According to the Verizon 2021 Data Breach Investigations Report, credentials are the #1 way that a cybercriminal hack into an organization, with 61% of breaches attributed to leveraged credentials. That means that by way of clone phishing, domain spoofing or one of any dozens of methods, a hacker’s primary way of getting at your data is through illegally mined login information and passwords.
SIDE NOTE: Unsure what “clone phishing” and “domain spoofing” are? Read up on the 10 Major Types of Phishing Scams.
Remember that these hackers are not part of super sophisticated networks or genius-level computer experts sitting in a dark room. Anyone with access to a smart phone or a computer that connects to the internet can phish. As a matter of fact, the laughable examples that you may have seen containing language like “Dear most esteemed friend, I am writing to you in need of generous help and courtesy” are proof enough that anyone can (and does) try phishing in hopes of a payday.
These seven mistakes are great start to making sure you don’t fall prey. On top of these, though, a tried-and-true pro tip is using a smart password management tool like LastPass. That way, you don’t have to give yourself a headache attempting login after login with the wrong password.
1. Using simple passwords
Mistake: Often passwords that are easy-to-remember are easy-to-hack. To keep things simple and memorable, users will oversimplify their passwords and use keystrokes that are easy to remember via muscle memory, like QWERTY, Password1234, Fido123, etc.
Solution: Never (and we mean ever) use a password like any of those above. You’ve probably noticed an increasing amount of enforced complexity as you log into new sites these days. That’s because legit companies are now trying to help their users stay safe. Add in a combination of special characters, capitals, lower case, and numbers (like TE$@#98feTJ3$&!), and remember the more characters you use, the safer you are.
2. Repeating passwords across platforms
Mistake: As another solution for remembering passwords, people tend to use one, single password universally. So, for their personal Facebook account and the company’s bank login, the password is something like MyPassword111. And even if it’s a strong password (see mistake solution above), it dilutes the overall strength because if it’s shared or hacked, everything is at risk.
Solution: This is where a password management system really shines. Not only will a decent system generate a super strong password based on whatever criteria you need, but it will also act as a repository for all of them. Then you can choose whether you want it to auto-fill or want to access the repository and fill it out yourself.
3. Unauthorized password sharing
Mistake: Here’s one scenario—a colleague is on leave, and you need access to a particular file from their computer or an account that they log into. To keep things simple and give you faster access, the colleague shares their password in an email. This means that if your email is hacked, not only is your information at risk, but your colleague’s is also.
Solution: Ensure that there is a centralized storehouse for documents where users can be granted access to locations, folders, and files. As far as logins for websites are concerned, establish a overarching global admin who can grant and deny permissions to users as needs arise (and of course, after they are satisfied).
4. Writing down passwords
Mistake: Coincidentally, this is one of the most obvious and the most made mistake. So they don’t forget passwords, people will to write them down on a post-it note or in their phone. This is disastrous if a malicious passerby sees it or if the item is stolen. The same goes for storing passwords on email if the email server is compromised.
Solution: Heading back to the password management tool, use a password-protected system that securely holds all your passwords. This way you must only remember one complex password which grants you access to everything you need.
5. Not revoking access on time
Mistake: Unfortunately, it’s not unusual to hear about ex-employees’ log-in credentials being used to hijack company data. When an employee leaves, it often causes a lot of disruption and extra work. So it’s dangerously common for manager to forget alerting their IT when this happens. The users’ access and information then fades into the background and that security gap could be allowed to exist for months—even years—without ever being noticed til it’s too late.
Solution: Put offboarding policies and processes into place which clarifies the activities that must be completed when an employee leaves. These should include but are not limited to: who is accountable, when the activity should take place, where the activity should happen, and what follow throughs or loop closures are necessary.
6. Not updating passwords
Mistake: In a world of ever-mounting websites, access points, and resources, users hope that the same password will last for as long as they need access to the system. But using the same password for years or even months can be risky.
Solution: Passwords should be changed every 3 months and even sooner for critical applications like bank account access.
7. Only requiring one credential and password entry (aka Single Factor Authorization)
Mistake: Even though many websites and applications are beginning to change, most still only require a single login name and password to gain access. Since most users are interested in getting access as fast and reliably as possible, they never take additional steps to authorize that the person entering that information is the person that they say they are.
Solution: Particularly for more critical areas, multi-factor authentication (or MFA or 2FA) must be deployed. Multi-factor authentication includes tokens, biometric authentication, OTPs, etc., which make it very difficult to hack into the application because a secondary source has to be verified first.
A few tricks make it all faster and easier to implement
As an MSP, of course we’re going to recommend that you contact one to help you create full-scale policies around the points above as well as ensure you have the technological tools to handle the management work. But on top of that obvious point, you can also:
- Include a password security policy in your employee onboarding process which outline real consequences and that the newly hired staff member must sign to acknowledge.
- Ensure that password management is included in all recurring employee training (and if you don’t have any recurring security training, start a plan right away).
- Assign a global administrator who has access to all of your business-critical accounts and systems and who can grant or deny user access at any time.
Of course, if you want to make it easier on yourself and your users, just contact us. We’ve created hundreds and hundreds of security policies for businesses in every industry with our Advanced Security offering. We will not only help you create yours, but we’ll also put the right tools in place, continuously train your employees, and evolve it as the world of security changes. Contact us to find out what it entails.