Why a Password isn’t Enough?

Passwords shouldn’t be the only method you use to defend your accounts. After all, hackers have plenty of ways to steal them.  According to todays security experts, passwords are not enough.

Google conducted a one year study on the leading causes of account hijacking to help businesses fully understand the risks involved.

The results

From March 2016 to March 2017, Google with the help of UC Berkeley researchers examined three main ways hackers hijack accounts:

  • Keylogging software - a malicious program that records your keystrokes
  • Phishing emails - emails that lead people into dangerous websites or trick them to typing in their username and password.
  • Stolen passwords - available to the highest bidder on the Dark Web

In just one year, Google found 788,000 successful keylogging attacks, 12.4 million victims of phishing attacks, and 1.9 billion accounts exposed via login credentials sold on the black market.

One of the main reasons so many accounts are hacked is because people tend to reuse their passwords, which means if one set of login credentials is exposed, other accounts could be compromised.

Phishing is also a big threat because it targets users -- the weakest links in your companies cybersecurity. The strongest password or security system won’t mean anything if your employees constantly fall for online scams.

Protecting your accounts

There are several things you can do decrease your chance of getting your account hijacked.

For starters, you should set strong and unique passwords for each account to minimize data breaches.

While the recommendation in the past was to set a complex password -- a mix of letters, numbers, and symbols -- recent studies suggest that longer, 20-character “passphrases” are much tougher to crack. If you find it difficult to remember several passwords, consider using a password manager, which not only stores all your passwords, but can generate strong passwords, too. We like LastPass and Roboform.

To deal with phishing attacks, you should enroll your users in automated testing where they are sent phishing emails and then trained on what to look out for in the future.

You should activate multi-factor authentication on your accounts. Multifactor Authentication allows for an additional method to validate a login. Usually this requires that the user "has" another thing to be able to login, like their cellphone and a code that is only valid for 60 seconds.

You need to really watch out for the weakest link in your company, your users. They need policies (guidance), tools (anti-malware/anti-virus), education (security education), and vigilance.

Need more advice on keeping your business safe? Call us today! We provide critical security updates and comprehensive support services to help you stay well ahead of cybercriminals.  

Download the 7 Most Critical IT Security Protections Every Business Must Have in Place Now