Protecting your business beyond Cyber Security Awareness Month

Cyber Security Awareness Month shines a spotlight on internet security and raises user awareness of the threats that lurk online. While cyber security should always be top of mind for businesses, October is a friendly reminder to take inventory of your threats and vulnerabilities so you are prepared all year round.

We are wrapping up Cyber Security Awareness Month with a special blog post featuring our co-founder Thorbjörn Sjövold. Here are his tips on tackling today’s threats!

What are some of the top security threats organizations face today?

With organizations increasingly adopting software as a service (SaaS) to gain efficiencies, they have also inherited additional risk. The reliance on online services means that user data is no longer housed solely behind firewalls. Due to the duplication of corporate identities to external systems, the top cyber security threat facing IT departments today is that they no longer control how user data is protected, or how users authenticate to these systems.

It is a well-known fact that users re-use passwords across different systems. It is also common for applications to accept or require corporate email addresses as the username – this is the login schema for Office 365. In such scenarios, if users are also re-using their corporate password on an external system, it is a simple task for a hacker to get into the corporate network if the user’s credentials are compromised.

What are the preventative steps IT departments can take to reduce credential threats?

Unfortunately, IT security is seldom top of mind for end users who prioritize ease of use over security. Due to this, weak passwords are one of the main sources of security breaches. Users need continuous training around common attacks, and good password hygiene. This can curb risky practices, such as duplicating credentials across different systems, and the use of weak passwords.

From a technical standpoint, multifactor authentication on corporate systems with external-facing attack vectors is a good start. Its combination with a password policy that blocks users from using leaked passwords, and passwords related to the organization (such as the company name), is even better.

What can organizations do to ensure that passwords are not vulnerable?

Implement a password policy that allows end users to use passphrases without too many character composition rules. This will encourage users to create longer, yet memorable, passwords. From a usability perspective, the probability of re-using such passwords in external systems is lower as those systems allow users to use shorter passwords.

Enforcing a stringent password policy, while users are using leaked passwords, will render those passwords weak. With over a billion leaked passwords online, the most important step organizations need to take regarding password security is implementing a compromised password deny list. The password deny list should be comprehensive and continuously updated to ensure that you are truly blocking users from using compromised passwords.
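As an added illustration (not code from Specops or from this post), the following Python sketch shows what a password-change check built on the advice above looks like: a passphrase-friendly minimum length with no character-composition rules, a lookup against a compromised-password deny list with leetspeak folded back to plain letters, and a block on organization-related terms. The deny list is a constructed six-entry sample standing in for a real, continuously updated breach corpus, and the organization terms and 15-character minimum are assumptions for the example. SHA-1 is used only to match candidates against such a corpus, which breach feeds are commonly distributed as; it is not a way to store passwords.

```python
import hashlib

# Constructed sample standing in for a real, continuously updated corpus of
# breached passwords (a production deployment loads millions of digests).
SAMPLE_LEAKED = ["password", "123456", "qwerty", "letmein", "summer2023", "p@ssw0rd"]

# Common leetspeak substitutions, folded back to plain letters before lookup,
# so that "P@ssw0rd" is matched as the dictionary word it was built from.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and undo leetspeak so trivial variants collapse to one form."""
    return password.lower().translate(_LEET)


def sha1_hex(text: str) -> str:
    # SHA-1 is used here only because breach corpora are usually published as
    # SHA-1 digests; it must never be used to store the passwords themselves.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_deny_list(leaked: list[str]) -> set[str]:
    """Digest both the raw and the normalized form of each leaked password."""
    return {sha1_hex(p) for p in leaked} | {sha1_hex(normalize(p)) for p in leaked}


DENY_LIST = build_deny_list(SAMPLE_LEAKED)


def is_leaked(password: str, deny_list: set[str] = DENY_LIST) -> bool:
    """True if the password, raw or normalized, is in the compromised set."""
    return sha1_hex(password) in deny_list or sha1_hex(normalize(password)) in deny_list


def org_terms_in(password: str, org_terms: list[str]) -> list[str]:
    """Return the organization-related terms embedded in the password."""
    norm = normalize(password)
    return [t for t in org_terms if normalize(t) in norm]


def evaluate_password(password: str, org_terms: list[str], min_length: int = 15) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no composition rules: the length requirement (which favours
    passphrases), the deny list and the organization-term check do the work.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_leaked(password):
        reasons.append("appears in compromised-password list")
    hits = org_terms_in(password, org_terms)
    if hits:
        reasons.append("contains organization term(s): " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    org = ["specops", "acme"]  # hypothetical organization terms for the demo
    for candidate in ["P@ssw0rd", "Sp3cops!Rocks2024", "correct horse battery staple"]:
        verdict = evaluate_password(candidate, org)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Running the block rejects "P@ssw0rd" for being short and for normalizing to a leaked password, rejects "Sp3cops!Rocks2024" despite its length because the company name survives leetspeak folding, and accepts the four-word passphrase. In a real deployment the check runs server-side at password change, and the deny list must be refreshed as new breach dumps appear, otherwise the policy silently drifts back to allowing compromised passwords.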

Specops Password Policy prevents the creation of weak passwords through a robust feature set that includes blocking the use of leetspeak, keyboard strokes, dictionary words, and over 4 billion leaked passwords.

(Last updated on October 30, 2023)


Written by

Thorbjörn Sjövold

Thorbjörn Sjövold is the Head of Research and co-founded the company in 2001. He is a visionary who is grounded in developing practical solutions that make the day-to-day activities of an IT department easier for IT pros and the end users they serve. Thorbjörn never accepts the status quo if it can be improved. When he is not working he loves kickboxing and perfecting his chili recipe.
