Recently a huge collection of email addresses and cleartext passwords was discovered on dark web trading sites, with more than 700 million accounts in it. After all the recent stories about data breaches, yet another mega breach causes worry, and understandably so. Identity theft is an increasingly common crime with serious consequences for its victims, typically loans or credit lines opened in their name. Another cause for worry for both individuals and businesses is credential stuffing, an attack that exploits the reuse of passwords across many services. This is one of the biggest password-related vulnerabilities: when criminals have your username and password for one service, they will try the same pair on a large number of other online services you may be using, from Netflix and Spotify to Gmail and even your VPN account with your employer. Luckily it is easy to drastically reduce this risk.
- Use a password manager, and let it generate a unique password for every site and service. The password manager takes the hassle out of this, so you can use really long passwords, preferably more than 16 characters. A unique password per service is what stops a leak from one site being used against all the others.
- Turn on two-factor authentication wherever it is offered.
- Do not leave behind more personal information than you are comfortable with. The less that is out there, the harder it is to exploit.
- Consider whether a service is reputable and trustworthy before signing up. If it is not, find an alternative.
- Have a plan for how to react when one of your accounts is compromised: which passwords to change first, and who to notify.
Recommendations to businesses
The bullet points above are simple things we all can do to significantly improve our ability to deal with data breach and credential stuffing risks. For businesses there are a few more things you can do to protect your data and your employees.
Value cybersecurity competence and provide training: Cybehave provides a security awareness program that integrates phishing testing and e-learning, adapts automatically to the threat landscape of your business sector, and treats the human factor as a major driver of vulnerabilities.
Plan and implement good access control: Access control is not only about two-factor authentication, even though turning that on by default makes great sense. Here are some other things you should think about and make careful decisions about how to handle:
- Who has access to what? Classify your data and grant access to those who need to know, and not to others. Have a low-friction process for granting and revoking access on a need-to-know basis, so that people do not accumulate permissions they no longer use.
- People leaving the company? Disable their accounts, including VPN and email, so they cannot log in after they leave. Access to company data by someone who may no longer feel loyalty to the organization is a huge risk.
- Do what you can to make people love their IT tools at work. This is the most important thing you can do to avoid shadow IT: data floating around on personal Gmail and Dropbox accounts, USB sticks, etc. That data could also include company secrets such as API keys, contracts, or even usernames and passwords if good password hygiene is not part of the culture. And what if that personal account is part of one of those big data breaches? It is all outside of your control.
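Credential stuffing, as described at the start of this article, leaves a distinctive trace in a company's authentication logs: a single client address cycling through many different usernames in a short time, failing on most of them and occasionally succeeding. The script below is an added example for this article, not code from Cybehave or any product it mentions. It runs that detection over a constructed sample log; the log line format, the five-minute window and the threshold of five distinct usernames are assumptions, and a real deployment would tune them to its own traffic.

```python
"""Flag credential-stuffing bursts in an authentication log.

Added example, not code from Cybehave or from the article. Assumed log
format (one event per line): '<ISO-8601 timestamp> <client IP> <username> <OK|FAIL>'.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample data: one stuffing run from 203.0.113.5 that tries
# seven different accounts and succeeds on one, plus ordinary traffic
# (a user mistyping a password once, another logging in normally).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 alice FAIL
2024-03-01T10:00:03Z 198.51.100.7 bob FAIL
2024-03-01T10:00:09Z 203.0.113.5 bob FAIL
2024-03-01T10:00:15Z 198.51.100.7 bob OK
2024-03-01T10:00:21Z 203.0.113.5 carol FAIL
2024-03-01T10:00:34Z 203.0.113.5 dave OK
2024-03-01T10:00:48Z 192.0.2.9 alice OK
2024-03-01T10:01:02Z 203.0.113.5 erin FAIL
2024-03-01T10:01:17Z 203.0.113.5 frank FAIL
2024-03-01T10:01:30Z 203.0.113.5 grace FAIL
"""


def parse_line(line):
    """Return (timestamp, ip, user, success) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least `min_users` distinct accounts
    inside any sliding `window`.

    A brute force against one account never trips this (one username),
    while a stuffing run, which walks through a leaked user/password
    list, does. Returns {ip: {"users": set, "compromised": set,
    "attempts": int}}; "compromised" holds accounts that logged in
    successfully from inside a flagged burst and should be reset first.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    per_ip = {}
    for ts, ip, user, ok in events:
        per_ip.setdefault(ip, []).append((ts, user, ok))

    findings = {}
    for ip, evs in per_ip.items():
        recent = deque()            # events currently inside the window
        users_in_window = Counter() # username -> count inside the window
        for ts, user, ok in evs:
            recent.append((ts, user, ok))
            users_in_window[user] += 1
            # Drop events that have aged out of the window.
            while ts - recent[0][0] > window:
                _, old_user, _ = recent.popleft()
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
            if len(users_in_window) >= min_users:
                f = findings.setdefault(
                    ip, {"users": set(), "compromised": set(), "attempts": 0}
                )
                for _, u, success in recent:
                    f["users"].add(u)
                    if success:
                        f["compromised"].add(u)
        if ip in findings:
            findings[ip]["attempts"] = len(evs)
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts against "
              f"{len(info['users'])} accounts; successful logins to reset: "
              f"{sorted(info['compromised'])}")
```

With the sample data the only finding is 203.0.113.5, with seven attempts against seven accounts and one successful login (dave) that should be treated as a compromised account. Shrinking the window to 30 seconds, or raising the threshold above seven, produces no finding, which is the trade-off to keep in mind: attackers who spread a stuffing run over many addresses or slow it down will slip under a per-IP, per-window rule, so this check complements, rather than replaces, two-factor authentication.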