Keep it complex this World Password Day

World Password Day was first initiated by Intel back in 2013 as a timely reminder for everyone to reassess their passwords and review the defences they have in place. A weak password can leave you vulnerable to hackers, and with recent research showing there is a hacker attack roughly every 39 seconds, it’s vital to ensure tough measures are in place. So, this World Password Day, six experts have shared their top tips with Digitalisation World on how best to make sure your password is strong and secure.

Thursday, 7th May 2020, by Phil Alsop

The impact of remote working


The impact of COVID-19 has been felt around the world, and as a result many employees now find themselves working from the comfort of their own homes. As Andy Swift, Head of Offensive Security at Six Degrees, comments: “This year's World Password Day feels especially significant as we see organisations wrestle with the logistics and cyber security implications of managing significant remote working deployments. We can all do ourselves a favour by utilising complex passwords, storing them appropriately, and backing them up with multi-factor authentication.”


“We’re all expected to use incredibly complex passwords to keep our Personally Identifiable Information safe, and rightly so,” Swift continues. “But there’s no way we’ll remember them all without some help. Use a reliable password manager and resist the urge to go back to using ‘Monday1’ for everything. And remember that no matter how complex your password is, it is still susceptible to a brute force attack unless it is backed up by multi-factor authentication. So whenever you're accessing a web application, a VPN through a laptop at home, or any point of contact between the internet and your IT infrastructure, make sure multi-factor authentication is in place to minimise the risk of illicit access and data breach." 


Additionally, as Sascha Giese, Head Geek at SolarWinds points out: “The sudden increase in the number of remote workers has been accompanied by a spike in phishing scams and spam attacks as hackers ruthlessly use the COVID-19 crisis to their advantage. In the public sector—as in every sector—IT pros have to contend with keeping stressed IT systems functioning while working from home, and now this dramatic surge in cybersecurity threats as well.”


Giese suggests, then, that the most effective measure can actually be as simple as password protection. “At times like this, remember passwords act as vital gatekeepers to the most sensitive data. Strengthening password habits such as regularly changing them and using two-factor authentication (2FA) makes it harder for hackers to gain access to data and information. For the public sector, 2FA is a very effective additional layer of security that requires not just a username and password, but also something completely unique to that user, whether it be a piece of information or a physical token. It’s based on the concept that only those users will gain access based on something they know (knowledge) and something they have (possession). Such a system makes it much more resistant to attack, and in our current times, is reassuring for both system administrators and the public.”
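The knowledge-plus-possession check Giese describes, as an added example that is not code from the article or from SolarWinds: a salted password hash (what the user knows) is verified alongside a time-based one-time code (what the user has, from an authenticator app). HOTP and TOTP follow RFC 4226 and RFC 6238 using only the Python standard library; the user record, password and shared secret are constructed for the demonstration.

```python
"""Two-factor login check: something you know (password) plus something you have
(a TOTP code from an authenticator app).

Added example, not code from the article or from SolarWinds. HOTP and TOTP follow
RFC 4226 / RFC 6238 using only the standard library; the user record, password and
shared secret below are constructed for the demonstration."""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # TOTP time step used by common authenticator apps
DIGITS = 6         # length of the one-time code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or for +/- `window` adjacent steps,
    which tolerates small clock drift between server and phone. Each comparison
    is constant-time so the check does not leak how many digits matched."""
    counter = unix_time // STEP_SECONDS
    matched = False
    for drift in range(-window, window + 1):
        # evaluate every candidate rather than returning early
        matched |= hmac.compare_digest(hotp(secret, counter + drift), code)
    return matched


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is generated when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash plus the shared TOTP secret."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, unix_time: int) -> str:
    """Returns 'ok' only when both factors verify; otherwise a generic 'denied',
    so the response does not reveal which factor failed. Both factors are always
    evaluated, so a wrong password cannot be spotted through a faster reply."""
    _, digest = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(digest, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return "ok" if password_ok and code_ok else "denied"


if __name__ == "__main__":
    # RFC 6238 reference secret, used here only as a constructed demo value
    secret = b"12345678901234567890"
    user = make_user("correct-horse-battery-staple", secret)
    now = 59  # RFC 6238 test time; with 6 digits the expected code is 287082
    print("current code:   ", totp(secret, now))
    print("password + code:", login(user, "correct-horse-battery-staple", totp(secret, now), now))
    print("password only:  ", login(user, "correct-horse-battery-staple", "000000", now))
    print("code only:      ", login(user, "Monday1", totp(secret, now), now))
```

The shared secret is the RFC 6238 reference value so the output is reproducible; in a real enrolment it would be generated per user with `secrets.token_bytes(20)` and shown once as a QR code. The point the demo makes is the one in the quote: a correct password with a wrong code, or a correct code with a guessed password, both get the same `denied`.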


Wieger van der Muelen, Global IT-Security Manager / CISO at Leaseweb Global agrees with this, commenting: “As the COVID-19 crisis continues, so too does the spike in phishing scams and spam attacks on remote workers as hackers relentlessly use it to their advantage. Not only are workers having to adapt to working from home full-time, but the IT teams of the organisations they belong to must contend with adapting current IT systems to fit with a home environment. It is at times like these – more so than usual – that it is vitally important that simple security measures are followed. 


“Simple yet effective steps like ensuring passwords are suitably protected spring to mind. Regularly updating passwords, having different ones for different applications stored in a password manager, and two-factor authentication are all practical steps towards making it much more difficult for hackers to infiltrate information. While the chaos around COVID-19 ensues, with all of its social and financial pressures, the last thing a company wants is to fall prey to a ransomware or phishing attack. By acting smart now, we can all avoid that risk.”


Are passwords just the first line of defence?


Raif Mehmet, AVP EMEA at Bitglass, explains: "The number of large-scale data breaches and the fact that users regularly re-use passwords is a real issue for businesses today.” Because of this, Mehmet considers that, “against this background, static passwords simply cannot provide effective corporate protection.


“Businesses are now turning to a range of dynamic authentication methods that can analyse baseline user activity to detect potential intrusions, suspicious behaviours, and anomalous actions. It is essential that this approach to user authentication can extend to all cloud applications too. For example, if a user logs into Office 365 from the UK and then shortly after logs into Salesforce from Germany, this should be flagged as anomalous activity. The IT teams should be notified and the user should be asked to re-authenticate.” 
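The anomaly Mehmet describes is usually called impossible travel. As an added example that is not code from the article or from Bitglass, the following detector groups sign-ins per user across applications, orders them in time, and flags any consecutive pair whose implied speed exceeds what a person could physically cover; it generalises the UK-then-Germany case to any pair of locations. The log lines, coordinates and speed threshold are constructed for the demonstration; a real deployment would take geolocation from the identity provider or a GeoIP lookup.

```python
"""Impossible-travel detection over sign-in logs: the UK-then-Germany case from the
quote above, generalised to any pair of logins whose implied speed is implausible.

Added example, not code from the article or from Bitglass. The log lines, coordinates
and speed threshold are constructed for the demonstration; a real deployment would
take geolocation from the identity provider or a GeoIP lookup."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # faster than an airliner: one person cannot have made both logins
EARTH_RADIUS_KM = 6371.0

# Constructed sample: one sign-in per line, geolocation already resolved to lat/lon.
SAMPLE_LOG = """\
2020-05-07T09:00:12Z user=alice app=office365 country=GB lat=51.51 lon=-0.13
2020-05-07T09:20:40Z user=alice app=salesforce country=DE lat=52.52 lon=13.41
2020-05-07T09:05:00Z user=bob app=office365 country=GB lat=53.48 lon=-2.24
2020-05-07T17:30:00Z user=bob app=salesforce country=DE lat=50.11 lon=8.68
2020-05-07T11:00:00Z user=alice app=vpn country=DE lat=52.52 lon=13.41
"""


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict with typed ts/lat/lon fields."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["lat"] = float(event["lat"])
    event["lon"] = float(event["lon"])
    return event


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(log_text: str, max_speed_kmh: float = MAX_SPEED_KMH) -> list:
    """Group sign-ins per user, order them in time, and flag any consecutive pair
    whose distance/time ratio exceeds max_speed_kmh. Applications are not separated,
    so an Office 365 login followed by a Salesforce login is compared like any other."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user[event["user"]].append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # same-second logins from different places count as infinitely fast
            speed = distance / hours if hours > 0 else (float("inf") if distance > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_app": prev["app"], "from_country": prev["country"],
                    "to_app": cur["app"], "to_country": cur["country"],
                    "minutes_apart": round(hours * 60, 1),
                    "distance_km": round(distance),
                    "speed_kmh": round(speed),
                    "action": "notify IT and require re-authentication",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print(alert)
```

On the sample, alice's Office 365 login from London followed twenty minutes later by a Salesforce login from Berlin is the only alert; bob's UK-to-Germany pair is eight hours apart and passes. The threshold is deliberately a speed rather than a fixed "different country within N minutes" rule, so a Dover-to-Calais pair is not flagged while a London-to-Sydney pair is, whatever the time gap.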


Mihir Shah, CEO, Nexsan, a StorCentric company expands on this notion, saying: “For individuals seeking to protect their personal information and secure their online accounts, a strong password is a critical first line of defence. But, if you are a commercial, nonprofit or government organisation, a password, regardless of how unique or how often it is updated, will barely scratch the IT security surface. The only true protection for an organisation’s high value data is to aggressively lock it down using a hardened storage solution that has been engineered with the understanding that attempts at corruption or deletion can come from anyone, anywhere and at any time. The solution must be capable of recognising and rejecting every such attempt, regardless of whether it’s from a virus, ransomware, spyware, user mistakes, software error – or a new threat that hasn’t even been discovered yet.”


This is something that Agata Nowakowska, Area Vice President at Skillsoft agrees with. Nowakowska concludes by commenting: “Good password security practice is basic – but it remains a vital defence for organisations in the fight against cybercrime. Despite this, a recent survey by Specops Software revealed 38% of people never update their passwords, with a third using the same password for Netflix as they do for their Internet banking. While this is a risk for anyone on a personal basis, if this practice extends to someone’s workplace, they risk opening the organisation up to the potential of financial, regulatory and reputational damage as a result of a cyber attack - all that's totally avoidable.


“In the modern threat landscape, businesses need to be better prepared for potential breaches, and this takes the right combination of security tools and training. You can’t stop breaches altogether, given the onslaught of new hacking tools and malware that are being created constantly. But you can mitigate the dangers by ensuring all employees have the basic training necessary to protect the organisation against common – and often simple – cyber threats. The answer lies in preparation; ensuring your workforce is well trained with up-to-date IT security practice will establish a baseline defence should an attacker take aim at your organisation - and that starts with good password practice.”


The importance of a strong password as a first layer of defence is a given. So, it’s up to organisations to ensure that employees are educated in the significance of having more than just ‘123456’ in between a hacker and precious data.