Why Change Your Password Day comes just in time for your organization
Every year, February 1 is all about changing passwords. We don’t need to tell you why this is necessary in ‘normal’ circumstances. But today, it is more important than ever. Let us tell you why that is, and how you should proceed.
In late January, ominous reports surfaced about the so-called ‘Mother Of All Breaches’ (MOAB). This monster leak involves 1.2 terabytes of leaked data, accounting for over 500 billion login credentials[1] that can be found on the Darknet. Although it consists mainly of data that has been around for some time, there is still plenty of reason to worry.
The data compile over 3,800 prior data breaches. That is good news for companies that are already Secutec customers: for 94% of the data, across every one of those breaches, they have already been informed of the immediate risks to their organization. The bad news is that the leak can still have an impact even so, and not just because the estimated remaining 6% contains new data.
After all, motivated hackers can scour the available information to spot trends and tendencies. They try to link your old passwords to services where you have not yet changed your credentials. For example, someone who reuses their Gmail password elsewhere and, after a data breach, changes it only on the breached site and not on Gmail is still at risk of having their Google account hacked. Through that Google account, passwords can then be reset on all websites via ‘Forgotten Password’ links, allowing hackers to access your Facebook, Instagram,… This technique is called Credential Stuffing.
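As an added illustration of the defensive side (example code written for this article, not Secutec's own tooling), the following Python flags the trace credential stuffing leaves in an authentication log: one source trying many distinct usernames within a short window. The log format, addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic): 203.0.113.7 walks
# a list of different usernames, 198.51.100.2 is one user retrying a typo.
SAMPLE_LOG = """\
2024-02-01T09:00:01 src=203.0.113.7 user=alice result=fail
2024-02-01T09:00:02 src=203.0.113.7 user=bob result=fail
2024-02-01T09:00:03 src=203.0.113.7 user=carol result=fail
2024-02-01T09:00:04 src=203.0.113.7 user=dave result=success
2024-02-01T09:00:05 src=203.0.113.7 user=erin result=fail
2024-02-01T09:05:00 src=198.51.100.2 user=alice result=fail
2024-02-01T09:05:30 src=198.51.100.2 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Turn the key=value lines into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Flag sources trying >= min_users distinct usernames within `window`.
    A real user retries one account; a stuffing run replays many leaked pairs
    from one place. Successes from a flagged source are returned so those
    accounts can be reset and MFA enforced."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_users:
                hits = sorted(e["user"] for e in in_window if e["result"] == "success")
                alerts[src] = {"distinct_users": len(users), "compromised": hits}
                break
    return alerts
```

Run against the sample, only 203.0.113.7 is flagged, with `dave` listed as the account that needs a reset.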
The importance of robust password policies
It is fair to say that you better give ‘Change Your Password Day’ your undivided attention this year. Both towards users and towards your company’s password policy. At a time when private data has never before been so freely available, data protection is crucial. This starts with enforcing a strong and up-to-date password policy. What should that look like?
Continuous training and education
It is crucial that everyone in the company knows what measures are being taken to achieve strong digital data security. Next, it is essential that every employee understands in depth why these are implemented and what the expected outcome is. This is a highly underestimated factor: your employees will handle their data much more diligently if they understand the rationale and the potential consequences. That’s why we offer these tips:
- Continually educate and inform your employees about the dangers of bad password behaviors and the characteristics of a cyberattack. Urge them to report suspicious activity immediately. You can practice this by using always-on phishing training, for example.
- Teach your employees the characteristics of a strong password and make it clear that they should always use 2FA or MFA (Multi-Factor Authentication). These security methods require two or more forms of identification for data access, providing an additional layer of security. This can be done in several ways, one of the more secure of which is an authenticator app that generates constantly refreshed one-time codes.
You can use the infographic below to help your employees develop unique, strong passwords.
Control and conquer
Once the user side is set straight, it’s equally important that the management side is ready as well – and that it remains up-to-date at all times. Consider:
- When managing a lot of different accounts within a company, it can be handy to use automated tools or a password manager. Ideally, these are tightly controlled by the IT department. They should limit the capabilities per account to the bare essentials so that, in the event of a breach, any leaked data is limited to the apps, services, products… that one account has access to. After all, not everyone needs the same unlimited rights!
- Prevent former employees from still having access to your company by regularly updating passwords (every two to three months) and cleaning up or deactivating old profiles as soon as possible. After all, you don’t want someone who no longer has anything to do with the company to still have access to your company data.
What role does Secutec play in your password policy?
With Secutec SecureSIGHT you always have insight into leaked usernames and passwords that are associated with your company. Moreover, thanks to our permanent Darknet Monitoring you are immediately informed of upcoming attacks, and you always know which of your data can be found on the Darknet. With that knowledge, you can get to work!
Need more security advice? Schedule an appointment with our security experts to review your options together.
[1] Source: Spycloud https://spycloud.com/blog/moab-data-leak-what-we-know/