Why security at work goes far beyond passwords
13 March 2019
With more companies suffering serious data breaches in the past few months, and more people than ever before having their identities compromised, cyber-security continues to be big news. Protecting and monitoring employee and business data is a top priority.
Security was a major theme highlighted in Okta’s latest global Businesses @ Work report, and data clearly showed that organisations are no longer just adopting the best technologies, they’re also securing them.
But given the ever-increasing number of cyber-attacks, businesses have to bolster every line of defence.
Take advantage of new technologies
Organisations are now investing heavily in companies that have security tools or security use-cases. This growth indicates that IT departments are seeking out solutions that give employees the tools they want with the control that security and IT teams need.
And thanks to new regulation such as GDPR, organisations are focusing more on training employees in security best practices and in methods to counter social-engineering attacks. Security standards must be woven through a company’s culture rather than bolted on as an add-on.
Understand threat levels
Verizon’s 2017 Data Breach Investigations Report found that 81 per cent of hacking-related breaches are caused by compromised credentials. But what else do we know about attacks against identities?
The threat landscape tells us that credentials remain a valuable prize for today’s threat actors. To better protect themselves, organisations should conduct their own security detection and monitoring, and leverage threat feeds from multiple sources.
Improve password policies
To understand how to mitigate credential-based attacks, it’s important to understand which techniques attackers are employing. Three common tactics are credential phishing, password spraying and brute-force attacks. For credential phishing to work, all it takes is a single user to click a link and enter their credentials to set a breach in motion. In a phishing attack, the attacker impersonates a trusted user, website or organisation with the goal of tricking another user into sharing their credentials. Password-spray attacks take a few common passwords (such as password123) and “spray” them across many accounts or domains, often via a cloud service, essentially playing a game of “guess and see” in the hope that one of them works. Brute-force attacks are similar to password spraying, but use a script to make a large number of guesses against a smaller set of user accounts.
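The distinction above, many accounts with one or two guesses each versus many guesses against a few accounts, is exactly what a defender can look for in authentication logs. The following is an added example, not code from the original post or from Okta: it parses a small constructed log (the log format, the thresholds and the IP addresses are all assumptions made for the illustration) and labels each source address as password spraying, brute forcing or normal based on how its failures are spread across usernames.

```python
from collections import defaultdict

# Tunable heuristics (assumed values for this illustration, not vendor defaults).
SPRAY_MIN_USERS = 5      # one source failing against this many accounts looks like spraying...
SPRAY_MAX_PER_USER = 2   # ...when it makes only a guess or two per account
BRUTE_MIN_FAILURES = 8   # one source hammering a handful of accounts looks like brute force
BRUTE_MAX_USERS = 2

# Constructed sample log: "<timestamp> <source IP> <username> <FAIL|SUCCESS>".
# 198.51.100.7 tries five different accounts once each (spray pattern);
# 203.0.113.9 tries one account nine times (brute-force pattern);
# 192.0.2.5 is a user who mistypes twice and then logs in.
SAMPLE_LOG = [
    "2019-03-13T09:00:01Z 198.51.100.7 alice FAIL",
    "2019-03-13T09:00:02Z 198.51.100.7 bob FAIL",
    "2019-03-13T09:00:03Z 198.51.100.7 carol FAIL",
    "2019-03-13T09:00:04Z 198.51.100.7 dave FAIL",
    "2019-03-13T09:00:05Z 198.51.100.7 erin FAIL",
] + [
    f"2019-03-13T09:10:{i:02d}Z 203.0.113.9 alice FAIL" for i in range(9)
] + [
    "2019-03-13T09:30:00Z 192.0.2.5 frank FAIL",
    "2019-03-13T09:30:20Z 192.0.2.5 frank FAIL",
    "2019-03-13T09:30:45Z 192.0.2.5 frank SUCCESS",
]


def parse_line(line):
    """Split one whitespace-separated log line into its four fields."""
    ts, src, user, result = line.split()
    return {"ts": ts, "src": src, "user": user, "result": result}


def summarise_failures(lines):
    """Per source IP: number of failed logins and the set of usernames they hit."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "FAIL":
            stats[ev["src"]]["failures"] += 1
            stats[ev["src"]]["users"].add(ev["user"])
    return stats


def classify_sources(lines):
    """Label each failing source as password-spray, brute-force or normal."""
    labels = {}
    for src, s in summarise_failures(lines).items():
        n_users = len(s["users"])
        failures_per_user = s["failures"] / n_users
        if n_users >= SPRAY_MIN_USERS and failures_per_user <= SPRAY_MAX_PER_USER:
            labels[src] = "password-spray"   # wide and shallow
        elif s["failures"] >= BRUTE_MIN_FAILURES and n_users <= BRUTE_MAX_USERS:
            labels[src] = "brute-force"      # narrow and deep
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
```

A spraying source stays under any per-account lockout threshold by design, so per-account counters alone will not catch it; aggregating failures by source (or by time window across the whole tenant) is what exposes the pattern. In a real deployment the thresholds would be tuned against the organisation's own baseline of failed logins.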
There are different levels of sophistication when it comes to these threats, and businesses need to take multiple steps to mitigate them.
As the hundreds of millions of passwords exposed in past breaches are available online, attackers are able to attempt to log in with these previously used and common passwords across many accounts. Despite the increasing sophistication of password-guessing algorithms, organisations can still minimise the risk by enforcing rules that stop workers from using common or breached passwords.
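The rule described above is straightforward to enforce at password-set time. The following is an added example, not code from the original post or from Okta: it rejects a candidate password if it is too short, if its normalised root is a well-known weak word (so that password123 and P@ssw0rd2019! are caught together), or if its SHA-1 hash appears in a breached-password set. The denylist, the hash set and the minimum length are constructed assumptions; in practice the hash set would be loaded from a breached-password corpus rather than built inline.

```python
import hashlib
import re

MIN_LENGTH = 12  # assumed policy value for this illustration

# Constructed, deliberately tiny list of weak roots; a real deployment would use
# a much larger list of common passwords.
COMMON_ROOTS = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}

# Constructed stand-in for a breached-password corpus, stored as SHA-1 hashes
# so the plaintexts never need to sit alongside the policy code.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("correcthorse", "Tr0ub4dor&3")
}

# Character substitutions users commonly make to dodge a naive denylist.
_LEET = str.maketrans("@$013!", "asolei")


def normalise(pw):
    """Reduce a password to the root a naive user started from.

    Lowercase it, strip leading/trailing digits and punctuation (the "123"
    and "!" people append), then undo common leetspeak substitutions.
    """
    s = pw.lower()
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)
    return s.translate(_LEET)


def check_password(pw):
    """Return the list of policy violations for pw; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too-short")
    if normalise(pw) in COMMON_ROOTS:
        problems.append("common-root")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "P@ssw0rd2019!", "correcthorse", "horse-staple-battery-42"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:25} {', '.join(verdict)}")
```

Checking the breached set by hash rather than plaintext keeps the corpus itself from being a second copy of leaked passwords on your own systems, and the normalisation step matters because a denylist that only matches exact strings is trivially defeated by appending a year.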
Implement the right multi-factor authentication
Better password hygiene is an important piece of the security puzzle, but businesses should also implement a second factor of authentication to ensure the best protection. Even though adoption of multi-factor authentication keeps growing, simply adding a second factor is not enough. Security questions and SMS provide more security than nothing at all, but they are not the best options. Instead, businesses should introduce the more secure MFA factors, such as a YubiKey or Okta Verify. Companies should also use internal, open-source and, where possible, commercial threat intelligence to properly monitor their services and update authentication policies as needed to mitigate the latest threats.
Security will and should remain one of the most important business considerations in the year ahead. By adopting simple authentication processes and making wider use of the security technology available in the market, organisations will be in a far better position to protect their data and avoid becoming the next company to be breached.
Read our whitepaper to learn how to protect your organisation with a Zero Trust strategy