Part 2: the password hack. In this four-part series we take a closer look at protecting your IT environment and your valuable business data, and at helping your users recognize and defend against cyber threats.
In last month's first part you can read the background on the different cyber threats. In this second part we look at the risks of insecure passwords and at the tools that help you use passwords and cloud services securely.
Unlike the phishing method, in this case the attackers already hold an employee's login details. This is possible, for example, because the same login details were also used for another service; trying stolen credentials against other services is known as credential stuffing.
Example: the employee chose the same password for access to the company network as for cloud service X. Cloud service X was hacked in the past and all its passwords were stolen (often as poorly protected password hashes that attackers later crack). Adobe, LinkedIn, Yahoo and eBay are a few examples of cloud companies from which very large numbers of passwords have been stolen. Such a list of stolen passwords is used by malicious parties, who then try to get into other cloud services or company networks with those same passwords.
Why is such a password hack often so successful? Because people have trouble remembering tens or sometimes hundreds of unique passwords and therefore reuse the same one across applications and cloud services. Attackers make good use of that.
3 tips: what you can do about it
First of all, convince employees that it is crucial to choose a unique (and complex) password for each cloud service or application. Uniqueness stops a password stolen from one service from opening another; complexity matters because, apart from trying stolen account details, attackers also run automated login attempts with lists of common, simple passwords.
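An added example (not code from the original article) of the check a practitioner would pair with this tip: rejecting any new password that already appears in a list of breached passwords, using the same prefix-based ("k-anonymity") lookup that services such as Have I Been Pwned's Pwned Passwords offer, so that only the first five characters of the hash ever leave the client. The breach corpus here is a constructed stand-in of a few weak passwords, and the range index and function names are this example's own.

```python
import hashlib

# Constructed sample corpus for this example: a few typical weak passwords used
# as a stand-in for a real breach list. A real check would query a service such
# as Pwned Passwords, which publishes SHA-1 hashes grouped by their first five
# hex characters; the structure below mimics that so the lookup logic is the same.
CONSTRUCTED_BREACHED_PASSWORDS = ["123456", "password", "qwerty", "welkom01", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format used by breached-password range files."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Group hashes by their 5-character prefix, the way a range service does."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)


def range_lookup(prefix: str):
    """Stand-in for the network call: returns every known suffix for a prefix.
    Only the 5-character prefix is sent, so the service never learns the
    password or even its full hash."""
    return RANGE_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """True if the password's hash is in the breach corpus; matching is done locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def password_is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy check for a new password: long enough and not already breached."""
    if len(password) < min_length:
        return False
    return not is_breached(password)


if __name__ == "__main__":
    for candidate in ["welkom01", "correct horse battery staple"]:
        verdict = "ok" if password_is_acceptable(candidate) else "REJECT"
        print(f"{candidate!r}: {verdict}")
```

Run this check when a user sets or changes a password (and, if you can, periodically against existing accounts), and treat a hit as a hard reject rather than a warning: a password that is already in a breach list will be among the first an automated attack tries.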
“Yes, but how do I remember them?” The answer is to keep them in a good password manager: a kind of safe where all your unique passwords are stored. You get access to this safe with one master password that you have to remember. The rest is in the safe, so you don't have to remember it. And yes, that one password is indeed important: it should be long and complex and never shared with others.
In addition, implementing multi-layered security for your corporate network and cloud services is essential. This is called multi-factor or two-factor authentication (MFA or 2FA). Once it is in place, knowing a username and password is no longer enough: you also need a code that is required when logging in and that appears on your phone. So you not only have to know something (username and password) but also have something (the phone with the ever-changing code). This raises a huge barrier to these attacks: a password that has become public through a hacked cloud service does not immediately become a corporate security problem once MFA is in place, provided MFA is enforced on every login path so that no legacy protocol lets a password alone through.
And of course you also turn on 2FA for the password manager I mentioned above 😊.
How do we help you?
We implement the password manager for your organization so that users can securely store their passwords in it. The nice thing about this solution is that, in addition to the company vault, employees also get a personal vault in which they can store their unique private passwords for, say, Ziggo, Netflix and Coolblue. If they leave the organization, the company passwords stay behind and they take their private vault with them (and can continue to use it afterwards).
In addition, we implement and manage the MFA solution for you. As mentioned, it can work with a code on the phone, but push notifications and fingerprint recognition are also possible. In this way, for a small fixed amount per month, you set a solid threshold for malicious parties.