While many aspects of life have slowed down during the global pandemic, cybercriminals have not been dissuaded from finding opportunities to hack into vulnerable accounts. Unfortunately, while our world is dealing with many tough uncertainties, the bad actors continue to do whatever they can to take advantage of shifting online behaviors and habits. The good news is, you don’t need to be a CISO to protect your business - and yourself. It’s more important than ever for business leaders to share best password practices with their employees to strengthen their teams' online security and privacy hygiene.
More people are working from home and using their personal devices to conduct business, opening up new ways for organizations to work both remotely and efficiently. This has created an influx of new app and software downloads to help with the sudden transition of work processes. According to a recent Dashlane survey, most people think their work devices are more secure than personal ones — yet even more of them are using a personal device for work since COVID-19. This allows for more online risk, whether through bad password habits, like repeating passwords across accounts, or more complex types of online fraud.
One type of online attack that’s seen a resurgence lately is credential stuffing: hackers take login credentials stolen in previous breaches and replay them against other sites’ login pages, automated at massive scale, to get into your accounts. This works by choosing a target site and analyzing the site’s login sequence and processes. The hacker then either writes an automated script or uses configurable credential stuffing software to systematically test whether the stolen credentials successfully log in to the target site. To mask the activity, the hacker rents botnets or a list of proxy IP addresses so that the login attempts appear to come from real users on many different computers. Eventually the hacker succeeds on some sites with some credentials, takes over those accounts, and steals assets.
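The pattern described above has a defensive mirror image: a source that tries many different usernames in a short window with a low success rate looks nothing like a legitimate user mistyping their own password. The following is an added example (not code from the article or from Dashlane) of detection logic run over constructed authentication log lines; the log format, the thresholds, and the IP addresses are all assumptions made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
# Format assumed for the example: "<ISO timestamp> <client ip> <username> <SUCCESS|FAIL>"
# 203.0.113.7 replays a stolen credential list; the other two sources are ordinary users.
SAMPLE_LOG = """\
2020-04-20T09:00:01 203.0.113.7 alice FAIL
2020-04-20T09:00:02 203.0.113.7 bob FAIL
2020-04-20T09:00:02 203.0.113.7 carol FAIL
2020-04-20T09:00:03 203.0.113.7 dave SUCCESS
2020-04-20T09:00:03 203.0.113.7 erin FAIL
2020-04-20T09:00:04 203.0.113.7 frank FAIL
2020-04-20T09:00:05 203.0.113.7 grace FAIL
2020-04-20T09:00:06 203.0.113.7 heidi FAIL
2020-04-20T09:00:07 203.0.113.7 ivan FAIL
2020-04-20T09:00:08 203.0.113.7 judy FAIL
2020-04-20T09:05:00 198.51.100.2 alice FAIL
2020-04-20T09:05:30 198.51.100.2 alice SUCCESS
2020-04-20T09:10:00 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.3):
    """Flag client IPs that, within a sliding time window, attempt logins for many
    distinct usernames with a low success rate. That combination is the signature
    of a breached credential list being replayed rather than one person retrying
    their own account. Returns {ip: stats for the worst window seen}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users),
                            "attempts": len(chunk),
                            "successes": successes}
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts a flagged source actually logged into. Their password evidently
    matched a credential from an earlier breach, so it must be rotated."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged_ips})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    for ip, stats in hits.items():
        print(f"credential stuffing suspected from {ip}: {stats}")
    print("force password reset for:", accounts_to_reset(evts, hits))
```

The per-IP heuristic catches the naive case; it is exactly why, as the article notes, attackers spread attempts across rented botnets and proxies. That evasion is the reason detection alone is not enough and the real fix is unique passwords and a second factor, so that a replayed credential has nothing to match.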
Remember those “Zoom got hacked” headlines a couple weeks back? Credential stuffing was the culprit. As Zoom downloads increased significantly with people turning to video meetings for the majority of work and personal communications, it was reported that over 500K Zoom accounts were being sold on the dark web, assembled from older data breaches. Data breaches aren’t going anywhere, so companies should take responsibility and do better to protect users, but employees should also feel empowered to take online protection into their own hands.
Another security issue right now is phishing. It was recently reported that Microsoft Teams was the target of phishing emails, hitting nearly 50K inboxes. Employees should never click a link in an email that wasn’t expected. And if a phishing link is accidentally clicked, the password for that account or website should immediately be changed.
The best way to protect accounts and data from credential stuffing and online phishing attacks is to stop reusing the same passwords on multiple accounts. All accounts—but especially accounts related to work, retail, finance, and government—should be protected with strong, unique passwords.
A few best practices to ensure employees are safer online include:
- Require strong passwords -- The ideal password is at least ten characters long and contains a random—or at least uncommon—string of letters, numbers, and symbols. A long and complicated password ensures that hackers won’t have an easy time cracking into accounts. “Bring Your Own Device” (BYOD), where employees use the same device at home and at work, brings a higher chance of contracting malware or viruses, and local data could easily be exposed when that device connects to public Wi-Fi networks. Without formal policies and comprehensive cybersecurity education efforts from organizations, employees are more likely to carry bad password practices and external cybersecurity threats from their home into the office.
- Use a password manager -- Consider using a password manager, especially on BYOD devices if permissible. Password managers eliminate bad password habits at work and at home by securing and encrypting all of your passwords and stored data, automatically logging you into numerous websites and mobile apps, and automatically filling out online forms with ease.
- Enable two-factor authentication (2FA) immediately -- This extra step before accessing a system makes it highly unlikely that a hacker could gain access to your data with just a stolen login ID and password.
As the world plans for what’s ahead and we look forward to life getting back to normal, taking a few minutes to do a simple team assessment and training, then requiring employees to change passwords (on both work and personal devices) is key. Strive for the best practices - and at the very least, educate employees about the peril of password reuse. Using the same password on multiple accounts leaves businesses and their employees at a greater risk of compromising both personal and work accounts, should a data breach occur. It’s a bad habit worth breaking. Now is the time to protect your employees in all facets and make them feel supported, and that includes their online security.