Earlier this month, businesses were hit with the news that over 1 million Yahoo and Google accounts from a historic data leak were being sold for currency on the dark web. It might come as a surprise that credentials dating back as far as 2012 are still of interest to criminals, but if employees are reusing information such as passwords and security questions across accounts, this can cause a great deal of disruption for small businesses.
For SME leaders who are already stretched across a number of disciplines, the importance of email security more often than not slips down the agenda. They are also preaching to a hostile audience: recent research from the National Institute of Standards and Technology (NIST) found that the majority of computer users experience security fatigue, which leads to risky behaviour both at work and in their personal lives. In a climate of another day, another hack, business leaders can find themselves in a catch-22 situation.
If employers are finding it difficult to engage employees in the security process, they should focus on one key message: emails and passwords are often the gateway to a user’s online presence, and so ensuring they’re secure should be a top priority. Recent research into the psychology of passwords revealed more than a third (39 per cent) of people create more secure passwords for personal accounts over work accounts. Additionally, we found that 75 per cent of respondents considered themselves informed on password best practices, yet 61 per cent admitted to using the same or similar password across accounts. Ensuring employees are armed with the knowledge to do their part in keeping the company safe from cyberattacks is a vital part of any comprehensive security solution.
Cyber criminals can attempt to access company data in a number of ways, but what action can companies take to reduce the likelihood of poor password hygiene from disengaged employees, and potentially commercially damaging consequences?
Create a formal policy around account security together with ongoing training
A recent study by BitSight found that in the last 15 months, at least one out of every 20 Fortune 1000 companies had experienced a publicly disclosed breach. And despite these breaches, Fortune 1000 companies’ security performance has recently declined overall: 52 companies made an effort to improve their security, while 103 companies experienced rating drops from October 2016 to January 2017.
SMEs should draw up a policy that encompasses all things security, including everything from password requirements to management change procedures. This policy should also consider guidelines around ‘bring your own device’ (BYOD). BYOD is fast becoming the model of choice for SMEs – while it’s convenient and effective, there is risk involved. Enforcing guidelines such as staying off public Wi-Fi when accessing emails can help keep company data safe on employee devices. If employees are expected to be at the front line of company security, it’s important they have a clear understanding of how to put this into practice. Regular catch-ups with all staff are important to keeping security at the forefront of people’s minds.
Get to grips with two-factor authentication (2FA)
Two-factor authentication is one of the most effective and simple methods to protect your email accounts beyond a strong password. In addition to entering a password, 2FA users must enter a second piece of information to gain access to their accounts, such as a one-time code sent via text or generated by an app on their mobile device, or even a fingerprint. Regardless of the form your two-factor authentication takes, it ensures that hackers cannot break into your email, even if they have your password. By adopting 2FA, user credentials are also protected from password-guessing software, eliminating the collateral damage from successful phishing attempts and adding an extra layer of protection for your employee and customer data. Increasingly, organisations are seeing the benefit of 2FA and implementing it centrally as part of wider security policies.
Ensure your employees are actively responsible for their work email
Even the largest and most profitable companies can struggle with security. As such, employees are a business’ first line of defence and they should take precautionary steps to bolster their email security whenever possible. Unfortunately, this is still a pain point for many businesses. Education on phishing awareness is also essential. Phishing remains a popular tactic for stealing sensitive information like passwords, security codes, and credit card numbers, as well as for sneaking malware onto personal devices and company systems. Many phishing attacks are simple and easy to spot, but some are much more sophisticated, so it takes a healthy dose of scepticism to identify suspicious emails, links, and notifications. Protecting against phishing takes both smarter detection by the software we use and better individual preparation.
Change passwords every quarter
Adopting the practice of regularly changing passwords will limit the amount of time cybercriminals have access to a hacked account. However, having to change passwords across all your accounts regularly can be both time-consuming and confusing. Not only does each password need a strong combination of numbers and characters, but it also has to be unique across all of your accounts. The fastest and easiest way to refresh all your passwords securely is to use a password manager that includes an auto-password change feature, allowing you to change account passwords in a single click.
Joe Siegrist is VP of LastPass.