Photo by NeONBRAND on Unsplash
Estimated Reading Time: 5 Minutes
SMEs and Startups are now the most common targets for Cyber Criminals, and the main reason for that is because they don’t tend to invest enough in Cyber Security and Business Continuity (Backup & Disaster Recovery).
Over 80% of Hacking-related incidents used either weak or stolen passwords, according to the 2017 Data Breach Investigations Report. Indeed, hackers will most commonly try to use employee passwords to gain access to their accounts and your network, so it is critical that you implement a stronger password policy for your business.
One of the most common mistakes that SMEs make with IT infrastructure passwords is not changing the default passwords or using default administration accounts – I.e. Admin or Administrator. These are among the first things Cyber Criminals will exploit when trying to hack your infrastructure.
Furthermore, SMEs often don’t implement a password policy, so they allow staff to use weak passwords without complexity and to replicate the same password across all of their business applications.
If employees are using their own devices to work (BYOD culture), it is even more important to reinforce a strong password policy and to keep their devices monitored with anti-virus software, as people will use business applications on their own devices, dramatically increasing the risk of vulnerability.
Many things constitute a weak password: low character count, obvious dates and names related to you (birthday, favourite sports team, etc.), picking a dictionary word or name, and easy patterns (like 123456, abcdefg, aaaaaa, abc123).
But most importantly, even a strong password can quickly be compromised if you use the same password for every website and account you create. Cyber criminals are continually harvesting passwords from Data Breaches, and if you only use the same, they will eventually get it.
To hack weak passwords, Cyber criminals tend to use the “brute force” technique, which is a piece of software that continues to try many different character combinations every second. They start with the most common variations and even insert data about you to make the program smarter. To have an idea of how long a computer would take to crack your password, check the website How Secure is My Password. The results show how big of a difference a number, symbol or an extra character can make.
A strong password by itself is the main component of a strong password policy – but not the only one. As mentioned above, a strong password can also be harvested by Cyber Criminals and used against your organisation. Additional components for any business include:
Complexity: The basic requirements we see on most websites is good practice: at least 8 characters, uppercase, lowercase and special characters.
Automatic Password expiration: Regularly changing passwords every 1 or 2 months will keep your employees much safer against any data breach. By the time Cyber Criminals have found their passwords, they will have expired.
Security tools: Will add more layers of security, either by asking users to confirm their identity, by helping them create and store strong passwords or by securing their applications behind a protected wall of access. We will discuss these technologies below.
Unique Passwords: Which do not repeat across your accounts. By stimulating this, employees would be forced to have robust passwords in place and significantly reduce vulnerability.
This simple technique that enables you to use a famous phrase or quote without making it obvious. One could use a phrase like ‘One Small Step for Man, One Giant Leap for Mankind’ by Neil Armstrong in the form of 1SmSt4Man_1GiLe4MK. If logging in to a music streaming service, like Spotify, the phrase could be related to one of your favourite songs, like Billy Jean by Michael Jackson, launched in 1982 – which could be: BJmylover(not)-82MJ.
This technique involves the creation of one robust password that can be adapted to different platforms. A simple example suggested by our partner Webroot would be:
ABT2_uz_AMZ! (About to use Amazon)
ABT2_uz_BoI€€ (About to use Bank of Ireland)
ABT2_uz_FB! (About to use Facebook)
A practical and uncommon way to approach passwords, which logic is explained in the comic below. The basic guideline is to merely pick random words – the more random and the less sense they make together, the better – and write them down one after the other. Due to the high number of characters, brute force techniques would take too long to crack the password and are not viable.
As computers have evolved considerably since the creation of the method, the author now recommends the use of 6 words instead of 4, which you can further complement with numbers or symbols in between for an extra layer of security. The creator of the method recommends rolling a dice and having their random system choose the words for you, which is explained in detail here.
By having a particular shape in mind, it becomes easier to remember a seemingly random sequence of characters. Thinking about ‘!Qaz2wsx£edc4rfv’ may seem hard, but it becomes easier to remember if you look at your computer keyboard and notice the first 4 columns in sequence, from top to bottom. The use of emojis (=^D) and a combination of other characters may also help to increase the safety of a password without making it too hard to remember.
Fortunately, there are some excellent tools to help SMEs along the way. Multi-Factor Authentication can significantly increase password security, as you are adding a new layer of protection. With an MFA tool, a user must confirm that he is the one accessing the account, with a code, a physical device or something that proves their identity (fingerprint, iris, voice).
So, a hacker who has stolen your password will not be able to gain access unless he has also hacked whichever method you are using for confirmation – which should be incredibly difficult. Some MFA tools already on the market are Duo; Google Authenticator and Microsoft Authenticator.
Another handy tool is a Password Manager, which helps users create strong passwords and stores them safely. This means that you only have to remember one password to access the storage, and it will create randomised strong passwords for you, which you can copy and paste conveniently.
A Single Sign-On Portal is also a useful tool that organisations can utilise. It allows different applications to be accessed from a single page – a portal containing log-in information for each member of staff. Once the tool is configured on a clean and trusted device, the employees will be able to use work applications or accounts without the need to remember or enter passwords and log-in.
Yet out of all these techniques, education is the most essential factor for Password Security. Tools and policies will facilitate positive change and allow managers to have control, but they are irrelevant if employees don’t follow them and insist on using weak passwords or taking cyber risks.
People are the weakest link in Cyber Security; so it is crucial to schedule training sessions and incident simulations for all new and old staff to keep them up-to-date on new risks, at least once or twice per year. Once they know what they are doing wrong, they will be able to correct their mistakes and improve their security.
Knowing how to protect yourself and what the most common threats are, will take you far in terms of Cyber Security. If you are serious about protecting your business, these are the next steps we would recommend:
Or consider talking to an expert and give yourself some well-earned peace of mind. Talk to us if you have any questions or concerns.