As we all have likely heard, many of the major tech organizations (Facebook, Apple, etc.) have had at least one data breach in recent years, and other organizations are hardly immune – the healthcare sector seems to have been especially hard hit. Obviously, these data breaches hurt organizations’ reputations and bottom lines due to the loss in confidence of their customers and the cost of detection, remediation, and restoring operations.
Recent legislation has also placed an emphasis on ensuring the privacy of the consumer. Regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have implemented strict rules for how organizations must protect Personally Identifiable Information (PII) and impose strict penalties for non-compliance. As a result, organizations need to prioritize the cybersecurity defenses that can help with prevention and detection of data breaches.
The cybersecurity threat landscape is so varied that it is difficult or impossible for an organization to identify and remediate all potential threat vectors. However, hackers often target the “low hanging fruit” and may move on to greener pastures if a particular target proves difficult to crack. Identifying and protecting against simple attack vectors can make a huge difference, and no threat vector is as simple (and potentially dangerous) as poor password security.
How Bad is Password Security?
Passwords are a pretty simple concept and can be an effective way of protecting sensitive information. Ensuring that only people who know the “secret code” have access to a given resource helps to raise the bar for attackers attempting to gain illegitimate access. Passwords can definitely be lost or stolen though, especially when they are poorly protected.
Yubico (a manufacturer of physical two-factor authentication devices) recently released a report on the state of password security that was developed in conjunction with the Ponemon Institute. Unfortunately, the state of password security is fairly bad, according to the report. Over two-thirds of respondents (69%) say that they share passwords with coworkers (potentially over an insecure medium).
Over half (51%) said that they reuse passwords over multiple accounts. This can be a serious threat to organizations’ security if a poorly-secured personal account (potentially exposed in a data breach) shares a password with a corporate account with access to sensitive data. Many organizations are transitioning to webmail (G Suite, Office 365, etc.) and allow access for remote workers, meaning that attackers can test passwords and gain access without ever setting foot on the company’s campus.
A final worrisome statistic from the report is that users will not even take basic security actions after they have been a victim of an attack. 57% of the respondents to the survey would not change their password after experiencing a phishing attack. A successful credential-stealing phishing attack hands the attacker the target’s login credentials directly. There is little or no uncertainty on the attacker’s part about whether those credentials are valid, meaning that they can be used instantly or sold for a pretty penny on the black market.
Privileged Passwords and Data Breaches
There is a huge difference between the potential impact of an attacker gaining access to the password for your bank account and for that website where you signed up for a meaningless mailing list.
Multiple levels of privilege exist for business accounts as well.
You have the traditional user accounts that have the privileges to get their job done and not much more, which limits the amount of damage that they can do if compromised. And then you have the privileged accounts with significant power (think system and network administrators) that can do a lot of harm in the wrong hands.
Organizations and privileged account holders need to take additional steps to protect these privileged accounts. However, this doesn’t always happen. In fact, 74% of data breaches involve malicious access to a privileged account. This isn’t too surprising since privileged accounts are the ones with the power necessary to carry out data breaches; however, it also demonstrates that many organizations aren’t taking the necessary steps to protect their most powerful accounts.
Preventing Password-Enabled Data Breaches
Data breaches have become increasingly common and are likely to persist as data becomes more and more valuable. However, organizations can take simple steps to decrease their probability. Poor password security (especially of privileged accounts) is an important contributor to many data breaches.
The first step in preventing attackers from compromising these accounts is to implement basic cybersecurity hygiene. Organizations should implement (and enforce) a strong password policy and give employees the tools that they need to properly protect their accounts (e.g. password managers and a multi-factor authentication system). Companies should also follow the principle of least privilege: giving any given employee only the permissions that they need to do their job. The average employee shouldn’t have Administrator or root access to anything, not even their own workstations.
The second step is accepting the fact that accounts will be compromised and knowing how to deal with this eventuality. A core part of any cybersecurity strategy is deploying technology to monitor and detect anomalies in usage of all (but especially privileged) accounts. A compromised account is unlikely to continue performing “business as usual” and detecting this may mean the difference between a breach and shutting down the attack with no damage done.
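As an added illustration of the kind of monitoring described above (example code written for this page, not from the original post or any product), the following script learns a per-account baseline of source IPs and login hours from known-good events and then flags successful logins that deviate from it, rating alerts on privileged accounts higher. The log format, the account names and the set of privileged accounts are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample auth events in an assumed "ts user=.. ip=.. result=.." format; not real data.
BASELINE_LOGS = """
2024-03-04T09:02:11 user=alice ip=10.0.0.21 result=success
2024-03-04T09:15:40 user=admin_jane ip=10.0.0.8 result=success
2024-03-05T08:58:03 user=alice ip=10.0.0.21 result=success
2024-03-06T11:12:19 user=admin_jane ip=10.0.0.8 result=success
""".strip().splitlines()
NEW_LOGS = """
2024-03-07T09:10:02 user=alice ip=10.0.0.21 result=success
2024-03-07T03:41:55 user=admin_jane ip=198.51.100.77 result=failure
2024-03-07T03:42:09 user=admin_jane ip=198.51.100.77 result=failure
2024-03-07T03:42:30 user=admin_jane ip=198.51.100.77 result=success
2024-03-07T14:05:12 user=alice ip=203.0.113.9 result=success
""".strip().splitlines()
PRIVILEGED = {"admin_jane", "root"}  # assumed set of privileged accounts
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(\S+)$")

def parse(line):
    """Parse one event into login hour, account, source IP and success flag."""
    m = LINE_RE.match(line)
    if not m: return None
    ts, user, ip, result = m.groups()
    return {"hour": int(ts[11:13]), "user": user, "ip": ip, "ok": result == "success"}

def build_baseline(lines):
    """Per account: source IPs and login hours seen during known-good activity."""
    base = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in filter(None, map(parse, lines)):
        if ev["ok"]:
            base[ev["user"]]["ips"].add(ev["ip"])
            base[ev["user"]]["hours"].add(ev["hour"])
    return base

def detect_anomalies(baseline, lines, privileged, fail_threshold=2):
    """Return (account, reason, severity) for successful logins that deviate from baseline."""
    alerts, failures = [], defaultdict(int)
    for ev in filter(None, map(parse, lines)):
        user, ip, key = ev["user"], ev["ip"], (ev["user"], ev["ip"])
        sev = "high" if user in privileged else "medium"  # privileged accounts escalate
        if not ev["ok"]:
            failures[key] += 1  # remember failures preceding a success from this source
            continue
        prof = baseline.get(user)
        if prof is None or ip not in prof["ips"]:
            alerts.append((user, "success from unseen source " + ip, sev))
        if prof and not (min(prof["hours"]) <= ev["hour"] <= max(prof["hours"])):
            alerts.append((user, "success outside usual hours", sev))
        if failures[key] >= fail_threshold:
            alerts.append((user, "success after %d failures from %s" % (failures[key], ip), sev))
    return alerts
```

Running `detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS, PRIVILEGED)` leaves alice’s routine 09:10 login silent but raises three high-severity alerts for the privileged account and two medium ones for alice’s afternoon login from a new address.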