Passwords are one of the most basic security measures. However, according to the global cyber security company ESET, in order for small and medium-sized businesses to be able to manage and use them safely, they will have to put in more effort than in the past.
Why should SMEs pay so much attention to the passwords they use?
If you are a small business owner and you think your company does not have anything to do with cybercriminals, think again.
Small and medium-sized enterprises are the apple of contention for cybercriminals precisely because enterprises like yours have valuable data and more assets than consumers, while at the same time being more vulnerable than large enterprises, which have larger security budgets.
That's why you should pay close attention to the passwords that you and your employees use in your business.
According to report Verizon Data Breach Investigation Report 2017 (PDF), up to 81% of breaches data caused by weak or stolen passwords. With more than 5 billion passwords leaked online, basic one-password protection is no longer effective.
How attackers steal passwords
1. Scammers use simple techniques to crack the passwords you use. One of them is monitoring. Attackers steal passwords by peeking at potential victims as they type.
2. Cyber fraudsters take advantage of the weaknesses of "human nature" (eg curiosity, ignorance, etc.) and deceive their victims with the technique of social engineerings. By decoying an online form or email (phishing attack) that appears to come from a trusted sender, attackers manage to convince even well-trained users to reveal their passwords.
3. The most demanding attack techniques include intercepting the network traffic of devices used by employees working remotely or in a public place.
4. One of the most popular ways to crack the passwords you use is a brute force attack. In this case, attackers try millions of password combinations in a short period of time until the correct password is found. This is why passwords should now be large enough. The more complex the password, the longer it takes cybercriminals to guess.
5. Cybercriminals who have gained access to a company's network can use malware to search for documents containing passwords or to detect keystrokes of passwords and send this information to their C&C server.
How to create a good password policy
According to the international cybersecurity company ESET, if you are a small and medium-sized company owner, you can follow specific procedures to ensure that your company has an effective password policy:
• Your employees should be trained on how to create strong passwords (PDF).
• If you have an IT department, then this should apply rules when developing and enforcing a specific password policy (PDF).
• Apply additional safeguards to increase password security.
What else can your company do to protect your passwords?
To better protect the passwords of your company's employees, you can use authentication two (2FA) factors.
In this case, in addition to the username and password used by your employee, when setting up two-factor authentication they will be asked to verify their identity with a one-time password.
In this way, you protect access to corporate systems even in cases where credentials have been leaked or stolen.
As SMS and mobile devices are often attacked by malware, modern 2FA solutions do not use SMS verification. Instead, they opt for push notifications, as they are safer and more user-friendly.
Finally, to further increase its security procedureauthentication, organizations can add biometrics – something the user is like using fingerprints – by implementing multi-factor authentication (MFA).
