October marks Cyber Security Month, Europe’s annual campaign dedicated to promoting cyber security among citizens and organisations and to providing up-to-date online security information through awareness raising and the sharing of good practices. In recognition, which is available for organisations and individuals. As hybrid working continues to define working practices, it is important that these messages are practised by all, to ensure best practices continue in home environments as well as in the office.
One of the simpler measures that organisations and individuals can implement is reflected in the second top tip in the infographic, which advises on password security. This is a timely tip to adopt, as 2021 has seen a sharp increase in credential stuffing attacks. Credential stuffing is a hacking technique in which malicious actors obtain stolen passwords leaked onto the dark web and use them to unlock multiple user accounts. In a recent Bitdefender report, 50% of those surveyed said they use a single password for all accounts and 32% said they use a few passwords and reuse them across multiple accounts. This behaviour increases the likelihood of being a victim of identity theft and financial fraud, which was a concern of 41% of those surveyed.
The importance of Multi-Factor Authentication (MFA) in preventing credential stuffing attacks was also recently highlighted when Microsoft announced in September 2021 that users are no longer required to have a password on their accounts. The alternative uses MFA through the Microsoft Authenticator app and/or phone/email verification codes instead. MFA adds another layer of security by requiring a user to produce two or more forms of identity verification for access. Often this will involve a randomly generated one-time password, which attackers cannot reuse elsewhere. This means that users do not need to worry about creating and remembering complex passwords as the only form of defence.
Despite this, in a report by the National Cybersecurity Alliance and CybSafe, 48% of respondents said that they had never heard of MFA. This is of concern because relying on passwords alone increases the vulnerability of user accounts, particularly if the password has been reused. As expressed in the infographic, this is particularly apt for senior or privileged accounts. Accessing these accounts would provide an attacker with unrestricted access to file systems and the operating system. A malicious actor could therefore gain access to sensitive information and system data that was intended to be accessible only to privileged users.
It is essential that employees receive training on how to create strong passwords and how to use MFA effectively, and that privileged accounts that contain sensitive information and have wide-reaching access have extra protection. The National Cyber Security Centre (NCSC) recommends that passwords are created by using three random and unusual words, with alphanumerical and special characters added in. To alleviate the challenge of reusing passwords, the first random word could begin with a few of the same letters as the account, e.g. the first word for an Amazon account could be ‘amazing’, which could be made more complex: ‘@mAZ!n9’. It is recommended that different passwords for accounts are written down on paper and stored in a safe place, and that they are used as part of Multi-Factor Authentication.