Protecting your business beyond Cyber Security Awareness Month
(Last updated on October 7, 2020)
Cyber Security Awareness Month shines a spotlight on internet security and raises user awareness of the threats that lurk online. While cyber security should always be top of mind for businesses, October is a friendly reminder to take inventory of any threats and vulnerabilities so you can be prepared all year round.
We are wrapping up Cyber Security Awareness Month with a special blog post featuring our co-founder Thorbjörn Sjövold. Here are his tips on tackling today’s threats!
What are some of the top security threats organizations face today?
With organizations increasingly adopting software as a service (SaaS) to gain efficiencies, they have also inherited additional risk. The reliance on online services means that user data is no longer housed solely behind firewalls. Due to the duplication of corporate identities to external systems, the top cyber security threat facing IT departments today is that they no longer control how user data is protected, or how users authenticate to these systems.
It is a well-known fact that users re-use passwords across different systems. It is also common for applications to accept or require corporate email addresses as the username – this is the login schema for Office 365. In such scenarios, if users are also re-using their corporate password on an external system, it is a simple task for a hacker to get into the corporate network if the user’s credentials are compromised.
What are the preventative steps IT departments can take to reduce credential threats?
Unfortunately, IT security is seldom top of mind for end users who prioritize ease of use over security. Due to this, weak passwords are one of the main sources of security breaches. Users need continuous training around common attacks, and good password hygiene. This can curb risky practices, such as duplicating credentials across different systems, and the use of weak passwords.
From a technical standpoint, multifactor authentication on corporate systems with external-facing attack vectors is a good start. Its combination with a password policy that blocks users from using leaked passwords, and passwords related to the organization (such as the company name), is even better.
What can organizations do to ensure that passwords are not vulnerable?
Implement a password policy that allows end users to use passphrases without too many character composition rules. This will encourage users to create longer, yet memorable, passwords. From a usability perspective, the probability of re-using such passwords in external systems is lower as those systems allow users to use shorter passwords.
Enforcing a stringent password policy, while users are using leaked passwords, will render those passwords weak. With over a billion leaked passwords online, the most important step organizations need to take regarding password security is implementing a compromised password deny list. The password deny list should be comprehensive and continuously updated to ensure that you are truly blocking users from using compromised passwords.
Specops Password Policy prevents the creation of weak passwords through a robust feature set that includes blocking the use of leetspeak, keyboard strokes, dictionary words, and over 2 billion leaked passwords.
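To make the password-policy ideas above concrete (a length-based rule that lets passphrases through without composition requirements, blocking of organization-related terms, leetspeak normalization, keyboard-walk and dictionary-word detection, and a hashed compromised-password deny list), here is an added Python example. It is illustrative code written for this post, not Specops Password Policy or any Specops code; the deny list, organization terms and dictionary are small constructed samples, and the rule names and thresholds are assumptions.

```python
import hashlib
import re

# Constructed sample of a compromised-password deny list, stored as SHA-1 hex
# digests as breach corpora commonly are. A production list (the post cites
# "over 2 billion leaked passwords") is far larger and refreshed continuously.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "Summer2020!", "letmein", "qwerty123")
}

# Hypothetical organization-related terms; a real policy derives these from
# the company name, brands, product names and similar.
ORG_TERMS = ("acme", "specops")

# Tiny constructed dictionary; a real policy uses full word lists.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "summer"}

# Keyboard rows used for keyboard-walk detection (checked forward and reverse).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common leetspeak substitutions mapped back to the letters they replace.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and undo leetspeak so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET)


def has_keyboard_walk(password: str, length: int = 4) -> bool:
    """True if the password contains `length` adjacent keys from one row."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in lowered:
                    return True
    return False


def is_dictionary_word(password: str) -> bool:
    """True if the password is a dictionary word once trailing digits and
    symbols are stripped and leetspeak is undone (e.g. 'P@ssw0rd123')."""
    stem = re.sub(r"[\d\W_]+$", "", password)
    return normalize(stem) in DICTIONARY


def is_leaked(password: str) -> bool:
    """Look the password up in the deny list by hash, never in plain text."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in LEAKED_SHA1


def check_password(password: str, min_length: int = 15) -> list:
    """Return the policy findings for `password`; an empty list means accepted.
    Length is the only composition rule, so a multi-word passphrase passes
    without being forced to contain digits or symbols."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    norm = normalize(password)
    for term in ORG_TERMS:
        if term in norm:
            findings.append(f"contains organization term '{term}'")
    if has_keyboard_walk(password):
        findings.append("contains a keyboard walk")
    if is_dictionary_word(password):
        findings.append("is a dictionary word with trivial substitutions")
    if is_leaked(password):
        findings.append("appears in the compromised password deny list")
    return findings


if __name__ == "__main__":
    # Constructed candidates: one passphrase and four weak patterns.
    for candidate in ("correct horse battery staple", "P@ssw0rd123",
                      "Summer2020!", "Specops2020Rocks!", "qwerty123456789abc"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not result else '; '.join(result)}")
```

The passphrase is the only candidate accepted; the deny-list check is done on a hash so the policy engine never has to store or compare leaked passwords in clear text, and the other rules run on a normalized form so that substitutions like "P@ssw0rd" do not evade the dictionary check.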