It’s the Passwords, Stupid! How to Stop Hackers in 3 Easy Steps
This year has been a testing one for most of us, and cyber security is no exception. Some of the most memorable data breaches of 2020 hit household names such as Twitter, Zoom and Marriott, but you don’t need to be a famous brand to be a target. The rush to remote working during lockdown – often with no cyber security strategy in place – created a perfect storm of opportunity for malicious hackers, and it is no surprise that reported data breaches have almost doubled since the outbreak of Covid-19 in the spring. With the threat escalating, cyber security for businesses is more important than ever.
So, what can you do to protect your business from hackers?
According to a recent report by Positive Technologies, a company that performs penetration testing (authorised, simulated cyberattacks), the biggest problem is not that hackers are using highly sophisticated tools. It is that many organisations are failing to take basic precautions against opportunistic breaches. Its pen-testing crew found that in 71% of cases, even a novice hacker with simple skills would have been able to penetrate the internal network.
This statistic is worrying. But the good news is that you don’t need a big business budget to protect against potential hackers. These three simple steps require a minimum of effort, are inexpensive, and will help stop potential hackers in their tracks.
Cyber security for businesses – three simple fixes: passwords, patches and permissions
The first problem is passwords. Many people still use the same password in multiple places, and the passwords they reuse are simple and easy to guess. Donald Trump’s Twitter account was famously accessed in October 2020 by a Dutch security researcher who guessed his password, ‘maga2020!’, after only five attempts.
And it’s not only the President of the United States who uses easily guessable passwords. Most of us are guilty. A report by the penetration-testing company Rapid7 found that a large number of the guessable passwords it encountered contained one of the following:
- some part of the company name
- a variation of the word ‘password’, such as ‘P@55w0rd’
- the season and the year, such as ‘Summer2020’; this pattern is largely a product of company policies that require passwords to be changed every 90 days
Even when company policies require passwords to contain a mixture of uppercase and lowercase letters, a number and a special character, most users will take a dictionary word or a name, capitalise the first letter, and add a number or an exclamation mark at the end. Password-cracking tools apply exactly these ‘mangling’ rules to a dictionary, so such passwords fall in minutes.
So how can you ensure your employees pick secure passwords?
You can’t. Humans are notoriously bad at creating random passwords. The solution is to use machine-generated passwords and a password manager, which allow users to employ genuinely random passwords without having to remember them. Of course you will also need to ensure that everyone within your organisation is using them.
For proper protection, you must also use two-step verification (2FA) or multi-factor authentication (MFA).
For accounts that need a little less security, or that already have MFA enabled, you can choose three random words. That’s it. Not your children’s names or your hobbies, but three words with no connection to you, such as cloudsoupfishing or laddercalendarboxes. The NCSC, part of GCHQ, recommends this approach, and it’s a simple way to make a strong password that most of us can actually remember.
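The patterns above are easy to screen for automatically, and generating random passwords is what a password manager does under the hood. The PowerShell below is an added example, not code from this article or from Rapid7: it flags each of the listed patterns and then generates both kinds of replacement from the operating system’s cryptographic random number generator. The company name, the word list and the sample passwords are placeholders.

```powershell
# Added example (not from the article): screen passwords for the patterns the
# pen-testers keep finding, and generate replacements from a CSPRNG.
# Company name, word list and sample passwords are placeholders.

function Test-WeakPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$CompanyName = 'Intersys'     # placeholder: substitute your own
    )
    $reasons = @()
    $lower = $Password.ToLowerInvariant()

    # 1. Any part of the company name ("Intersys2021!")
    if ($CompanyName -and $lower.Contains($CompanyName.ToLowerInvariant())) {
        $reasons += 'contains company name'
    }

    # 2. A variant of "password": undo the usual leet substitutions first,
    #    so P@55w0rd, Pa$$word and passw0rd! all collapse to "password".
    $deleet = $lower -replace '[@4]', 'a' -replace '[\$5]', 's' -replace '0', 'o' -replace '[1!|]', 'i'
    if ($deleet -match 'password') { $reasons += 'variant of "password"' }

    # 3. Season + year ("Summer2020", "Winter21!"), the 90-day rotation classic
    if ($lower -match '(spring|summer|autumn|fall|winter)(20)?\d{2}') {
        $reasons += 'season and year'
    }

    # 4. Capitalised word plus a short digit/symbol suffix ("Welcome1", "Liverpool!").
    #    -cmatch is case-sensitive, so the leading capital is really checked.
    if ($Password -cmatch '^[A-Z][a-z]{3,}[0-9!@#$%^&*]{1,3}$') {
        $reasons += 'word + trailing digit/symbol'
    }

    [pscustomobject]@{
        Password = $Password
        Weak     = ($reasons.Count -gt 0)
        Reasons  = ($reasons -join '; ')
    }
}

function Get-SecureRandomIndex {
    # Unbiased index in 0..Max-1 from the OS CSPRNG (Get-Random is not
    # cryptographically secure). Rejection sampling removes the modulo bias.
    param([Parameter(Mandatory)][int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $rng.GetBytes($buf)
        $n = [System.BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    $rng.Dispose()
    return [int]($n % $Max)
}

function New-RandomPassword {
    # What a password manager generates: every character independently random.
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+'
    $chars = 1..$Length | ForEach-Object { $alphabet[(Get-SecureRandomIndex -Max $alphabet.Length)] }
    [pscustomobject]@{
        Password    = (-join $chars)
        EntropyBits = [math]::Round($Length * [math]::Log($alphabet.Length, 2), 1)
    }
}

function New-ThreeWordPassphrase {
    # The "three random words" option. Assumes a large word list (thousands of
    # entries); the default list here is only a placeholder.
    param([string[]]$WordList = @('cloud','soup','fishing','ladder','calendar','boxes','copper','violin'))
    $words = 1..3 | ForEach-Object { $WordList[(Get-SecureRandomIndex -Max $WordList.Count)] }
    [pscustomobject]@{
        Password    = (-join $words)
        EntropyBits = [math]::Round(3 * [math]::Log($WordList.Count, 2), 1)
    }
}

# Screen a few constructed samples, then show the two generators side by side
'Summer2020!', 'P@55w0rd', 'Intersys2021', 'Welcome1', 'cloudsoupfishing' |
    ForEach-Object { Test-WeakPassword -Password $_ } | Format-Table -AutoSize
New-RandomPassword -Length 20
New-ThreeWordPassphrase
```

The entropy figures make the article’s trade-off concrete: 20 characters from a 74-symbol alphabet is about 124 bits, while three words drawn from a 7,776-word list is about 39 bits (and far less from the tiny placeholder list), which is why the three-word option is reserved for lower-value accounts or ones already behind MFA. The pattern checks are deliberately crude; a real deployment would also reject anything found in a breached-password list.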
The second problem the pen-testers found was bugs in web applications for which patches existed but had not been applied. Most of these holes were rated critical and should have been patched as soon as the fix was released.
According to Rapid7, if you are trusting that your employees will ‘do the right thing and click through those nag screens for updates (instead of hitting “later” again and again, forever), your penetration testers will almost certainly be overwhelmed with … many exploitable vulnerabilities’.
Check your network infrastructure for what Rapid7 calls the ‘dark, cobwebby corners’ and ensure patches are applied promptly. And if the idea of ‘checking your network infrastructure’ leaves you drawing a blank, there is, of course, specialist help available (see our Cyber Security Services Support page).
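One way to start looking into those corners on a Windows network, as an added example that is not the article’s or Rapid7’s code: the PowerShell below asks every enabled computer account in the domain which updates it has installed, and reports the machines that are unreachable, lack a given update, or have installed nothing for a month. It assumes the RSAT ActiveDirectory module and an account allowed to query the remote machines; the KB number is a placeholder.

```powershell
# Added example (not from the article): find the "dark, cobwebby corners".
# Assumes the RSAT ActiveDirectory module and an account allowed to query
# Win32_QuickFixEngineering on the remote machines. KB5000000 is a placeholder.
Import-Module ActiveDirectory

function Get-PatchGap {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$RequiredKB,
        [int]$StaleDays = 30
    )
    foreach ($c in $ComputerName) {
        try {
            $fixes = Get-HotFix -ComputerName $c -ErrorAction Stop
        }
        catch {
            # An unreachable host is exactly the corner nobody checks: report it, don't skip it
            [pscustomobject]@{ Computer = $c; Reachable = $false; HasRequiredKB = $null; DaysSinceLastPatch = $null; Stale = $true }
            continue
        }
        $last = $fixes | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                Select-Object -First 1 -ExpandProperty InstalledOn
        $days = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
        [pscustomobject]@{
            Computer           = $c
            Reachable          = $true
            HasRequiredKB      = [bool]($fixes | Where-Object HotFixID -eq $RequiredKB)
            DaysSinceLastPatch = $days
            Stale              = (-not $last) -or ($days -gt $StaleDays)
        }
    }
}

# Every enabled computer account in the domain, then only the rows that need attention
$hosts = Get-ADComputer -Filter * | Where-Object Enabled | Select-Object -ExpandProperty Name
Get-PatchGap -ComputerName $hosts -RequiredKB 'KB5000000' |
    Where-Object { -not $_.Reachable -or -not $_.HasRequiredKB -or $_.Stale } |
    Sort-Object Reachable, DaysSinceLastPatch -Descending |
    Format-Table -AutoSize
```

Treat this as a first sweep rather than a verdict: Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, which covers Windows itself but not third-party software or the web applications the pen-testers were exploiting, so those still need a vulnerability scanner or the vendor’s own update mechanism.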
The third simple step to protect your organisation from malicious breaches is to control the level of access each employee has to the network, using a directory service to assign and enforce security policies. For Windows networks this will usually be Active Directory, which lets system administrators manage user accounts, groups and devices centrally.
A rule of thumb is to give each employee the lowest level of access they need to do their job. This means that if a junior employee’s account is breached, the intruders will not have access to the entire network (the principle of ‘least privilege’).
And does it really need saying that former employees’ accounts should be disabled the day they leave, and deleted once nothing depends on them? Well, as a matter of fact, it does. Many of us are overwhelmed with admin at work, but this is one task that is crucial to your security. Can you imagine the repercussions if a former employee or an aggrieved user could still access sensitive data, pass intellectual property to a new employer or carry out a malicious attack?
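As an added example (not the article’s own code), here is PowerShell that audits an Active Directory domain for the two things this section warns about, standing admin rights and accounts nobody has switched off, plus a function that offboards a leaver in one step. It assumes the RSAT ActiveDirectory module and an account with rights to read and modify users; the sample username is a placeholder.

```powershell
# Added example (not from the article). Assumes the RSAT ActiveDirectory module
# and an account permitted to read and modify the users concerned.
Import-Module ActiveDirectory

# 1. Who holds standing admin rights? -Recursive expands nested groups, so a user
#    tucked into "Helpdesk" inside "Domain Admins" is still listed.
#    (Enterprise Admins / Schema Admins only exist in the forest root domain.)
function Get-PrivilegedUser {
    param([string[]]$Group = @('Domain Admins', 'Administrators'))
    foreach ($g in $Group) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet |
            Select-Object @{n='Group';e={$g}}, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
    }
}

# 2. Enabled accounts that have not logged on for 90 days: leavers nobody removed,
#    forgotten service accounts, test users.
function Get-StaleUser {
    param([int]$InactiveDays = 90)
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object Enabled |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# 3. Offboard a leaver: disable, strip every group membership, leave an audit trail.
#    SupportsShouldProcess means -WhatIf on this function rehearses the whole thing
#    without touching the directory.
function Disable-Leaver {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Reason = 'leaver')
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'disable and strip group membership')) {
        Disable-ADAccount -Identity $user
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
        Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd) ($Reason)"
    }
}

Get-PrivilegedUser | Format-Table -AutoSize
Get-StaleUser      | Format-Table -AutoSize
Disable-Leaver -SamAccountName 'jbloggs' -WhatIf    # placeholder account; drop -WhatIf to apply
```

Two caveats a practitioner will want: LastLogonDate comes from the replicated lastLogonTimestamp attribute, which can lag real logons by up to about two weeks, so do not set the inactivity window much below 30 days; and stripping group memberships as well as disabling the account matters because a disabled account that is later re-enabled by mistake would otherwise come back with all its old privileges.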
Do I need a penetration test?
In most cases, probably not. Pen-testing is only worth considering once you have the basic security measures in place first. Says Intersys CEO Matthew Geyman, ‘I might be talking myself out of business here, but the truth is that, for the average computer user, most hacks can be prevented fairly simply and in very little time. On the other hand, for businesses with larger workforces and networks, it can get a little more tricky and – once you have the simple things out of the way – you will need to get in touch with an IT and cyber-security provider and consultancy.’
Intersys offers complete cyber security for businesses of all sizes, from breach response, penetration testing services and IT and cyber security audit services, to a security operations centre and managed security service. To find out which of these could work for your business, give us a call on +44 (0)20 3005 4440.