Credential theft has gone from a few guessed or stolen passwords here and there to a major criminal enterprise. Password-stealing malware is used to harvest large databases of login credentials, and credential stuffing tools then replay those stolen username/password pairs against company networks and cloud services, at scale and automatically, until one of them works.
In its 2020 Data Breach Investigations Report, Verizon reported two findings that show credential theft is only getting worse:
- The #2 most used attack method in data breaches is credential theft
- The #1 type of malware used in data breaches has become password dumpers
Surpassing even ransomware as the most common malware in data breaches, password dumpers are typically introduced via phishing emails. Once inside a system, they seek out any stored credentials they can find (browser password stores, cached logins, password databases) and "dump" the stolen information back to the attacker. Why has password theft become so prevalent? Because it is a tactic that often gets a cybercriminal past normal IT security safeguards. A login with a legitimate user's password looks like that user, not like an attack: there is no exploit or malware for a firewall or antivirus to catch, so in many cases the attacker can reach all types of system information and resources without being detected. The page's cited figure for the average cost of a data breach to a Singapore business is S$1.7M.
Credential theft is one of the biggest problems that Singapore small businesses face, but if you take the right steps to protect your business account logins, you can greatly reduce the risk of a stolen or guessed password turning into a breach.
Focus on Users & Systems to Stop Account Password Breaches
You want to take a two-pronged approach to safeguarding the login credentials your employees use: improve user password habits, and put automated controls in place that can detect and stop credential stuffing attacks regardless of what users do. We'll go through several tactics below that cover both users and systems.
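The automated side of that approach starts with being able to see a credential stuffing attack in your own login logs. The signature is distinctive: one source address trying many different usernames in a short time, mostly failing, with the occasional success where a reused password happened to be valid. The following detector is an added example written for this article, not code from Managed IT Asia or from any product; it assumes a constructed, simplified log format (timestamp, source IP, username, outcome, one attempt per line), and the window and threshold values are illustrative assumptions to be tuned to your own traffic. It reports the offending IP and, more importantly, the accounts that did log in successfully from it, since those are the credentials that need resetting.

```python
"""Credential-stuffing detector over authentication logs (added example).

Assumptions (mine, not the article's): one login attempt per line in the
constructed format
    <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>
and the WINDOW / threshold constants below. Tune them to your own traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays many distinct accounts with
# stolen credentials (one of them, erin's, still works); 198.51.100.9 is a
# normal user who mistypes once and then signs in.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:02Z 203.0.113.7 bob FAIL
2024-03-01T09:00:02Z 203.0.113.7 carol FAIL
2024-03-01T09:00:03Z 203.0.113.7 dave FAIL
2024-03-01T09:00:03Z 203.0.113.7 erin SUCCESS
2024-03-01T09:00:04Z 203.0.113.7 frank FAIL
2024-03-01T09:00:05Z 198.51.100.9 grace FAIL
2024-03-01T09:00:20Z 198.51.100.9 grace SUCCESS
2024-03-01T09:30:00Z 203.0.113.7 heidi FAIL
"""

WINDOW = timedelta(minutes=10)  # sliding window per source IP (assumed value)
MIN_DISTINCT_USERS = 5          # distinct accounts tried from one IP in WINDOW
MIN_FAILURES = 4                # failed attempts from that IP in WINDOW


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, outcome == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=WINDOW,
                    min_users=MIN_DISTINCT_USERS, min_failures=MIN_FAILURES):
    """Flag source IPs that try many distinct accounts inside one window.

    Returns {ip: {"first_seen", "distinct_users", "failures", "compromised"}}
    where "compromised" is the set of accounts that logged in successfully
    from a flagged IP while the attack was in progress.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, (now, _, _, _) in enumerate(evs):
            # Advance the window start so that evs[start:end+1] spans <= window.
            while evs[start][0] < now - window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if len(users) < min_users or failures < min_failures:
                continue
            alert = alerts.setdefault(ip, {
                "first_seen": now, "distinct_users": 0,
                "failures": 0, "compromised": set(),
            })
            alert["distinct_users"] = max(alert["distinct_users"], len(users))
            alert["failures"] = max(alert["failures"], failures)
            alert["compromised"] |= {e[2] for e in span if e[3]}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['failures']} failures, first seen {info['first_seen']:%H:%M:%S}; "
              f"reset these accounts: {sorted(info['compromised'])}")
```

On the sample data the detector flags 203.0.113.7 at 09:00:03 (five accounts, four failures) and names erin as the account to reset; grace's single typo and the lone 09:30 attempt fall below the thresholds. In production the same logic belongs in a SIEM rule or your identity provider's risk policy, feeding an automatic block or a step-up MFA challenge rather than a printout.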
Enforce Good Password Habits
Poor password habits make it easy for hackers to gain access to your company accounts. In a user behavior survey, 39% of users said they reuse passwords across work accounts and 51% said they share passwords with colleagues. Say a user has reused the password from an online shopping site as their login to the company's cloud services. If that shopping site suffers a data breach and its passwords are stolen, the attacker now holds a working key to your business systems, and credential stuffing tools will find it. You want to enforce good password habits, including:
- Not reusing passwords
- Using passwords that are at least 10 characters in length
- Making passwords a combination of letters, numbers, and symbols
- Not sharing passwords
Use a Password Management Application
Why do people fall into bad password habits? Because they have far too many passwords to remember on a daily basis. Between personal and work logins, a person can't possibly remember unique, strong passwords for all those accounts. A business account for a password management application solves both problems: users no longer have to remember dozens of passwords, so they no longer fall back on weak or reused ones. Password managers suggest strong passwords for new logins and keep them all stored securely in an encrypted vault, and users only have to remember one single strong master password to access all the others. That master password becomes the one credential worth stealing, so it must be long and used nowhere else, and the vault account itself should be protected with MFA.
Use Multi-Factor Authentication (MFA)
Multi-factor authentication (two-factor authentication is the most common form) is one of your best safeguards against credential hacking. Even if a hacker has a stolen login, they can't get into the account without also passing the MFA prompt. MFA requires a second proof of identity beyond the password, typically a one-time code from an authenticator app on the user's phone, a push approval, or a hardware security key; a code sent by SMS also works, but it is the weakest option because phone numbers can be hijacked. How effective is MFA? According to Microsoft, enabling MFA blocks over 99.9% of automated attacks on accounts.
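To make the "code from an authenticator app" concrete, the following is an added example (not code from the article or from any vendor) of how those codes are produced and checked. Authenticator apps implement TOTP (RFC 6238): the phone and the server share a secret, and the code is an HMAC of the current 30-second time step, truncated to six digits, so the server can recompute it without anything being sent to the device. The shared key here is the constructed RFC 6238 test secret, and the window and replay handling in `verify_totp` are my design choices for a server-side check; a stolen password alone cannot produce a valid code because the secret never leaves the two endpoints.

```python
"""TOTP (RFC 6238) code generation and server-side verification (added example).

Assumptions: HMAC-SHA1, 30-second time step and 6-digit codes (the defaults
used by common authenticator apps), and the RFC 6238 reference secret
b"12345678901234567890" as the constructed shared key.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step
DIGITS = 6   # code length shown to the user

# Constructed shared secret (RFC 6238 test vector key). In practice each user
# gets a random secret, shown once as a base32 string / QR code at enrolment.
SECRET = b"12345678901234567890"
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text):
    """Decode the base32 form that otpauth:// enrolment URIs carry."""
    padded = text.strip().upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """Code the authenticator app displays at Unix time `at` (default: now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=STEP, skew=1, last_counter=None):
    """Server-side check. Returns the accepted time-step counter, or None.

    - Accepts codes within +/- `skew` steps to tolerate clock drift.
    - Refuses any counter <= `last_counter` so a code that was already used
      (for example one phished seconds ago) cannot be replayed.
    - Uses a constant-time comparison so timing does not leak digits.
    """
    counter = at // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print(f"current code: {code}, accepted at step {verify_totp(SECRET, code, now)}")
```

The two functions are the whole protocol: the app runs `totp`, the server runs `verify_totp` and stores the returned counter as `last_counter` for that user so the same code is never accepted twice. The RFC's published vectors (time 59 gives 287082 with six digits, 94287082 with eight) make it easy to confirm an implementation before trusting it with real logins.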
Consider a Cloud Access Security Broker (CASB)
Most credential hacks are happening in cloud accounts because that's where most businesses have moved their data. The cloud is now used widely for all types of business processes, and a single login is often the only thing protecting thousands of files. CASB software, like Microsoft Cloud App Security (since renamed Microsoft Defender for Cloud Apps), lets you control the security of several different third-party cloud applications from one place. It can apply standard compliance and security policies across cloud apps and gives you visibility into who is logging in, from where, so you can stop fraudulent sign-ins. For example, you could set up a policy that asks a challenge question when someone logs in from an unknown IP address, and automatically blocks the login if the answer is wrong. CASBs also give you reporting that shows how your business cloud apps are being used and whether they are experiencing account hacking attempts, such as a burst of failed logins across many accounts from the same source.
Schedule a Free IT Security Consult with Managed IT Asia
How secure are your account logins? Are your users adopting bad password habits that leave your data at risk? Get a free IT security consult to keep your business protected! Contact us today to schedule your free consultation. Call +65 6748 8776 or reach us online.
At Managed IT Asia, we are an IT support, IT solutioning and managed IT service provider specializing in serving small businesses across Asia. Call us at +65 6748 8776 and let us manage your small business IT today!