaching an organisation is not often an easy feat. Cybercriminals therefore thrive on end-users being the weakest link in the cybersecurity chain, and they will always try to find the easiest way into a secure network. If it’s as simple as typing in 12345, password1, qwerty, starwars or letmein (the five most common passwords of 2016), then we’re not putting up much of a fight to protect our data.
People and processes are just as important as technology
As companies leverage cloud platforms and embrace BYOD, it is important to understand where critical data resides and which applications employees are using. One of the challenges of allowing employees to use their own smartphones and tablets is that they often come installed with productivity apps that may or may not be sanctioned by the organisation. These could include useful apps such as Evernote and LastPass, but which can potentially leak important notes or critical passwords that allow cybercriminals access to sensitive information. In this case, BYOD could take on a new meaning as ‘Bring Your Own Danger’, where mobile applications used to store confidential data may not have enterprise-grade security controls over them.
Password best practices
I find that many people are resistant to using strong passwords because they are concerned that they will forget them. There are so many accounts that need to be secured, so how do we remember the passwords to all of them? My advice is to use memory aids for different accounts, or a password manager, and to use a combination of letters (upper- and lower-case), numbers and symbols. Passwords should also be at least 12 to 16 characters long. That tribute to your childhood pet will have to happen elsewhere.
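The rules above (a 12-character minimum, mixed character classes, nothing from the common-password list, nothing based on a pet's name) are easy to turn into an automated check at the point where a password is set. The following is an added example, not code from the original article: it enforces exactly the article's rules, using the five 2016 passwords named above as a stand-in denylist (a real deployment would use a much larger breached-password list), and takes an optional, assumed `personal_terms` list so an organisation can reject passwords built from a user's own name or pet's name.

```python
import re

# Denylist seeded with the five most common passwords of 2016 named in the
# article. In production this would be a large breached-password corpus.
COMMON_PASSWORDS = {"12345", "password1", "qwerty", "starwars", "letmein"}

MIN_LENGTH = 12          # the article's lower bound
RECOMMENDED_LENGTH = 16  # the article's upper "at least" figure

# Character classes the article asks for: upper, lower, digit, symbol.
CHARACTER_CLASSES = {
    "no lower-case letter": re.compile(r"[a-z]"),
    "no upper-case letter": re.compile(r"[A-Z]"),
    "no digit": re.compile(r"[0-9]"),
    "no symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, personal_terms=None):
    """Return a list of policy violations; an empty list means acceptable.

    personal_terms is an assumed extension: strings such as the user's name
    or a pet's name that must not appear anywhere in the password.
    """
    problems = []

    # Denylist match is case-insensitive: "Password1" is no better than "password1".
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    for problem, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(problem)

    for term in personal_terms or []:
        if term and term.lower() in password.lower():
            problems.append("contains a personal term")
            break

    return problems


def meets_recommended_length(password):
    """True when the password reaches the article's 16-character figure."""
    return len(password) >= RECOMMENDED_LENGTH


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["letmein", "correcthorsebattery1!", "Tr0ub4dor&3Rain!Wires"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Rejecting on the denylist before any other rule matters: a common password that happens to satisfy the length and class rules is still a common password, and an attacker's wordlist does not care about complexity scoring.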
Safeguarding email
Business Email Compromise (BEC) attacks targeting (or mimicking) high-level executives are becoming increasingly successful. In these kinds of attacks, cybercriminals pose as someone of high seniority in the organisation, such as the CEO, and send an email requesting that an accounts-payable payment be sent to a bank account belonging to the attacker. These emails can be eerily convincing, which makes it all the more important to educate users on recognising spoofed emails and sticking to established payment processes.
It’s important to remember that keeping a clean, well-secured network, like other forms of hygiene, rests heavily on the formation of the right habits. While robust security tools are critical to safety, it’s equally important to encourage and incentivise good practices among your users, especially as they gain more control over their workspaces.