In a recent blog post, we discussed the security problems related to passwords. Here, we’d like to offer a few basic tips to protect user credentials. Yes, you’re thinking “but that’s baby cyber stuff! Every competent worker knows how to protect their passwords. It’s common sense!”
Well, consider that even sophisticated users fall victim to attacks that target their credentials. Just last year, a college campus in Augusta, GA suffered a breach that began with a cybersecurity center employee falling for a social engineering attack. Keep in mind that this college is deeply involved in the cybersecurity community, and yet the attackers successfully fooled a cyber center employee. Note that some protections for credentials were already in place in this case; user error still gave the criminals access to the employee’s accounts. As we have already pointed out, compromised credentials are one of the most significant avenues for cyberattack. As an illustration, in its fiscal year 2022 risk and vulnerability assessments the Cybersecurity and Infrastructure Security Agency (CISA) found that the use of valid (that is, stolen or otherwise compromised) accounts was the most common successful attack technique, appearing in more than half of the successful attacks against the organizations it assessed.
As a first step in protecting user credentials, employees ought to be trained on cyber hygiene in general, including best practices for credential management. The threat environment has changed so significantly that education is a must for all employees. Many employees are frustrated by additional training and security measures, so it should be made clear that security breaches affect them personally, as well. In the Augusta example above, the threat actor changed the employee’s direct deposit details in an attempt to divert his paycheck to a different account. Clearly, this breach hurt the individual user as well as the organization as a whole.
It can be useful to share stories of how these breaches affect organizations, to show that this is a collaborative security effort and not merely a few annoying hoops to jump through. As one regional example in the education arena, a community college in Charlotte, NC experienced a breach that required systems to be shut down for weeks; individual employees simply could not get their work done, and a planned spring break was cancelled. In a similar breach at another nearby college, staff endured a shutdown that affected payroll and students’ ability to pay for classes. Simply put, these threats are threats to everyone in your organization, and you will want to make that clear to employees.
As you make employees aware of the necessity of secure credentials, simple password best practices ought to be enforced. Passwords should not be shared, nor should users keep a physical list of their passwords at their workstation. Employees working remotely should avoid logging into accounts over public Wi-Fi where possible. Organizations have traditionally required password resets every so often – say, every 180 days – but note that current NIST guidance (SP 800-63B) discourages mandatory periodic resets, because users respond with predictable variations of the old password; the better practice is to require a reset when there is evidence of compromise, to screen new passwords against lists of breached passwords, and to favor length over arbitrary complexity rules. As we wrote in a recent blog, poor user habits can negate these principles, but with proper training and tools (see below), those habits can be changed.
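To make the screening advice concrete, here is an added example (not code from the original post or from any product it mentions) of a password acceptance check of the kind NIST SP 800-63B describes: a minimum length, a check against breached-password data, and a check that the password does not contain the user’s own name or the organization’s name. The breached-password corpus and the 12-character minimum are assumptions constructed for the example; the lookup mimics the Have I Been Pwned k-anonymity range API, in which only the first five hex characters of the SHA-1 hash are sent to the service and the rest of the comparison happens locally.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (hypothetical counts).
# A real deployment screens against the full Have I Been Pwned data set or its
# range API, not a handful of strings.
BREACHED_CORPUS = {
    "password": 9_000_000, "123456": 37_000_000, "qwerty": 3_900_000,
    "letmein": 250_000, "Welcome1": 60_000, "Summer2023!": 1_200,
}
MIN_LENGTH = 12  # assumed policy; SP 800-63B requires at least 8, longer is better


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: dict[str, int]) -> dict[str, list[tuple[str, int]]]:
    """Index the corpus the way the range API serves it: keyed by the first 5 hex
    characters of the hash, holding (remaining 35 hex characters, breach count)."""
    ranges: dict[str, list[tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append((h[5:], count))
    return ranges


def breach_count(password: str, ranges: dict[str, list[tuple[str, int]]]) -> int:
    """k-anonymity lookup: only the 5-character prefix is 'sent' to the range
    service; the suffix comparison happens here, so the full hash never leaves
    the client. Returns how many times the password appeared in breaches."""
    h = sha1_hex(password)
    for suffix, count in ranges.get(h[:5], []):
        if suffix == h[5:]:
            return count
    return 0


def evaluate_password(password: str, username: str, org_words: list[str],
                      ranges: dict[str, list[tuple[str, int]]]) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if breach_count(password, ranges) > 0:
        problems.append("appears in breached-password data")
    lowered = password.lower()
    context = [username.lower()] + [w.lower() for w in org_words]
    if any(w and w in lowered for w in context):
        problems.append("contains the username or organization name")
    return problems


if __name__ == "__main__":
    ranges = build_ranges(BREACHED_CORPUS)
    for candidate in ("Summer2023!", "Acme-jdoe-spring-2024", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, "jdoe", ["Acme"], ranges) or "ok")
```

The check reports every violation rather than stopping at the first, so the user sees at once why a password was rejected; note that “Summer2023!” would pass a typical complexity rule (upper, lower, digit, symbol) yet fails here because it is short and already in breach data.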
Business owners should also implement multi-factor authentication (MFA) for their organization’s systems. A few years ago, employees may have seen this as overkill; today it is a baseline control. The “multi” in MFA means at least two factors from different categories: something you know (a password), something you have (a phone, an authenticator app, or a physical token such as a fob or security key) and something you are (a fingerprint, face or retina scan). Not all second factors are equal: codes sent by SMS or email are the weakest, because they can be intercepted or simply read out to a convincing caller (the Augusta incident above shows how far social engineering can get); authenticator apps and hardware tokens are stronger; and phishing-resistant methods such as FIDO2 security keys or passkeys are the strongest, because the credential is bound to the legitimate site and cannot be relayed to a fake one. Depending on context, MFA for your business might be a password plus a text code, or a password plus an authenticator app, but the stronger options deserve consideration for administrators and for anyone who can change payroll or banking details.
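For readers who want to see what an authenticator app actually computes, the following is an added example, written for this article and not taken from any product the post discusses: a standards-based time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) generator and a server-side verifier. The verifier allows one time step of clock drift either way and refuses to accept the same code twice, which is the replay check a real deployment needs. The user name, the 20-byte secret and the 30-second step are assumptions for the example; the enrollment helper produces the Base32 secret that an app would read from a QR code.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # time step used by common authenticator apps (assumed here)


def enroll_secret(nbytes: int = 20) -> tuple[bytes, str]:
    """Create a random shared secret for a new user and its Base32 form
    (the text an authenticator app reads from the enrollment QR code)."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check. Remembers the last accepted time step per user so a
    code that was just used cannot be replayed while it is still 'valid'."""

    def __init__(self, window: int = 1, step: int = STEP_SECONDS):
        self.window = window            # steps of clock drift tolerated each way
        self.step = step
        self.last_accepted: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) in (6, 8)):
            return False
        current = int(unix_time) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_accepted.get(user, -1):
                continue  # already used, or older than a code we already accepted
            expected = hotp(secret, counter, len(code))
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted[user] = counter
                return True
        return False


if __name__ == "__main__":
    import time
    raw, b32 = enroll_secret()
    print("Base32 secret for the authenticator app:", b32)
    now = int(time.time())
    code = totp(raw, now)
    v = TotpVerifier()
    print("code", code, "accepted:", v.verify("alice", raw, code, now))
    print("replay accepted:", v.verify("alice", raw, code, now))  # False
```

Two design points matter in practice: the comparison uses hmac.compare_digest so timing does not leak how many digits matched, and the replay check is per user and monotonic, so an attacker who phishes a code cannot reuse it after the victim has. That second point also shows the limit of this kind of MFA: a code phished and relayed to the real site within the same time step, before the victim uses it, still works, which is why the text above recommends phishing-resistant factors for sensitive accounts.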
Finally, consider password manager software; we strongly recommend it to businesses. A password manager stores all of your passwords in a single encrypted vault, unlocked by one strong master password, and can generate a unique, strong password for every account so that a breach at one site does not expose the others. Additional features vary by product; for example, Password Boss offers some level of theft protection, secure sharing, and emergency access.
Notably, Password Boss reports that three out of four businesses do not use a password manager. This step, and the others above, are simple but increasingly necessary for business owners to take in order to protect their employees and their business.