Based on findings from a 2017 Data Breach Study, the average total cost of a data breach is $3.62 million. The impact of a security breach can be debilitating for small to mid-size businesses and many never recover. In addition to the business disruption and financial loss, security breaches can result in loss of customers, a tarnished reputation, legal costs and in some cases, regulatory fines.
Though organizations of all sizes are vulnerable to security breaches, small businesses tend to be the most severely affected and, because they usually lack the resources for dedicated security expertise, they are also common targets.
It would be easy to assume that most security risks come from complex new technologies, but in truth a large share of cyber attacks exploit well-known weaknesses such as poor password practices. Despite continued breaches and warnings, passwords have been and continue to be a security threat for businesses.
According to Verizon’s 2017 Data Breach Investigations Report, over 80% of hacking-related breaches involved leveraging weak or stolen passwords.
Privacy and cybersecurity expert Shaun Murphy, CEO of sndr, says: “Passwords are the only control you have to secure your data with most systems these days.”
So what can you do as a company to make it more difficult for hackers to access data via stolen credentials?
Best practices from an organizational standpoint:
1. Employee Cybersecurity Training. The average individual may not realize how relevant password security is to avoiding potential threats. That is why we encourage education as a key best practice. Your team is your first line of defense. Business owners often make the mistake of assuming everyone knows what to look for, how to create a strong password, how to avoid phishing attacks, etc. Educate your staff on the importance of password security, making sure they are not only aware of the risks but know how to avoid them. Continue to reinforce their understanding with ongoing training.
As part of your employee security training provide updated guidelines on creating strong passwords.
In 2003 former National Institute of Standards and Technology (NIST) engineer Bill Burr wrote a guide on creating secure passwords. Many of the rules regarding using upper case letters and special characters were a part of that document, as well as changing passwords regularly. In a recent interview with The Wall Street Journal, the 72-year-old Burr now says that much of what he recommended in 2003 was misguided.
Here are a few updated guidelines for developing passwords:
- Passwords are not easier to guess or hack if you’ve had them longer. It’s now recommended that you only change passwords if there is a reason to believe that a password has been compromised.
- Numbers or special characters in a password do not make a password more difficult to hack.
- New suggestions from NIST allow for passwords that are easier for users to remember. Phrases made up of four or five random words can be harder to crack than a shorter collection of odd characters. The Wall Street Journal used this example: the password "correcthorsebatterystaple" is much more difficult for a hacker to crack than "Tr0ub4dor&3."
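The reason the passphrase wins is that password strength comes from how many equally likely choices the generation process had, not from how odd the string looks. The following is an added example, not code from the article or its sources: it uses the guess-space model popularized by the XKCD "password strength" comic, which is where the "correcthorsebatterystaple" comparison originates. The component sizes in the two recipes, the guess rate, and the short word list are illustrative assumptions; a real passphrase generator would use a list of several thousand words.

```python
"""Added example: estimate password strength from the generation process, not the string."""
import math
import secrets

# Constructed mini word list for the generator below. Real lists (e.g. Diceware) have
# thousands of words; the entropy per word grows with the list size.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "river", "pencil", "garden",
    "copper", "silent", "rocket", "maple", "ladder", "orbit", "velvet", "cactus",
]

# A "recipe" lists each independent choice the creator made and how many equally likely
# options that choice had. An attacker who knows the recipe only has to search that space.
# Assumed sizes, chosen to match the comic's rough estimate for a Tr0ub4dor&3-style password.
TROUBADOR_RECIPE = [
    ("uncommon base word from a ~65k-word dictionary", 65536),
    ("capitalize the first letter or not", 2),
    ("common letter-to-digit substitutions (0 for o, 4 for a, ...)", 8),
    ("appended digit drawn from a small favourite set", 8),
    ("appended punctuation character", 16),
    ("digit before or after the punctuation", 2),
]

# Four words, each picked at random from a 2048-word list (11 bits per word).
PASSPHRASE_RECIPE = [(f"random word #{i + 1} from a 2048-word list", 2048) for i in range(4)]


def recipe_bits(recipe):
    """Entropy in bits of a password built by the given recipe (sum of log2 of each choice)."""
    return sum(math.log2(choices) for _, choices in recipe)


def uniform_bits(alphabet_size, length):
    """Entropy of `length` symbols each chosen uniformly at random from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust the guess space at a given rate (average is half of this)."""
    return 2 ** bits / guesses_per_second


def passphrase_bits(word_list_size, word_count):
    """Entropy of a passphrase of `word_count` words drawn uniformly from `word_list_size` words."""
    return uniform_bits(word_list_size, word_count)


def generate_passphrase(words, word_count=4):
    """Generate a passphrase with a CSPRNG; each word is an independent uniform draw."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    online_rate = 1000  # assumed guesses/second against a rate-limited login form
    for name, bits in [
        ("Tr0ub4dor&3-style (human recipe)", recipe_bits(TROUBADOR_RECIPE)),
        ("four random words (2048-word list)", recipe_bits(PASSPHRASE_RECIPE)),
        ("8 truly random printable ASCII chars", uniform_bits(95, 8)),
    ]:
        days = crack_time_seconds(bits, online_rate) / 86400
        print(f"{name:40s} {bits:5.1f} bits  ~{days:,.0f} days at {online_rate}/s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS),
          f"({passphrase_bits(len(SAMPLE_WORDS), 4):.0f} bits with this tiny list)")
```

The printout shows roughly 28 bits for the substitution-style password (a few days at 1,000 guesses per second) against 44 bits for the four-word passphrase (centuries at the same rate). The third row makes the other half of the point: eight characters chosen uniformly at random by a machine are stronger than either, so the weakness of "Tr0ub4dor&3" is the predictable human recipe behind it, not its length or character classes. This is the reasoning behind NIST's move away from mandatory composition rules toward long, memorable, randomly chosen passphrases and a password manager for everything else.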
2. Create additional barriers wherever possible. Requiring something in addition to gain access to data adds an additional layer of security. When possible use Two-Factor Authentication or a multi-layered approach.
3. Put Strong Password Management Practices in Place. Develop internal processes for storing and monitoring all company passwords. Know exactly who has access to which password-protected systems, and which users have administrative rights and remote access. Have offboarding procedures in place so that employees who leave your company can no longer gain access to its systems.
4. Consider a risk assessment from cybersecurity professionals. A professional assessment can help you identify where your company’s risk factors are and what steps you can take to mitigate those risks.
Experts say that the day will eventually come when passwords will be a thing of the past. Developments are underway to further secure authentication processes, but many of the alternatives are still costly and have drawbacks of their own. As much as we would like to have a reliable alternative, passwords will remain an important part of our online security for the foreseeable future.
Educating team members to understand the impact of their decisions on the security of company data can not only decrease risks, but it also serves to engage your team and make them feel invested in the priority of maintaining a secure environment. We consider ongoing security training for our employees an investment in our business and highly recommend that you make it an essential and ongoing practice for your organization as well!