Passwords are one of the most important security measures. But according to global cybersecurity company ESET, small and medium-sized enterprises will have to make a greater effort than in the past to manage and use them safely.
Why should SMEs pay so much attention to the passwords they use?
If you are a small business owner and you think your company is of no interest to cybercriminals, think again.
Small and medium-sized enterprises are a prime target for cybercriminals precisely because enterprises like yours have valuable data and more assets than consumers, while at the same time being more vulnerable than large enterprises, which have larger security budgets.
That's why you should pay close attention to the passwords that you and your employees use in your business.
According to the Verizon Data Breach Investigations Report 2017 (PDF), up to 81% of data breaches are caused by weak or stolen passwords. With more than 5 billion passwords leaked online, basic one-password protection is no longer effective.
How attackers steal passwords
1. Scammers use simple techniques to crack the passwords you use. One of them is observation: attackers steal passwords by watching potential victims as they type.
2. Cybercriminals exploit the weaknesses of "human nature" (e.g. curiosity, ignorance, etc.) and deceive their victims with social engineering. Using bait such as an electronic form or an email (a phishing attack) that appears to come from a trusted sender, attackers are able to persuade even well-trained users to reveal their passwords.
3. The most demanding attack techniques include intercepting the network traffic of devices used by employees working remotely or in a public place.
4. One of the most popular ways to crack the passwords you use is a brute-force attack. In this case, attackers try millions of password combinations in a short period of time until the correct password is found. This is why passwords should now be long enough. The more complex the password, the longer it takes cybercriminals to guess it.
5. Cybercriminals who have gained access to a company's network can use malware to search for documents containing passwords or to record keystrokes as passwords are typed, and send this information to their command-and-control (C&C) server.
How to create a good password policy
According to the international cybersecurity company ESET, if you own a small or medium-sized company, you can follow specific procedures to ensure that your company has an effective password policy:
• Your employees should be trained on how to create strong passwords (PDF).
• If you have an IT department, it should apply rules when developing and enforcing a specific password policy (PDF).
• Apply additional safeguards to increase password security.
What else can your company do to protect your passwords?
To better protect the passwords of your company employees, you can use two-factor authentication (2FA).
In this case, once two-factor authentication is set up, your employee will be asked to verify their identity with a one-time password in addition to their username and password.
In this way, you protect access to corporate systems even in cases where credentials have been leaked or stolen.
As SMS and mobile devices are often attacked by malware, modern 2FA solutions do not use SMS verification. Instead, they opt for push notifications, as they are safer and more user-friendly.
Finally, to further increase the security of the authentication process, organizations can apply multi-factor authentication (MFA) by adding biometrics, something that is user-friendly, such as using fingerprints.