According to a detailed Verizon report covering cyber-attacks from 2008 to 2022, the majority come from outside sources but are linked to internal human factors.
With ransomware reportedly up by 13 per cent in 2022, companies of all sizes need to take security seriously, starting with the most basic element of all, the password.
“A staggering 20 per cent of corporate passwords are the company name or a minor variation of it. That’s the analog security equivalent of leaving your office door unlocked at night,” writes Zoe MacDonald of international password security platform NordPass.
How weak can a password be? NordPass took a look around the world, compiling data from 30 countries in partnership with independent researchers specializing in cybersecurity incidents.
The global 2022 Gold Medal winner was “password.” Next, in order, were: 123456; 123456789; Guest; and qwerty.
In Canada, the winner was 123456, followed by password, 54321, 123456789 and guest.
It takes an attacker less than one second to crack weak passwords like these. That’s why it’s important that companies establish conventions for password creation and maintenance that make passwords hard to crack.
And according to a separate study published by NordPass, the C-suite is no better at using strong secure passwords than lower levels of management.
In other words, a company-wide password policy needs to be established: a set of rules and guidelines that controls how passwords are set and lets company administrators oversee their level of security.
“It is wise for organizations to have a password policy that requires employees to change their passwords regularly,” says Michelle Ann Joseph, digital forensic analyst at Accuracy. “The benefits of changing your password often cannot be underestimated. Your computer stores and provides access to a lot of sensitive information, even more so when connected to a network that houses the information of your clients. Keeping all of this data safe and secure must be a priority.”
Password hygiene is a term that is being heard more often as cybersecurity advisers meet with company management. It covers simple and effective ways to reduce the risk of being hacked, such as: not leaving passwords in unsecure locations, like on sticky notes on the side of computer screens; not reusing the same password for multiple accounts; not sharing passwords in emails or messaging platforms; and not continuing to use default-issued passwords.
As for password creation, there are several tips offered by NordPass and others.
Passwords should be a complex mix of upper- and lowercase letters, numbers and symbols, anywhere between 12 and 20 characters long. Each account should have a unique password that is reassessed regularly. Accounts and passwords should be cancelled immediately as staff turn over.
It’s a balancing act. Passwords should be memorable, to reduce the temptation to write them down or store them somewhere a hacker might be able to reach. Unfortunately, memorable passwords can also be insecure, while secure passwords are practically impossible to remember.
Many programs require security questions as a second line of defense to verify identity.
As NordPass explains, “The utility of security questions hinges on the assumption that you are the only person who will be able to answer the question correctly. Some security questions are better than others. A poor security question is either too difficult for the user to answer correctly or too easy for a criminal to guess.”
Birthdays, wedding anniversaries or favourite colours are not strong enough. Security questions must be unique to the users and undiscoverable, NordPass says. They suggest a favourite movie villain or a favourite work manager.
“Treat your security answers like passwords.”
In the future, program access will be “passwordless,” says NordPass, thanks to the efforts of the FIDO Alliance (Fast Identity Online Alliance), an industry association supported by technology giants like NordPass along with Amazon, Apple and Google, with the stated mission to “solve the world’s password problem.”
We may then at last enjoy authentication methods that are more user friendly than passwords without compromising cybersecurity.
John Bleasby is a Coldwater, Ont.-based freelance writer. Send comments and Inside Innovation column ideas to firstname.lastname@example.org.