Yahoo, MySpace, Tumblr, and LinkedIn made headlines in the last 12
months for their enormous data breaches. Hackers released the data for
1.5 billion Yahoo accounts, 167 million LinkedIn users, 360 million user
records on MySpace, and over 65 million Tumblr accounts.
Even more striking is the number of weak passwords revealed during
such data breaches. For instance, Facebook founder Mark Zuckerberg fell
victim to a cyber hack when a group called OurMine Team discovered his
credentials in the leaked data. It was later revealed that his password,
“dadada,” was also used to protect his Twitter and Pinterest accounts.
The recent mega breaches are not only unsettling in their magnitude,
but they also illustrate the consequences poor password practices can
have for both your employees and business.
It’s not ‘what’ makes bad passwords, but ‘who’
Passwords aren’t necessarily the root of the problem; the security
risk originates when you ask employees to create and manage their
passwords without providing them with the tools to do so.
Your employees are juggling a growing number of logins, policies, and
devices, and are left with almost no choice but to settle for poor
password habits and security shortcuts that put your company at risk.
Employees are suffering from password overload
Dashlane’s password overload study discovered that the average number of
accounts registered to one e-mail address is 130 in the United States,
118 in the United Kingdom, 95 in France, and 92 for the rest of the
world. And that number is doubling every 5 years.
With over 100 personal and work accounts, it is impossible to create
and remember a unique, strong password for all of them. As a result,
employees create passwords that are simple to use, easy to remember, and
often meet the bare minimum password security requirements — and they
most likely do not bother segregating the passwords they use for their
personal and work accounts, even if the company has created policies
that explicitly forbid this.
The struggle to create (and remember) strong passwords
Employees create passwords that are easy to remember, often using
easily predictable information such as names, places, sports teams,
important dates, or even the name of the site or system where the
account is registered — which explains why “linkedin” is the second most
popular password found in the hacked LinkedIn data.
Requiring complex passwords results in the reuse of passwords across
multiple accounts. If a hacker manages to steal an employee’s
credentials, for instance from one of their personal accounts, chances
are that they will also attempt to use those credentials to access
company accounts, and/or try to access information belonging to your
valued customers.
Unsecure sharing is not caring
One study found that 1 in 3 employees share their credentials with other
employees for various reasons: because their manager, boss, or colleague
asked for them, to give access to team members while they’re out of the
office, etc. And that sharing is done over insecure channels, ranging
from a post-it note to an e-mail or chat message.
More often than not, employees don’t share passwords with any malicious
intent, but 52 percent of employees in a survey admitted that they did
not understand the risks they were creating by sharing work-related
login information through insecure mechanisms.
Employees and IT administrators are responsible for good password security
Hackers are really targeting the weakest link in your security
infrastructure — your employees. The best way to strengthen the security
of your entire business is to make sure both your employees and IT
admins are aware of their responsibility to maintain good password
security, and that they have the tools to fulfill that responsibility.
Tips for employees:
Education is key: Educate employees on how to
identify a potential security breach, how to generate strong passwords
they can use and remember, and how to manage them safely.
Be transparent about security: Be proactive and
transparent about your company’s security policies and infrastructure.
Consider sending a company-wide incident report to raise employee
awareness, and/or having regular training sessions or town hall meetings
where you educate employees about your current security policies.
Offer them a Password Manager: To help your
employees store, manage, and secure the passwords to their accounts,
provide them with a password manager. Password managers help combat
insecure password sharing, password overload, and manually generated
weak passwords. Make it clear to your employees that this is also a
benefit for them, as they can use it to manage their personal
credentials.
Tips for IT administrators:
Rethink your security policies: Be cognizant of
unrealistic restrictions that not only put your systems at risk, but
also promote cynicism about security. When you create your security
policies, ask yourself: Is this policy difficult to understand/adhere to
for employees? Do employees know why this policy is in place? Can they
recognize a potential security threat or breach? How can you create the
right incentive for employees to not just comply but actively support
security in the company?
Keep your systems and networks secure: Use and
regularly patch data loss prevention (DLP), anti-malware software,
anti-DDoS services, and other security software. For companies with BYOD
policies, make sure employees’ devices are password protected,
antivirus and DLP software is installed, and their data and online
communication fully encrypted.
Enable two-factor authentication: Give your employees an extra layer of security by enabling two-factor authentication for their accounts.
Monitor user behavior: Make sure to keep track of
system usage, external hard drives, and USB devices, as well as which
employees have access to sensitive work accounts, and whether
ex-employees still have access. Make sure you have proper policies and
tools to manage the offboarding of employees who leave the company, in
particular when it comes to passwords.
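The access-review part of that advice, checking who still holds accounts on sensitive systems and whether any of them have left, is mechanical enough to script. The following is an added example, not code from the article or from Dashlane: it cross-checks an export of account holders per system against an HR roster and reports departed employees who still have live accounts, accounts with no HR record at all (shared or orphaned accounts), and sensitive access that has gone unused. Both data sets and the system names are constructed for the example; a real review would pull them from the HR system and the identity provider.

```python
from datetime import date

# Constructed HR export: login -> (employment status, termination date or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob":   ("terminated", date(2017, 3, 1)),
    "carol": ("active", None),
    "dave":  ("terminated", date(2017, 5, 20)),
}

# Constructed account export per system: login -> date of last login.
# "svc-backup" stands for a shared or service account with no HR record.
SYSTEM_ACCOUNTS = {
    "payroll":   {"alice": date(2017, 6, 1), "bob": date(2017, 2, 27)},
    "crm":       {"alice": date(2017, 6, 2), "carol": date(2017, 1, 10),
                  "dave": date(2017, 5, 19)},
    "ops-admin": {"carol": date(2017, 1, 15), "svc-backup": date(2017, 6, 1)},
}

# Systems where a stale or leftover account matters most (constructed)
SENSITIVE_SYSTEMS = {"payroll", "ops-admin"}

# Date the review is run, fixed so the example is reproducible
REVIEW_DATE = date(2017, 6, 5)


def review_access(roster, accounts, sensitive, today, stale_days=90):
    """Return (severity, system, login, reason) tuples, highest severity first."""
    findings = []
    for system, holders in accounts.items():
        is_sensitive = system in sensitive
        for login, last_login in holders.items():
            status, term_date = roster.get(login, ("unknown", None))
            if status == "terminated":
                # Offboarding gap: the person has left but the account is still enabled
                days_gone = (today - term_date).days
                severity = "high" if is_sensitive else "medium"
                findings.append((severity, system, login,
                                 "left %d days ago, account still active" % days_gone))
            elif status == "unknown":
                # Nobody in HR owns this login: shared, service or orphaned account
                findings.append(("medium", system, login,
                                 "no HR record (shared or orphaned account?)"))
            elif is_sensitive and (today - last_login).days > stale_days:
                # Least privilege: sensitive access nobody is using should be removed
                findings.append(("low", system, login,
                                 "sensitive access unused for %d days"
                                 % (today - last_login).days))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1], f[2]))
    return findings


def accounts_to_disable(findings):
    """(system, login) pairs to disable immediately: every account of a departed employee."""
    return sorted({(system, login) for _, system, login, reason in findings
                   if reason.startswith("left ")})


def run_review():
    """Run the review over the constructed data sets."""
    return review_access(HR_ROSTER, SYSTEM_ACCOUNTS, SENSITIVE_SYSTEMS, REVIEW_DATE)


if __name__ == "__main__":
    findings = run_review()
    for severity, system, login, reason in findings:
        print("%-6s %-10s %-11s %s" % (severity, system, login, reason))
    print("disable now:", accounts_to_disable(findings))
```

Running this review on a schedule, and diffing its output against the previous run, turns “do ex-employees still have access?” from a question asked after an incident into a routine that produces a to-do list.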
In 2016, there were 82,000 reported “cyber incidents”, which include
ransomware, distributed denial of service (DDoS) attacks, and more,
negatively impacting organizations. In other words, there are over
82,000 reasons why the security of your business’ data should be a top
priority.
Emmanuel Schalit is CEO of Dashlane.