Password Based Cyber Attack: Like Leaving Keys Under Doormats
You’ve installed a state-of-the-art security system in your home, yet you keep a key under the front mat and a Post-it with the alarm code in the planter. And then you wonder how the crooks got in.
You’re probably thinking, “As if anyone would do something like that!” The door code in the plant pot may be a little over the top, but the hidden key is more common than you would think. According to Brinks Canada, 33% of burglars come in through the front door, using keys they found under the welcome mat, in a plant pot or hidden in something else within sight.
About now, you’re either shaking your head in wonderment, or trying to figure out a new hiding spot for your key. Hint: Give it to a neighbour!
Either way, it is analogous to hackers getting into the corporate network because they obtained a valid password and simply walked in through the front door.
Password attacks, most of them brute-force attacks or phishing emails, are among the most common causes of data breaches. According to the 2020 Verizon Data Breach Investigations Report, over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. It is estimated that more than 100 billion credentials were stolen in 2020.
The World Economic Forum confirms this by saying that four out of five global data breaches are caused by weak or stolen passwords.
The really scary statistic: 30% of these breaches were the result of insider attacks. In more than half of those cases the internal breach was made possible because people wrote their passwords down (15% of them somewhere on their workstation), shared credentials with a co-worker, or because the firm issued passwords from a scheme that is easy to work out (giving everyone a different plant, city or dog-breed name each month is very simple to crack). This is akin to leaving the key at the edge of the doormat.
Equally scary: 70% of insider attacks go unreported. You may have everything covered within your own organization, or at least believe you do, but if your organization relies on third-party services, it is possible that you will never learn that your employees’ confidential information was stolen.
Bad actors are highly sophisticated and well versed in password cracking. If your people use the same password, or the same structure, across multiple accounts, and every study suggests that most people do, a breach at an outside firm can put your company at risk: once an attacker dumps another service’s password database, every account where those passwords were reused is as good as open.
You may be wondering why giving employees a new word-and-number combination each month is no longer effective. After all, it was accepted practice for many years. Dictionary attacks rendered this approach useless. A dictionary attack is a type of brute-force attack that relies on people’s habit of choosing “regular” words as part of a password. Hackers have collated “cracking dictionaries” of such words together with the common ways they get dressed up (a capital letter, a year on the end, a symbol after that). When those dictionaries are extended with words that matter to a particular employee, gathered through spear phishing or simple reconnaissance, passwords can be cracked very quickly.
Even when companies tighten their password policies, requiring longer passphrases with a mix of character types, employees can still use the same username and password across multiple accounts, potentially leaving your network vulnerable.
What can you do to help combat this? Have your employees use an access management tool with multi-factor authentication, and lock accounts after too many password failures. Banks typically lock users out after three failed attempts; five is generally considered the maximum for this approach to be effective. Make the lockout a timed cool-down rather than a permanent block, otherwise an attacker who knows your usernames can lock your own staff out at will.
According to law enforcement agencies, over 25% of homeowners whose burglars entered with a key found outdoors experience a second theft within two years, again with the crook coming in the front door. Why? Those homeowners concluded that their hiding place had not been secure enough, not that hiding the key was the problem in the first place.
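To make the dictionary attack concrete, here is a short added example; it is not code from the original post or from any vendor mentioned in it. It assumes a hypothetical monthly scheme of the form Plant + Year + symbol, a made-up six-word “cracking dictionary” and constructed target hashes, and it shows both how fast a policy-compliant password like “Tulip2021!” falls and how a personal word survives only until it has been harvested.

```python
"""Added example, not from the original post: a rule-based dictionary attack
against a 'new plant name each month' password scheme.

Assumptions (hypothetical): issued passwords look like <Plant><Year><symbol>
and are stored as unsalted SHA-256 hashes. The word list and target hashes
below are constructed for the demo."""
import hashlib
import itertools

# Constructed "cracking dictionary". Real ones hold millions of words.
WORDLIST = ["rose", "tulip", "daisy", "orchid", "lily", "cactus"]

YEARS = ["", "2019", "2020", "2021"]      # "" = no year appended
SUFFIXES = ["", "!", "1", "!1", "#"]      # "" = no symbol appended
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield candidates derived from one word by applying the habits people
    actually have: capitalise, leet-speak, append a year, append a symbol."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    for base in dict.fromkeys(bases):          # de-duplicate, keep order
        for year, suffix in itertools.product(YEARS, SUFFIXES):
            yield f"{base}{year}{suffix}"


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, wordlist, personal_words=()):
    """Try every mangled candidate from the generic list, then from words
    harvested about the target (pet names, kids, sports team).
    Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in list(wordlist) + list(personal_words):
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed: this month's issued password meets a typical complexity
    # policy (upper, lower, digits, symbol, 10 characters) and still falls
    # within the first few hundred guesses.
    issued = sha256_hex("Tulip2021!")
    print(crack(issued, WORDLIST))

    # A word that matters only to this employee is safe from the generic
    # list, but not once it has been learned through phishing or social media.
    personal = sha256_hex("Biscuit2020")
    print(crack(personal, WORDLIST))               # (None, 600)
    print(crack(personal, WORDLIST, ["biscuit"]))
```

The whole search space for the six-word list is 600 candidates (6 words, 5 spellings, 4 year options, 5 suffixes), which is why the “different plant each month” policy offers no protection at all once the theme is known.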
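An added example, not from the original post, of the lockout control described above: a small guard that counts consecutive failures per account and imposes a timed cool-down instead of a permanent lock. The five-attempt threshold and 15-minute cool-down are assumptions for the demo, not a standard, and the credential check itself is passed in as a callable so the guard can refuse to run it while the account is locked.

```python
"""Added example, not from the original post: per-account lockout with a
timed cool-down. Thresholds are assumptions for the demo, not a standard."""
from dataclasses import dataclass, field

MAX_FAILURES = 5        # consecutive failures before the account locks
LOCKOUT_SECONDS = 900   # cool-down; a permanent lock would let an attacker
                        # who knows your usernames deny service to your staff


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    max_failures: int = MAX_FAILURES
    lockout_seconds: int = LOCKOUT_SECONDS
    accounts: dict = field(default_factory=dict)

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._state(user).locked_until > now

    def attempt(self, user, now, verify):
        """Handle one login attempt at time `now`.

        verify: zero-argument callable that performs the real credential
        check (password plus MFA). It is only invoked when the account is
        not locked, so a locked account cannot be used as a password oracle.
        Returns 'locked', 'ok' or 'failed'."""
        st = self._state(user)
        if st.locked_until > now:
            return "locked"
        if st.locked_until:                 # cool-down has expired
            st.locked_until = 0.0
            st.failures = 0
        if verify():
            st.failures = 0                 # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    wrong, right = (lambda: False), (lambda: True)
    for t in range(5):
        print(t, guard.attempt("alice", t, wrong))           # five 'failed'
    print(guard.attempt("alice", 10, right))                 # 'locked', even with the right password
    print(guard.attempt("alice", 10 + LOCKOUT_SECONDS, right))  # 'ok' once the cool-down has passed
```

A real deployment keeps the state in a shared store rather than in memory, and logs every lockout: a burst of lockouts across many accounts is itself a signal that someone is running a password list against you.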
Why mention this? Because that same mentality/behaviour applies to passwords.
If your company was hacked in the past, or any of your employees’ credentials were compromised through a third-party firm (e.g. the 250 million Microsoft customer-support records exposed in 2020, or the 533 million Facebook user records posted on April 3, 2021, to name two highly publicized cases), it is possible your old company passwords are languishing somewhere on the dark web.
Credential stuffing works on exactly that premise: automated attack bots take username and password pairs from old breaches and try them against other services, betting that people reuse credentials across multiple services and that some account owners never changed their passwords after the breach.
Today, the vast majority of companies know it is critical for employee passwords to be changed following a breach. But we are all human, and many of us are lazy when it comes to remembering passwords. Over 60% of employees revert to their original password as soon as possible, or, if that is not allowed, adopt one they already use on a different site.
On a personal note, you may want to rethink your own password approach. If you are the company IT manager, you will want to look at adopting stricter password policies and protecting your network and cloud with tools such as multi-factor authentication. This is especially important when you have remote workers.
One of the multi-factor authentication tools we often recommend to clients is Cisco’s Duo, but there are other security measures and tools that can be implemented. To learn more, please contact us at [email protected], (416) 429-0796 or 1.877.238.9944 (toll free).
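An added example, not from the original post, of what credential stuffing looks like in an authentication log and how it differs from a brute-force attack on a single account. The log format, the log lines and the thresholds are all constructed assumptions for the demo; the point is that stuffing shows up as one source address touching many accounts once each, so it has to be detected per source, not per account.

```python
"""Added example, not from the original post: telling credential stuffing
(one source, many accounts) apart from brute force (one source, one account)
in an authentication log. Log format, log lines and thresholds are
constructed assumptions for the demo."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays leaked pairs across six accounts and
# gets one hit; 198.51.100.9 hammers a single account; 192.0.2.33 is a real
# user who mistyped once.
SAMPLE_LOG = """\
2021-04-05T10:00:01Z login user=alice src=203.0.113.7 result=fail
2021-04-05T10:00:02Z login user=bob src=203.0.113.7 result=fail
2021-04-05T10:00:02Z login user=carol src=203.0.113.7 result=fail
2021-04-05T10:00:03Z login user=dave src=203.0.113.7 result=ok
2021-04-05T10:00:03Z login user=erin src=203.0.113.7 result=fail
2021-04-05T10:00:04Z login user=frank src=203.0.113.7 result=fail
2021-04-05T10:00:05Z login user=alice src=198.51.100.9 result=fail
2021-04-05T10:00:06Z login user=alice src=198.51.100.9 result=fail
2021-04-05T10:00:07Z login user=alice src=198.51.100.9 result=fail
2021-04-05T10:00:08Z login user=alice src=198.51.100.9 result=fail
2021-04-05T10:00:09Z login user=alice src=198.51.100.9 result=fail
2021-04-05T10:00:10Z login user=grace src=192.0.2.33 result=ok
2021-04-05T10:00:11Z login user=grace src=192.0.2.33 result=fail
2021-04-05T10:00:12Z login user=grace src=192.0.2.33 result=ok
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(log_text, min_users=5, min_attempts=5, min_fail_ratio=0.7):
    """Group attempts per source address and label each source.
    Returns {'sources': {src: {...}}, 'compromised': [users]}, where
    'compromised' lists accounts a stuffing source successfully logged into."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                   "users": set(), "successes": []})
    for ev in parse(log_text):
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "fail":
            s["fails"] += 1
        else:
            s["successes"].append(ev["user"])

    report, compromised = {}, []
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            verdict = "credential_stuffing"
            compromised.extend(s["successes"])   # a hit means a reused password
        elif s["attempts"] >= min_attempts and len(s["users"]) == 1 and ratio >= min_fail_ratio:
            verdict = "brute_force"
        else:
            verdict = "normal"
        report[src] = {"verdict": verdict, "attempts": s["attempts"],
                       "distinct_users": len(s["users"]),
                       "fail_ratio": round(ratio, 2)}
    return {"sources": report, "compromised": compromised}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for src, info in result["sources"].items():
        print(src, info)
    print("accounts to reset and step up to MFA:", result["compromised"])
```

Note that a per-account lockout never fires on the stuffing source here: it tries each account exactly once, which is why the accounts it did get into (“dave” in the sample) have to be found by looking at the source address. In production the counters run over a sliding time window, and a successful login from a source already flagged as stuffing should trigger a forced password reset and an MFA challenge.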