Threat 1: Guessed & Stolen Credentials
Whether at work or for personal purposes, it seems like every website from online stores to news outlets requires a login these days. That’s a lot of passwords for you to manage, and it’s only human to take a shortcut or two. But even when you follow every password best practice, attackers have ways around your defenses. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords. With employees holding passwords for countless applications, how can organizations possibly keep their data safe day in and day out? You need to understand the threat before you can find the solution that best fits your situation. In part one of this series we explore the threats around guessed and stolen credentials.
People Are Predictable
Humans are creatures of habit, and attackers count on it. With dictionary attacks (trying lists of common and previously breached passwords, plus the usual tweaks of capitalizing the first letter or appending a year), with brute force against short passwords, or simply by peering over someone’s shoulder, attackers “guess” passwords from their knowledge of password habits and from open source intelligence such as a pet’s name or a birthday found on social media. Weak passwords (“123456,” “111111” and “password,” to name a few) that continue to be used across multiple applications and platforms fall in seconds. To quote a prophetic 1970s Jackson 5 lyric, “abc, it’s as easy as 123.”
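To make the “predictable” point concrete, here is an added example (not ALTR’s code and not from the original post) of the check an organization can run when a user sets a new password. It normalizes the candidate the way an attacker’s dictionary rules would (lowercase, undo leetspeak, strip the trailing year or “!”) and rejects anything that collapses to a common password, and it rejects a new password that is only a character or two away from the previous one. The common-password list, the length minimum and the sample inputs are constructed for the example; a real deployment would load a large breached-password list.

```python
import re
from typing import Optional

# Constructed sample of a common-password list for this example. In production,
# load a large list (e.g. the top entries from a public breached-password corpus).
COMMON_PASSWORDS = {
    "123456", "111111", "password", "qwerty", "abc123", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "sunshine", "summer",
}

# Leetspeak substitutions people use to "strengthen" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(password: str) -> set:
    """Every form of the password an attacker's dictionary rules would try:
    the lowercased value, the value with a trailing run of digits/punctuation
    removed ("Password2024!" -> "password"), and each of those with leetspeak
    undone ("p@ssw0rd" -> "password")."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)
    forms = {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 1 means one character was changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new: str, old: Optional[str] = None, min_length: int = 12) -> list:
    """Return the reasons a candidate password is rejected; [] means accepted."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidate_forms(new) & COMMON_PASSWORDS:
        reasons.append("matches a common password (after stripping digits/leetspeak)")
    if old is not None:
        # "Summer2023!" -> "Summer2024!" shares a root and is one edit away
        same_root = bool(candidate_forms(new) & candidate_forms(old))
        if same_root or levenshtein(new.lower(), old.lower()) <= 2:
            reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    for new, old in [("P@ssw0rd2024!", None),
                     ("Autumn-Leaves-2024", "Autumn-Leaves-2023"),
                     ("correct horse battery staple", None)]:
        print(repr(new), "->", check_password(new, old) or "accepted")
```

The normalization is the important part: a policy that only checks the raw string accepts “P@ssw0rd2024!” as a strong-looking password, while a cracking rig tries exactly that mangling of “password” in its first few rules.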
Lack of Diversity
Passwords are like stocks; you should never put all of your faith in just one. No matter how strong and reliable a password seems, it only takes one high-profile data breach (Target, Capital One, Equifax, etc.) to land a clever arrangement of numbers, letters and punctuation marks in the breach corpora that attackers trade and combine. In a survey of 1,000 individuals in the US, more than half used the same password for multiple online logins. When employees use the same password for everything, including your website or app, it’s like they’re handing cybercriminals a key to your front door.
Keeping Compromised Passwords in Circulation
Even when someone gets that dreaded notification that one of their (hopefully many) passwords has been compromised, they’ll often “wait it out” or change a single character instead of coming up with something completely different. Cybersecurity expert Troy Hunt, who runs Have I Been Pwned, notes that once a password or passphrase is exposed by a data breach it is no longer secure; his Pwned Passwords service publishes the hashes of hundreds of millions of breached passwords precisely so that sites can reject them at the point of entry. Attackers hoard the information exposed in these breaches and engage in credential stuffing: automated tooling replays the leaked username and password pairs against unrelated sites, and every reused password is a hit. It’s only a matter of time before they discover your employee couldn’t be bothered to significantly change their credentials.
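As an added example (not from the original post and not ALTR’s code), here is the detection side of credential stuffing. The signature is one source address failing logins across many different usernames in a short window, which looks different from one account being hammered with many guesses (ordinary brute force); the two deserve different responses, so the code classifies both. The log format, timestamps and addresses are constructed for the example; adapt the regular expression to whatever your identity provider actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The format is a
# stand-in for whatever your IdP or SSO gateway emits; adapt LINE_RE to yours.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth: result=FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03Z auth: result=FAIL user=bob src=203.0.113.7
2024-03-01T09:00:05Z auth: result=FAIL user=carol src=203.0.113.7
2024-03-01T09:00:07Z auth: result=FAIL user=dave src=203.0.113.7
2024-03-01T09:00:09Z auth: result=FAIL user=erin src=203.0.113.7
2024-03-01T09:00:11Z auth: result=OK user=frank src=203.0.113.7
2024-03-01T09:00:13Z auth: result=FAIL user=grace src=203.0.113.7
2024-03-01T09:05:00Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:05:02Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:05:04Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:05:06Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:05:08Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:05:10Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:05:12Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:05:14Z auth: result=FAIL user=alice src=198.51.100.4
2024-03-01T09:10:00Z auth: result=OK user=bob src=192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: result=(?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Parse matching lines into events sorted by time; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "result": m["result"], "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def classify_sources(lines, window=timedelta(minutes=10), min_users=5, min_attempts=8):
    """Per source address, find the busiest `window` of failed logins and label
    the source as credential stuffing (many distinct accounts) or brute force
    (many attempts on few accounts). Successful logins from a flagged source
    are the accounts to force-reset."""
    by_src = defaultdict(list)
    for e in parse(lines):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        max_users, max_fails, start = 0, 0, 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            max_users = max(max_users, len({e["user"] for e in span}))
            max_fails = max(max_fails, len(span))
        if max_users >= min_users:
            kind = "credential_stuffing"         # one source, many accounts
        elif max_fails >= min_attempts:
            kind = "brute_force"                 # one account hammered
        else:
            continue
        findings[src] = {
            "kind": kind,
            "distinct_failed_users": max_users,
            "failures_in_window": max_fails,
            "successful_logins": sorted({e["user"] for e in evs if e["result"] == "OK"}),
        }
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(src, f)
```

In the sample, 203.0.113.7 fails six different accounts in twelve seconds and then logs in as “frank”, which is the stuffing hit that should trigger a reset of that account; 198.51.100.4 only ever guesses at “alice”, and the normal login from 192.0.2.10 is not reported. Thresholds are constructed for the example and should be tuned to your own failure baseline, since a shared NAT address will legitimately show several users.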
Plenty of Phish in the Sea
Cybercriminals are also adept at manipulating credentialed users into giving away passwords through phishing and spear-phishing campaigns. Take the “rescheduled meeting” scam popping up in thousands of corporate inboxes earlier this year, where employees were duped into providing hackers with their usernames and passwords. One study shows that even after implementing security awareness and phishing identification training programs in a workplace, users click on phishing emails almost 25% of the time. Encouraging your employees to keep a close eye on their inboxes could stop you from becoming some hacker’s greatest catch.
Solution: Think Outside of the Login Box
So how should organizations keep a cybercriminal from reaching sensitive data through employees’ passwords? Good password hygiene and a wary eye on the inbox lower the odds of a compromise, but the bottom line is that you still have to assume someone will get through. You need technology and policy in place that protect your data even after a cybercriminal holds valid credentials. ALTR’s Data Security platform lets you mask data so that an employee sees only the fewest fields they need in order to do their job, which means an attacker who gets into the application with that employee’s login sees the same minimal set. Secondly, ALTR lets you set thresholds on how much data an employee can access; when a cybercriminal or disgruntled employee tries to smash and grab all the data, they get away with only a fragment of what they were after. These measures do not stop credentials from being stolen, but they sharply limit what a stolen credential can reach.
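The two controls described above, shown as a generic added example (this is not ALTR’s product code; the table, role names, column policy and budget numbers are constructed for illustration): a policy that returns each role only the columns it needs and masks the sensitive ones, and a per-user row budget that caps how much one login can pull before it is cut off and flagged.

```python
from collections import defaultdict

# Constructed sample table; column names and values are assumptions for this example.
CUSTOMERS = [
    {"id": 1, "name": "Ada Lovelace", "email": "ada@example.com", "ssn": "123-45-6789", "balance": 1200},
    {"id": 2, "name": "Alan Turing", "email": "alan@example.com", "ssn": "987-65-4321", "balance": 850},
    {"id": 3, "name": "Grace Hopper", "email": "grace@example.com", "ssn": "555-44-3333", "balance": 4100},
]

# Per-role column policy: "plain" = return as stored, "mask" = partially redact,
# "hide" = omit the column. Support staff never need SSNs or balances, so a
# stolen support login never sees them either.
ROLE_POLICY = {
    "support": {"id": "plain", "name": "plain", "email": "mask", "ssn": "hide", "balance": "hide"},
    "finance": {"id": "plain", "name": "plain", "email": "plain", "ssn": "mask", "balance": "plain"},
}


def mask(column, value):
    """Keep just enough of a value to be useful (a***@example.com, ***-**-6789)."""
    if column == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    if column == "ssn":
        return "***-**-" + value[-4:]
    return "***"


class DataGate:
    """Applies column masking by role and a per-user row budget (the
    'threshold' control): rows beyond the budget are withheld, and the
    overrun is flagged so someone can look at who asked for that much."""

    def __init__(self, policy, row_budget):
        self.policy = policy
        self.row_budget = row_budget
        self.rows_served = defaultdict(int)     # rows already handed to each user

    def query(self, user, role, predicate=lambda row: True):
        policy = self.policy[role]
        matched = [r for r in CUSTOMERS if predicate(r)]
        remaining = max(0, self.row_budget - self.rows_served[user])
        served, over_budget = matched[:remaining], len(matched) > remaining
        self.rows_served[user] += len(served)
        rows = []
        for r in served:
            out = {}
            for col, val in r.items():
                action = policy.get(col, "hide")  # unknown columns default to hidden
                if action == "plain":
                    out[col] = val
                elif action == "mask":
                    out[col] = mask(col, val)
            rows.append(out)
        return {"rows": rows, "over_budget": over_budget}


if __name__ == "__main__":
    gate = DataGate(ROLE_POLICY, row_budget=2)
    print(gate.query("mallory", "support"))        # 2 masked rows, over_budget=True
    print(gate.query("mallory", "support"))        # budget exhausted: no rows
    print(gate.query("frank", "finance", lambda r: r["id"] == 2))
```

A “select everything” from a stolen support login gets two rows with no SSN or balance and an over-budget flag, instead of the whole table; the same idea applies whether the gate sits in the application, in a database proxy, or in the database’s own row and column policies.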
To get more insight into how to protect your data with ALTR, download our free whitepaper, How to Address the Top 5 Human Threats to Your Data.