Majority of cyber attacks linked to compromised user names and passwords
In addition to showing that data breaches are on the rise, the most recent Notifiable Data Breaches Report from the Australian Information Commissioner showed that the majority of cyber attacks were linked to the compromise of user names and passwords.
The ways login credentials are obtained vary, but include users disclosing passwords verbally or in writing, phishing emails, scams on social media sites and scams involving infected websites.
The challenge we all face is trying to remember the ever-growing list of user names and passwords. The days of users writing passwords on sticky notes affixed to screens and visible to others should be over. However, as a way to avoid having to remember login credentials, we’ve seen some similar risky techniques.
To address the challenge, the US-based National Institute of Standards and Technology (NIST) recommends using long passphrases rather than complex passwords. Passphrases are random phrases that have personal meaning to the user. This makes them easier for users to remember, but harder for attackers to compromise. The length of a passphrase also adds difficulty, even when password-cracking software is used.
For additional security, NIST suggests adding two-factor authentication to help secure accounts. Two-factor authentication does take time, but many of us are now making the adjustment, having to provide a code received by phone or email to complete the login process.
Our work with the market shows that many organisations have made a significant investment in technology and cloud services, yet do not have an up-to-date procedure or an up-to-date user policy to support strong passwords and security.
In addition to obvious points, such as that passwords should be changed regularly, the password policy for your organisation should state that storing passwords in internet browsers is not permitted.
Have you reviewed and updated your organisation’s policies and procedures?
With the majority of attacks due to compromised login credentials, ICT security policies and procedures are an essential control.
We suggest:
- Strong password protection procedures enforced by ICT,
- An up-to-date policy for passwords and ICT security for users, and
- A tailored awareness campaign to achieve strong policy adoption.
How we can help:
To ensure you effectively manage your ICT security risk, reach out now for a confidential discussion. We can assist you in developing the relevant policies and procedures and provide a tailored awareness campaign for your team.
Please call us on 1300 264 946 or contact us online.