Try for free
    03.03.2017

    More on passwords: don’t make the same mistakes and find out alternatives

    Account hack is still a popular target among cyber criminals and key risk factor is a weak password. Actually, one account hack may have catastrophic consequences for the whole company.

    There are two main problems with cyber security awareness which CEOs and information security specialists should take into account. First, most web services with registration don’t require frequent password change. This process is often complex and fosters resentment among users especially if current passwords have been reset automatically.

    Some websites switched to new technologies which imply smartphone use to login. But it changes completely the way users are accustomed to.

    Second, and even more critical, users continue to reuse passwords both in personal mail accounts, social networks, game websites and in services connected with work issues.

    Never changing password as well as its reuse for different services poses a real threat for company’s security. As soon as cyber criminal gets an access to user’s account, it is not so complicated to learn which company he works for. Often it can be clear from email correspondence. Moreover, many users specify their workplace on social networks.

    If the same password is used for personal email account as well as for work email, a cyber criminal can access them both easily. Thus the company where a victim of a hack works is threatened by malicious attacks, phishing and data breach.

    Additionally, through the use of information found in user’s email account, cyber criminals can create personalized emails. Such emails can force victim’s co-workers to share confidential corporate information fraudulently. And as the use of cloud applications grows, an access to work email and the same password allow hackers to interfere in a company’s security perimeter.

    To prevent situations described above, companies should take following specific measures:

    Multi-factor authentication and complex non-repeating passwords

    All staff members must clearly know they should have multiple passwords for different messengers, social networks, emails and other services used at home and at work. Moreover, two-factor authentication should be used where it is possible.

    Use additional tools

    USB-key

    Personalized USB-keys can be used as an alternative to passwords. USB-stick could be the clue to limit access to computers: insert it into PC and workstation will be available for employee. Other times computer will be locked for unauthorized users. Some browsers maintain work with USB-keys so all login details can be stored on the key. It means you don’t need to enter manually passwords for authentication. But there are drawbacks as well: USB-key can be lost or stolen.

    NFC

    Near Field Communication or NFC can also be used as an alternative to passwords. Thanks to the latest smartphones technologies, staff members can use their devices as an access key to company network.

    Biometric data

    Technologies of access through biometric data develop rapidly. If earlier we could have been surprised by fingerprint or iris identification, today smart technologies can even scan shape of your ears, walk or recognize your face.

    Restrict an access to malicious websites using technical means

    If your explanations are of no effect, you can restrict an access to certain websites using technical means. To reduce the risk of your data being compromised, many companies restrict an access to potentially malicious websites. Email filtering can also be used to remove harmful content before it gets to staff’ mail boxes.

    Deploy DLP system

    Modern DLP systems provide full business transparency, control confidential information sent in corporate network and even identify the cases when your peers are trying to contact your employees. Moreover, DLP-systems are essential to identify malicious activity within corporate network. Also, there were some cases when spam bots on staff’ computers had been detected. It had come out after the statistical rule snapped out for sending an overloading number of email messages from employee’ computer. Neither he nor antivirus installed on his computer were aware of it. Besides, you can monitor websites your employees visit and see which information is uploaded to cloud services that pose a particular threat.

    Train your staff regularly

    No matter how well your organization protected technically, its security highly depends on information security knowledge of your staff. Thus, first and foremost, companies should train their staff and tell about risks connected with the use of the same password for different services and opening suspicious emails. In addition, it is equally important to train your staff to identify suspicious links and attachments.

     

    Important publications

    The SecureTower DLP system

    • Protection against data leaks caused by employees
    • Control of employees' work on computers
    • Identification of potentially dangerous employees (risk analysis)