Are you protecting consumer data? Non-compliance can be costly for businesses, especially ones who think the regulations don’t apply to them.
It takes more than strong passwords to prevent credential theft. Security hygiene best practices are designed to proteect your data.
John Larger, manager of thinkCSC’s NOC, shares his insight on the Dark Web and why your business credentials can be a hacker’s dream if you’re not vigilant.
Usernames and passwords are the go-to security solution for so many networks, services, and social media sites, but they are the weakest link in your security efforts, particularly when taking into consideration the risk of human error. Usernames and passwords are often the only layer of security that stands between your employees and your business network. While best practices demand that we should use different passwords for every service (do you?), the reality is that most of us repeatedly reuse passwords. That is a huge problem. The password that may have just been stolen from your employee during the Capital One breach, for example, may be the same one used to connect to your network, your financial system, or their work email.
Password Reuse Is a Huge Risk
In fact, passwords being shared among different services is one of the most common issues we come across. When one service is compromised, every subsequent use of that credential is at risk. We commonly see malicious actors inject themselves into the middle of an email conversation regarding an invoice or other financial transaction and intercept data (e.g. provide the other party with different bank routing info). We’ve seen these cyber criminals create rules to forward, delete, or hide messages so that their activity is undetected. Sometimes it might be used only for gathering information for other nefarious purposes. It all starts with a password that someone used in more than one place and found its way into the hands of the criminal element on the Dark Web.
Learn more about how even the information you store with your favorite pizza place can be used against you and your organization. Read the full article on the Columbus Chamber blog.
At thinkCSC, we offer Dark Web monitoring to identify exposed credentials and alert our customers before hackers can do harm. thinkCSC’s Dark Web monitoring services are provided through a strategic partnership with ID Agent, provider of Dark Web monitoring and identity theft protection solutions. With Dark Web ID, thinkCSC can now offer 24/7 monitoring of millions of sources, including botnets, criminal chat rooms, peer-to-peer networks, malicious websites, bulletin boards, and illegal black-market sites, to alert you of stolen or compromised data. To learn more, please get in touch with us.
Recently, Citrix, a U.S.-based software firm, confirmed that the “international cyber criminals gained access to the internal Citrix network” and downloaded business documents and other files. The hackers gained access using a method called “password spraying.”
What Is Password Spraying?
Password spraying occurs when hackers use a list of common passwords to try to breach the system. They sometimes use passwords leaked from other breaches, according to Dark Reading, hoping that employee reuse their passwords at work.
How Do You Protect Your Organization from Password Spraying?
Nothing makes a stronger argument for more stringent password requirements for your employees than the results of this study conducted by the National Cyber Security Centre, UK’s independent authority on cybersecurity:
- 75% of the participants’ organizations had accounts with passwords that featured in the top 1,000 passwords
- 87% had accounts with passwords that featured in the top 10,000
Allowing your employees to set their own passwords puts your organization at risk.
Most people don’t want to remember numerous usernames and passwords for multiple accounts and programs, and many don’t feel confident in their ability to accurately recall that information. More so, they dislike having to regularly change passwords on individual accounts and being forced to forget previous passwords in exchange for new ones. To deal with this frustration, they tend to do one of two things (or both):
- Re-use the same usernames and passwords across multiple accounts
- Write down their usernames and passwords, and store them in their workspace (usually in a place that is easy to find, often on their desk or in a top drawer)
Learn a Lesson from Citrix
If you do not have strong password security and password policies, today is the day to change that practice. Passwords should be long, randomly generated, changed often, and only one layer in many of your overall security effort. You should also be monitoring the Dark Web. thinkCSC is here to help ensure your cybersecurity systems are strong and vibrant, to assist you in your preparation for and response to cyberattacks. Together, we can avoid the mistakes that are common among so many businesses and organizations, in the end becoming as secure as possible in today’s technological world.
thinkCSC provides Dark Web monitoring services provided through a strategic partnership with ID Agent, provider of Dark Web monitoring and identity theft protection solutions. With Dark Web ID, thinkCSC can now offer 24/7 monitoring of millions of sources, including botnets, criminal chat rooms, peer-to-peer networks, malicious websites, bulletin boards, and illegal black-market sites, to alert you of stolen or compromised data and passwords.
While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all –organizations – businesses of all sizes, government entities, schools, hospitals, and –others – to invest in stronger IT security that includes offsite backup and recovery and managed security. These protections, combined with ongoing staff training, strict policies, and constant vigilance, are an absolute necessity in today’s cyber environment.
For new customers interested in information on obtaining our services, please contact us at firstname.lastname@example.org.
No business, regardless of size, is immune to cybercrime. Unfortunately, not every business has the resources to fuel an entire IT department with the latest technology. This very concern, however, is what feeds the misconception that a viable cybersecurity platform is unattainable and is what deters small- and medium-sized businesses from implementing the right strategies. Updated technology is essential, but what is more important is establishing a culture of cybersecurity. Every business can follow basic protocols that will protect private data.
Every account should be properly secured.
Remembering passwords is tough, which is why people create passwords that are simple to decipher and apply those same passwords to multiple accounts. However, if a password is easy for your employees to remember, it’s too easy for hackers to uncover. Use a password manager that creates unique passwords across all accounts and implement multifactor authentication to confirm identities.
Train and re-train employees.
Education is a strong defense against hackers. It doesn’t take a technical expert to create a phishing email, and such scams are often convincing enough to fool even the most talented IT professionals. Encourage your employees to be on the lookout for suspicious emails and promote a zero-trust policy. Employees should never click on a link unless they can be sure of its origins; require them to report suspicious or unusual activity.
Include personal devices in your security strategy.
You might think that establishing a policy of no personal devices for work would be effective, but let’s be realistic: Your employees are going to use their phones and tablets to get things done. It’s part of what makes your people productive and flexible; so, instead of prohibiting the practice, ensure that you have strict policies in place for how personal devices are used, as well as robust mobile device security and management protocols. If necessary, you can utilize a VPN so that all employees have access to an encrypted channel regardless of location.
Don’t test with real data.
This may seem obvious, but many developers test unsecured systems with real copies of confidential information. Cybersecurity policies should encompass all data and programs, and if you’re running a test, use inconsequential data as a substitute, for testing purposes. Hackers are on the lookout for these types of weaknesses, and without even realizing it, you could be installing into your networks a freshly tested data that is infected with malware.
Open the door to communication with your team.
Placing blame when mistakes are made benefits no one in an organization. By building a culture of trust and open communication, your employees will feel comfortable reporting unusual activity or even admitting that they have clicked a link they shouldn’t have. This allows security professionals to mitigate a data breach and prevent further loss, if any has occurred. When employees are comfortable reporting vulnerabilities, you learn of potential disasters before they happen and can use the incidents as training opportunities.
IT security is about more than hardware. Your strategy should address your organization’s entire infrastructure and the data critical to your operations and to your consumers. These simple procedures allow everyone within your organization to act as a defense against cyberattacks. No hardware can account for human error, and policies must address this vulnerability to mitigate risk and protect business outcomes.
A managed service provider can offer your business the best solutions possible and work diligently to ensure that the percentage you budget to IT is worth every cent. Partnering with the right managed services provider does make a difference. Today’s MSP does more than just provide technology and facilitate server upgrades; the right MSP is an integral layer of your cybersecurity. At thinkCSC, cybersecurity is simply factored into everything we do. We can partner with your Columbus-region organization to develop a unique solution designed to fit your business model. Take the first step towards advanced cybersecurity practices and contact us today to learn more about our enhanced Managed Security options.