By Toni El Inati – RVP Sales, META & CEE, Barracuda Networks
The COVID-19 pandemic has brought about a sea-change in the business world. Organisations have come to embrace the work-from-home model powered by digital transformation. With this transition to working from remote locations becoming mainstream, there has been an explosion in opportunities for hackers to take advantage of new vulnerabilities that has led to a spike in the number of phishing attacks launched against organisations. According to research conducted by Barracuda Networks during the pandemic, nearly half (46%) of businesses said they had already experienced a major security scare since the remote working transition, and 51% of organisations had already seen an increase in email phishing attacks since this shift.
Moreover, with relevant, eyeball grabbing news articles capturing the public’s attention on a daily basis, the pandemic presented cybercriminals with an opportunity to craft highly enticing phishing emails. It can also be argued that remote employees are more distracted and therefore susceptible to fall victim to phishing scams. This leads to a greater possibility of cybercriminals manipulating unsuspecting users into sharing passwords.
Once successful, these compromised credentials open up the floodgates to a host of attacks ranging from account takeover, to data theft. Since people often use the same password for different accounts, hackers are able to successfully reuse stolen credentials and gain access to additional accounts. In fact, shared or hacked passwords are directly linked to more phishing attacks that can successfully trick friends, family and colleagues into financial and reputational damage. Highlighting the threat that compromised passwords pose, a survey by HYPR identified that nearly a third (29%) of respondents had experienced a credential stuffing attack wherein cybercriminals attempted to employ a large number of stolen user logins and passwords to compromise applications and systems. Adding to the challenges already plaguing IT teams, hackers also use stolen passwords for personal emails and use access to that account to try to get access to business accounts.
With it being clear that passwords remain at the centre of attacker’s crosshairs it’s worth considering the following suggestions when creating your next password.
Longer = more secure
At the very least, your password should be eight characters long. This ensures that if a malicious actor is attempting to crack your password, the larger set of permutations and combinations will likely result in a greater deal of effort and a lower success rate.
Diversity and difference are key
While hard to believe, it is unfortunately true that despite all the awareness around cybersecurity and the implications of data breaches, research conducted by NordPass found that in 2020, 123456 remained the most commonly used password in the world. So, there’s good reason to reiterate the need for diversity and difference during password creation. Use a combination of uppercase and lowercase letters, numbers, and symbols for increased password strength. Don’t use letters or numbers in a sequence – so definitely no ‘123456’ or ‘qwerty’. Also, keep in mind that some hacking tools include dictionary-based systems, so intentionally misspelling words could actually be a good security measure!
Create your own password formula
It is worth putting a creative spin on the otherwise mundane task of creating a password. Skipping the obvious choices such as your name, surname, mother’s maiden name, address, company name or your pet names, phone numbers, birthdays or social security numbers is a good idea! With just a few minutes of ‘online research’, a motivated attacker could fairly easily uncover this information.
Instead, create a personal password formula to make your passwords as unpredictable as possible. Use a combination of symbols, letters and numbers in an order which makes sense to you. Choose random words, song lyrics, favourite poems, games, or movies and combine them with numbers, spaces and symbols.
IT Must Take Action
Given that users alone cannot be tasked with the responsibility of creating strong and distinct passwords for each of the accounts they utilise, there are a couple precautionary measures IT teams should implement.
- Get granular with your monitoring, use technology to identify suspicious activity, including logins at unusual times of the day or from unusual locations and IP addresses, which are potential signs of a compromised account.
- Educate users about spear phishing attacks by making it a part of security awareness training.
- Use multifactor authentication (MFA), which provides an additional layer of security above and beyond username and password, such as an authentication code, thumb print or retinal scan.
- Using machine learning to analyse normal communication patterns within your organization allows you to spot anomalies that may indicate an attack.
- Deploy technology that uses AI to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
Ultimately, despite their obvious shortcomings, passwords will remain a fundamental part of enterprise security strategies for years to come. Keeping in mind that cybercriminals are motivated by economics, organisations and individuals can greatly reduce their risk profile by ensuring that they aren’t the lowest hanging fruit.