Strong leaders don’t have strong passwords

Guest Blog

By Steven Hope, CEO of Authlogics

Many business leaders have had a rough ride over the past two years. However, the corporate world can be an unforgiving environment, global pandemic or not.

We live and work in an increasingly litigious world, and any indication of wrongdoing or malpractice (intentional or otherwise) runs the risk of costly and time-consuming legal action. Such action isn’t restricted to the aggrieved or the opportunist; it extends to regulators wanting to show they have the bite to match their bark.

The end of May 2022 marks four years since GDPR was enshrined in law, and although the UK is no longer part of the EU, it still has the UK GDPR. With so much publicity in the years before and after GDPR came into force, it is reasonable to suspect that there are few board meetings taking place that do not have data protection, compliance, privacy, and security on their agendas.

Looking at the picture painted by official statistics published in March by the UK government’s Department for Digital, Culture, Media & Sport in its Cyber Security Breaches Survey 2022, it would at first glance appear that cyber security is being taken seriously at board level.

The report states that approximately four in five (82%) boards or senior management teams within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority. What’s more, a growing number of businesses (although still only 34%) have a board member with cyber security as part of their job. More good news is that 50% of businesses are updating the board on cyber security matters at least quarterly, rising to 80% for larger organisations.

However, the findings of a new survey conducted by NordPass have been making waves by suggesting that C-level executives may not be taking matters as seriously when it comes to their own conduct. The research reveals that the top passwords in use are 123456, password, and 123456789, along with a range of names, animals and mythical creatures: the same type of ‘simple’ passwords that many people use in their day-to-day lives.

Now, I would not suggest that strong leadership requires strong passwords, as I have long argued that strong passwords are simply more complicated to remember than they are to hack; what is making it ‘strong’ exactly? We should not be too surprised; after all, executives are just people, prone to the same behaviours as everyone else, naturally gravitating to convenience in their live-to-work lifestyles. However, it also appears that business leaders are aware of their own shortcomings when it comes to password best practice, with Pulse and Hitachi ID revealing that 94% of leaders are aware of the need for password training.

The Information Commissioner’s Office (ICO) is charged with policing the UK GDPR, and it has made crystal clear from day one that it requires organisations to be accountable: not only responsible for compliance, but able to demonstrate it. It would be extremely hard for a director (it is they who will ultimately carry the can) to swear under oath that 123456 is a satisfactory password, especially to safeguard the type of information that a C-level executive would typically have access to. Furthermore, there is also the acknowledgement that a leader within an organisation is an obvious target.

The good news is that fixing the password problem from the board to the bottom, to establish and maintain demonstrable compliance, does not require a difficult knock on the door of the boss. The first step is to understand the current susceptibility of your organisation, and that begins with a password breach audit. It is a free service that within minutes will determine which accounts (active and dormant) within the domain have been breached. Do this and you are on course to demonstrating a process for compliance adherence. Armed with these insights, immediate remedial company-wide action can be taken to close any breaches, using Password Security Management (PSM). These systems ensure that every password adheres to best practice as dictated by NIST SP 800-63B (from the National Institute of Standards and Technology, a US government agency widely regarded as the trusted authority on password policy), and that they stay that way.

The latest DBIR (Data Breach Investigations Report), published in May by Verizon, suggests that 82% of data breaches involve a human element. This echoes other findings that 80% of breaches are caused by weak, stolen, or reused passwords. So the exposure and risk of having anyone within an organisation, let alone its leaders, creating an easily exploitable vulnerability is high. The penalty, whether in the form of the eye-watering fines the ICO has at its disposal or the financial and reputational harm it can do to the profitability and reputation of the business, can be hugely damaging. If you think multifactor authentication (MFA) will save the day, think again. Despite the increased adoption of MFA, the number of passwords in use has kept growing, along with the number of password-based attacks.

Business has been tough enough, why make it any tougher than it needs to be, by exposing the company to such unnecessary risk?

The road to password hell is paved with good intentions

Guest Blog

By Sinisha Patkovic, Authlogics

False negatives from online password breach tools could be giving your organisation misplaced confidence in its cyber security status. Right now, your data and documents could be exposed and being exploited despite your best intentions and despite having been given the green light.

There is no sign of the threat posed by breached passwords abating, despite advances in technology, greater awareness of cybersecurity and the potential for stiff penalties to be imposed by regulators. If anything, the problem is growing. Last month, ITProPortal reported that 83 percent of organisations that experienced a data breach in the last 12 months attributed the cause to a compromised password or stolen identity.

In recent weeks Ubisoft announced that it would be conducting a company-wide password reset as a result of a cyber security incident. Meanwhile, it has been reported in the past few days that in January, hackers were able to access a spreadsheet of passwords relating to domain administrator accounts of the customer service company Sitel. According to an article published by TechCrunch, it was exported from an employee’s LastPass password manager. Worse still, it is suggested that it led to the subsequent compromise of the authentication company Okta.

To highlight the sheer scale of the password breach problem, Authlogics published a blog in 2017 which stated there were 306 million passwords known to have been compromised (pwned) in data breaches. It was a shocking statistic at the time; today, however, the figure is more than four billion records and growing. Checking whether an account has been pwned is quick, simple, and free, but exercise caution, because not all free online services are made equal, even if they have the very best of intentions. Put simply, if you want to have confidence in your results, then you need to test your accounts against the largest possible database of up-to-date breach records; anything less and you run the real risk of a false negative.
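The two points above, a NIST SP 800-63B-style password check and the false negative a smaller breach database produces, as one added example that is not Authlogics’ code or its PSM product. The breach corpora, the password values and their counts are constructed for illustration; the range lookup mimics the k-anonymity pattern (client sends a 5-character hash prefix, server returns matching suffixes) so the full hash never leaves the client.

```python
"""NIST SP 800-63B style memorized-secret check with a k-anonymity breach lookup."""
import hashlib
import unicodedata


def _sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the format breach-range services publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpora: {sha1_hex: times_seen}. SMALL stands in for a
# thin free service, LARGE for a fuller database; counts are made up.
SMALL_CORPUS = {_sha1_hex(p): n for p, n in [("123456", 37_000_000), ("password", 9_000_000)]}
LARGE_CORPUS = dict(SMALL_CORPUS)
LARGE_CORPUS.update({_sha1_hex(p): n for p, n in [("Dragon2021!", 1_200), ("qwerty123", 600_000)]})


def range_query(prefix: str, corpus: dict) -> dict:
    """Server side of a k-anonymity range API: every suffix whose hash starts
    with the 5-hex-char prefix, with its count. The client never sends the full hash."""
    return {h[5:]: n for h, n in corpus.items() if h.startswith(prefix)}


def breach_count(password: str, corpus: dict) -> int:
    """Client side: look the full digest up among the returned suffixes."""
    digest = _sha1_hex(password)
    return range_query(digest[:5], corpus).get(digest[5:], 0)


def check_password(password: str, corpus: dict, min_len: int = 8, max_len: int = 64) -> tuple:
    """800-63B verifier rules: NFKC-normalise, require 8..64 characters, impose no
    composition rules, and reject anything present in the breach corpus."""
    pw = unicodedata.normalize("NFKC", password)
    if not (min_len <= len(pw) <= max_len):
        return False, f"length must be {min_len}-{max_len} characters"
    seen = breach_count(pw, corpus)
    if seen:
        return False, f"found in breach data {seen} times"
    return True, "ok"


if __name__ == "__main__":
    # "Dragon2021!" looks fine against the thin corpus but is rejected by the fuller one.
    for name, corpus in (("small", SMALL_CORPUS), ("large", LARGE_CORPUS)):
        print(name, check_password("Dragon2021!", corpus))
```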

As the saying goes, there is a difference between doing the right thing and doing things right. Checking the breach status of passwords is always the right thing to do. Just be sure it is being done in the right way. Once you know your breach status, you can take immediate corrective action, and take steps to prevent passwords from ever being a vulnerability for your organisation.

The tools are available, affordable and accessible, whether you are a sole trader, or the largest enterprise. Should your organisation succumb to a data breach as the result of a preventable password attack, the phrase Ignorantia juris non excusat will almost certainly apply.