You’ve installed a state-of-the-art security in your home, yet keep a key under the front mat and a Post-it in the planter with the alarm code. Yet you wonder how the crooks got in.

You’re probably thinking, “As if anyone would do something like that!”  The door code in the plant pot may be a little over the top, but the hidden key is more common than you would think.  According to Brinks Canada, 33% of burglars come in through the front door – using keys they actually found under the welcome mat, in one of the plant pots or hidden in something else within sight.

About now, you’re either shaking your head in wonderment, or trying to figure out a new hiding spot for your key. Hint: Give it to a neighbour!

Either way, this is analogous to hackers getting into the corporate network because they got a password and gained access to the back door.

Password Attacks

Password attacks, most of which come in the form of a brute force attack or through phishing emails, are the most common causes of data breaches.  According to the 2020 Verizon Data Breach Investigations Report, 81% of data breaches are a result of compromised credentials. It is estimated that +100 billion credentials were stolen in 2020.

The World Economic Forum confirms this by saying that four out of five global data breaches are caused by weak or stolen passwords.

The really scary statistic: 30% of these breaches were the result of insider attacks. In +50% of cases, internal breaches were made possible because people wrote down their passwords some are on their workstation (15%), employees shared credentials with a co-worker, or the firm used a password management system that could be easily de-coded (giving everyone a different plant, city or dog breed name each month is very simple to crack). This is akin to leaving a key end of the doormat.

Equally scary: 70% of insider attacks go unreported. You may have everything covered within your own organisation, or at least believe you do, but if your organization relies on third party services, it’s possible that you may never learn that your employees’ confidential information was stolen.

Bad actors are highly sophisticated and well versed in password engineering. If your people use the same password, or similar structure, across multiple accounts – and all studies suggest that most people do – a breach in an outside firm has the potential to put your company at risk.  If an attacker can dump a password database, then all the passwords become useless.

You may be wondering why giving employees a new word and number combination each month is no longer effective. After all, was an accepted practice for many years. Dictionary attacks rendered this approach useless. This is a type of brute force attack which relies on people’s habits of choosing “regular” words as part of a password. Hackers have collated “cracking dictionaries”. When combined with typical spear phishing procedures which allow words personally important to individual employees to be included, passwords can be quickly cracked.

Even when companies increase their password policies and requiring longer pass first with the use of diversified characters, employees can still use the same username and password across multiple accounts, potentially leaving your network vulnerable.

What can you do to help combat this? Have your employees use an access management tool, with multifactor authentication and lock accounts after too many password failures. Banks typically lock users out after three failed attempts; five is considered the maximum for this approach to be effective.

Credential Stuffing

According to law enforcement agencies, over 25% of homeowners whose burglars entered with a key found outdoors, experience a second theft within two years – again with the crook coming in the front door. Why? These homeowners thought the problem was that their hiding place had not been secure enough, not that hiding keys was the problem in the first place.

Why mention this? Because that same mentality/behaviour applies to passwords.

If your company was hacked in the past, or any of your employees’ credentials were compromised by a third-party firm (e.g. Microsoft having 250 million of its records exposed in 2020, Facebook’s 533 Million users on April 3, 2021, to name a couple of highly-publicized ones), it is possible your old company passwords are languishing somewhere on the dark web.

In credential stuffing, automated attack bots work on the premise that people reuse usernames and passwords across multiple services, and/or that some account owners never changed their passwords after a breach.

Today, the vast majority of companies know it’s critical for employee passwords to be changed following a breach. But… we are all human. And many of us are lazy when it comes to remembering passwords. Over 60% of employees revert back to their original password as soon as possible – or adopt when used on a different site, if that is not possible.

On a personal note, you may want to think your own password approach. If you are the company IT manager, then you’ll want to look adopting stricter password policies and protecting your network and cloud with tools such as multi-factor authentication. This is especially important when you have remote workers.

One of the multi-factor authentication tools often recommend to clients is Cisco’s Duo, but there are other security measures and tools that can be implemented.  To learn more, please contact us at [email protected] or (416) 429-0796 or 1.877.238.9944 (Toll Free).