How to Avoid a Password Breach

As bad actors continue to target IT environments big and small, cybersecurity is no longer an additional concern but a priority. While some methods of cyber attackers are extremely advanced, many underestimate the impact of simply implementing good password practices. 

Passwords are required for almost everything these days. It's hard to keep trac of all of them and password policies are annoying, often requiring 8 or even 15 characters, capital letters, symbols and numbers, and they only seem to be getting more complex. However, the thing is, your password might be the only thing safeguarding your bank accounts, email, or health information from being seen by anyone or everyone. 

Password security is oftentimes forgotten, leaving organizations open to attacks. Hackers hijack or crack passwords to steal identities, access sensitive data and infect your systems with ransomware or viruses. In fact, cracked or stolen passwords are to blame in most hacking-related breaches. In fact, 81% of data breaches are attributed to compromised credentials that have poor password security. 

With more and more of our lives becoming digital, creating and protecting unique, quality passwords is becoming increasingly important — and increasingly avoided. Although they can feel like a nuisance, proper password practices are essential to maximizing your IT security posture. As dangerous and expensive cyber attacks continuing to fill news cycles, businesses need to ensure they are minimizing every possible vulnerability. 

Types of Password Attacks

• Brute Force – An attack method in which the hacker tries various combinations of user names and passwords repeatedly until they are able to login. This can be done either manually or by using an automated software.
• Keylogging – A type of spyware that logs your keystrokes and where you type them. The information is then analyzed by a hacker to determine passwords and other data.
• Phishing – An email technique used to trick employees into providing sensitive information such as login credentials. (Read more about phishing by clicking here.)

Tips for Keeping Your Passwords Safe

Never Share Password with Anyone

Did you know over 40% of employees openly share passwords with co-workers? This include IT support and providers.

Sharing of credentials goes against best practices for security—period.  Passwords should be treated like a social security or credit card number.  If that information is provided to someone other than you, you risk having fraudulent accounts created under your name or charges to your credit card.  Your password to any account should be guarded in the same manner.  If your password is compromised, the people that have your password can take on your identity online. 

COMMON QUESTION:

It's safe to share my credentials if I receive a call from someone claiming to be with our IT provider. Right?

 

ANSWER:
Hang up with that person and call your IT provider back with the phone number they provide for support and inform them of what happened.

COMMON QUESTION:

Our IT provider needs me logged in to troubleshoot an issue, but I have meeting and need to step away… What should I do?

ANSWER:
Coordinate to start the troubleshooting prior to the time you need to step away and enter your credentials for the person needing them to troubleshoot your issue.

Use Different Passwords for Accounts

It is best practice to use different passwords for all online accounts.  It is easy to have one or two memorable passwords to use across various online accounts. We get it. It's human nature to use simple, easy-to-remember-passwords like relatives, pets, teams, birth cities, birthday, important dates, or even your license plate numbers. Unfortunately, hackers write programs that actively check for those "less than personal" details first. 

If your password is compromised, bad actors now have access to all your online accounts.

65%
reuse the same passwords
across multiple accounts and services

Reusing passwords from your personal accounts to your business accounts is especially dangerous. Although every business is a possible target for a cyberattack, large consumer platforms and retailers, such as e-commerce sites or department stores, are at a much higher risk. When a personal account password becomes a work-related password, the vulnerabilities of those consumer sites and retailers now become vulnerabilities to your business. Moreover, the breach of a personal account puts not only your information in jeopardy, but the information of your employees, colleagues, and customers. 

So what do you use? Pick a favorite song, book, or quote an type the first letter of each word, then maybe add a few capital letters in the middle to mix it up. 

Enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) Security

Two-Factor Authentication (2FA) adds another layer of password protection by making users go through an additional step before being able to log in. This provides another form of evidence that you are who you say you are, typically by entering a security code or pin that is sent to you via email, mobile text message or phone call. 2FA makes it harder for attackers to login to your account because they would also have to have access to your email account or another device to provide the code. And the security codes are usually only valid for a short amount of time and can only be used once. Multi-Factor Authentication (MFA) is best, as it requires two or more methods to verify the users identity.

Reset Password If Breach Is Suspected

There is a continuous influx of passwords being added and sold on the Dark Web, an unregulated part of the internet containing stolen data and information. Additionally due to the prevalence of password reuse, a single password found on the Dark Web can often be used to access and cause harm to various accounts. 

To protect your accounts and information, monitor accounts for suspicious activity that may indicate a breach or leak. Specifically, be on the look out for: 

1. A notification from your account with an authentication code (MFA) when you have not logged in recently 
   Many accounts have incorporated multi-factor authentication (MFA), sending a confirmation code to another device after a log-in. If you receive this code without having logged in, it is a direct indicator that someone else, likely a bad actor, used your password to do so. 
   
   
2. A notification of atypical account access
   Many online accounts can be configured to send a message when your account has been accessed by a device which is not flagged as a safe, known device.  If you receive a message like this, check your account for any unwanted changes and reset your password. 
   
   
3. An inability to access to your accounts 
   If, when logging in, you know you have entered the correct credentials but continue to receive an error, it is possible that your password and account have been compromised. You will need to contact the organization to reset your credentials.

While these practices can help minimizes the chance of a password breach, they are not airtight. Using a secure MSP can help your business enjoy greater IT security without dedicating significant resources to continuous monitoring and response. Centre's managed IT service customers get a Dark Web report every month detailing email addresses and accounts that have been leaked to the Dark Web. 

Additionally, Centre's IT security experts set up alerts for when an employee email address for a client has been involved in a recent breach. After confirming the correct email and password combination in the leak, Centre's team will notify the customer with a list of employees who have been compromised so they can change their password. 

COMMON QUESTION:

What should I do if I suspect a password has been compromised or believe it's been provided to another party?

 

ANSWER:

Immediately change your password for all accounts currently using the same password.

Password awareness and protection is one of the first and least expensive steps to greater data and business protection. Although it requires a continuous commitment, a unique password which is kept private and monitored for exposure is crucial to preventing data theft.  Moreover, prioritizing cybersecurity not only prevents business disruptions and unforeseen expenditures but also fosters greater trust between you, your fellow employees, and your customers. 

What's Next? 

Aside from having strong passwords and using multiple forms of verification, organizations can still be at risk. When employees resign or are terminated, it is best to deactivate their user accounts and disable any access they may have to the network (including wireless) right away. This will help safeguard your business against disgruntled employees who may have been let go and are looking for vengeance.

If you use an external IT Service Provider to support your business, another thing to consider is what their password policies are.  Does the provider use the same administrator username and password for all of their clients? Does the administrator account password get changed when their technicians leave? Do they store any passwords pertaining to your business in a password management system or secure file?

Centre Technologies has multiple safeguards in place to protect passwords of local businesses with Managed IT Services. Multi-factor authentication, a password management system, and tight security policies ensure that your passwords are secure and help deflect cybercriminals from hacking your user accounts.

For more specific and thorough information on how your organization can improve its security posture and spread security awareness among employees, contact Centre Technologies.