Specops Software discovered that 41% of employees had not been provided with adequate cybersecurity training whilst working from home, and they were keen to discover which sectors were experiencing the most threats during this time. They found that 54% of businesses across 11 sectors have seen a rise in cybercrime threats since working from home, with phishing being the most prevalent attack.
With many companies reverting back to home working, Specops Software were eager to assist organisations in improving their in-house password security.
Password-related breaches are among the most prevalent attacks, and Verizon found that almost 80% of all breaches are connected with compromised credentials or weak passwords! Despite knowing not to use basic passwords, many still do.
Specops Software wanted to help businesses improve their password security with these five top tips: proper personnel training, password strength requirement, brute-force protection, profile deactivation during employee attrition and additional protection layers.
However, after surveying 1,832 business owners, they found that:
- 39% don’t offer proper personnel password training
- 61% don’t require password complexity to improve strength
- 44% don’t have adequate understanding of brute-force attacks
- 35% don’t deactivate unused employee profiles
- Only 26% include strong multi-factor authentication methods!
Here are Specops Software’s top five tips on how businesses can improve password security in their organisation:
- Proper personnel training
No matter what innovative protection algorithms are used in your company, if your staff keep passwords in a text doc on the desktop, or even worse on a sheet of paper, all other security measures are likely to fail. That’s why it’s critical to invest in cybersecurity training to teach your personnel the basics of information protection, including proper password management tools where they would have to remember just one passphrase and the software would do the rest – that way passwords would be protected.
- Password strength requirement
Apart from the widely used complexity requirements (minimum number of characters, upper- and lower-case letters, as well as special symbols and numbers), it’s necessary to consider more complex password policies within Active Directory (AD). These include maximum password age to force users to regularly change their passwords, ensuring proper data encryption so even in a case of a breach the data remains safe, and storing the password history to avoid the reuse of previous passwords.
- Brute-force protection
Brute-force attacks aim at guessing passwords by trying different popular combinations as well as dictionary attacks (searching correct combination by existing dictionary words). Despite the best security practices, people still opt for simpler passwords that increase chances for successful breaches. The best way to avoid it is automatic lockdown for logins after several failed attempts as well as the IP address block if the failed attempts continue. It can be done in AD as well as in different corporate resources.
- Profile deactivation during employee attrition
According to a recent study on password usage, 50% of accounts in a company are stale, which increases the risks of unauthorised use of corporate resources. Even if the departure was mutually agreed, it’s better to be safe than sorry and change all shared passwords right away after their last working day. The ideal variant would be to avoid using shared passwords as much as possible. Still, there are some cases when it’s not possible. The same goes for immediate deactivation of the user’s profile. This practice would help to protect from sensitive data exposure as well as minimise the usage of your resources in someone’s personal interest (selling data for competitors or blackmailing the company).
- Additional protection layers
Unfortunately, passwords today cannot be fully replaced by alternative authentication methods such as 2FA, where users would have to confirm their login via codes sent to their emails or phones, or using an even more secure way such as one-time passwords (OTO). Including these methods where possible significantly reduces the risk of a successful login even when a password leakage occurs.
While complex security measures include other steps such as VPN protection for internal resources, trusted firewalls, and anti-malware software, passwords management plays a significant role in system protection. Using these tips in everyday administration management will help to limit the number of successful breaches connected to weak passwords, thus increasing the integrity of the overall IT estate.