In 2020, the three most used passwords were ‘123456’, ‘123456789’ and ‘picture1’. If a password is easy for you to remember, it takes a seasoned hacker only seconds to crack it.
This is compounded by the fact that most cybercriminals now rely on sophisticated tools for hacking – according to recent studies, a computer can guess more than 100,000,000,000 passwords per second. Weak or stolen passwords are a root cause of many corporate cyberattacks that have resulted in grave financial and reputational costs to enterprises globally.
Passwords are the first line of defence for any endpoint, and once one is compromised it could expose hundreds or thousands of devices in your network to a plethora of detrimental cyber risks. One common way cybercriminals attempt such attacks is through brute force attacks, also known as credential-stuffing attacks.
These hackers attempt to compromise and bypass vulnerable servers and endpoints by trying as many passwords as possible, typically with the help of bots. These attacks often succeed because of the sheer number of systems that use default credentials or extremely common passwords.
Remote Desktop Protocol attacks are also increasingly common and are carried out in a similar fashion, with hackers attempting to crack passwords to gain remote control of internet-facing endpoints.
In a distributed work environment, many enterprises use remote desktop protocols to manage and access remote systems and devices, but fail to deploy sufficient security and data protection measures to guard against malware.
Once hackers obtain these login details, they can move laterally within the system to gain access to highly sensitive and confidential data and attack previously compromised endpoints.
Why passwords remain vulnerable
The fact remains that despite the digital advancements we’ve witnessed over the last decade, passwords are still a factor in multi-factor or two-factor authentication methods, giving malicious actors a means to hijack networks and systems.
In the new hybrid working environment accelerated by the global pandemic, employees were given mobility solutions and remote access to data and applications to minimise work disruptions. Passwords are the bedrock of user authentication, and at the heart of passwords is their ability to protect data. Employees who are working remotely are easy conduits to corporate resources, and those with weak password hygiene will further expose their companies to greater data risks.
As more data is generated everywhere – from data centres to the cloud and the edge – businesses need to reconsider the risks that come with this data deluge, such as regulation, cyber security risk and data governance, in order to regain control of their data. This means that other forms of data protection, able to protect against leading threats like ransomware, are also needed.
Traditional data protection and management strategies should evolve to include a unified and proactive approach to support a data-driven recovery. The data management strategies adopted by any business must also address any resiliency gaps and protect invaluable data assets in this ever-changing threat landscape.
Businesses can consider cultivating a strategic mindset for data management using these five key steps:
- Classifying data to understand what it is, where it is located and whether it is valuable or not
- Protecting data, immutably and at scale
- Detecting threats and enabling proactive monitoring
- Mitigating the impact of an attack by responding immediately with remediation tools
- Restoring data quickly and seamlessly, to ensure data and applications are always available to meet operational and regulatory requirements
Cultivate good password hygiene
According to recent research, in spite of any reprimands that they might have received for misuse, 75% of employees in Singapore (79% globally) would still share sensitive business information (such as corporate passwords or client details) again in the future.
It is vital for businesses to educate their employees on good password hygiene, as their behaviours and actions have far wider consequences than they might realise:
- Using robust passwords is the first step, whether for personal or professional use. It is best to have a password that mixes letters and numbers, includes one or two uppercase and lowercase characters, and adds a symbol
- Deploying a password manager and activating multi-factor or two-factor authentication where available, to reduce confusion and prevent threat actors from infecting your systems with malware
- Avoiding the same password across different accounts, because once that password is compromised it leaves the user vulnerable to multiple breaches
- Never sharing passwords with anyone – this exposes users to the risk of advanced social engineering, which is growing more rampant than ever in today’s cyber threat landscape
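As an added illustration of the composition rule above and of the guessing rate cited at the top of the article (example code written for this page, not Veritas tooling): it checks a password against the rule and the three common passwords the article names, estimates the worst-case time to exhaust a password's own character space at 100,000,000,000 guesses per second, and flags reuse across a constructed account list.

```python
import string

# Guess rate the article cites: more than 100,000,000,000 guesses per second.
GUESSES_PER_SECOND = 100_000_000_000

# Constructed denylist, seeded with the three passwords the article names as 2020's most used.
COMMON_PASSWORDS = {"123456", "123456789", "picture1"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, from the character classes present."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(size for present, size in classes if any(present(c) for c in password))


def meets_policy(password: str) -> bool:
    """The article's rule: letters and digits, upper and lower case, plus a symbol,
    and never a password from the common list."""
    if password in COMMON_PASSWORDS:
        return False
    return charset_size(password) == 26 + 26 + 10 + len(string.punctuation)


def seconds_to_exhaust(password: str) -> float:
    """Worst-case time to try every string of this length over the password's own
    character classes at the cited rate. A common password tops any wordlist, so it
    falls immediately regardless of its length."""
    if password in COMMON_PASSWORDS:
        return 0.0
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def find_reused(credentials: dict) -> dict:
    """Map each password used by more than one account to those accounts (the reuse
    the article warns against). Input is a constructed account -> password mapping."""
    by_password = {}
    for account, password in credentials.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    for pw in ("123456", "abc123", "Bl4ck-Pebble9"):  # constructed samples
        print(f"{pw!r}: policy={meets_policy(pw)}, "
              f"worst-case exhaust={seconds_to_exhaust(pw):.3g} s")
```

The exhaust time is an upper bound for a blind search; a dictionary or leaked-list attack finds weak passwords far sooner, which is why the denylist check comes first.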
The future of passwords
Even in an ideal scenario where all employees adhere to strict rules and use strong passwords, human error is still likely to prevail as hackers become bolder and more creative in social engineering and phishing, tricking employees into revealing their passwords.
Therefore, it pays to consider password-less authentication, which removes the associated risks while making sign-in more seamless for end users. Enterprises can benefit from frontier technologies such as biometric authentication to further reduce the risk of attacks from any endpoint within the organisation.
Nonetheless, even with the sheer number of technological advancements that exist today, companies must be mindful that the best way to safeguard themselves from cybersecurity threats is to always ensure that their data is both backed up and encrypted.
In the new hybrid working world, deploying multi-layered data protection strategies – good password hygiene integrated with a robust data backup strategy – will serve to ensure that your data will remain protected even as cybercriminals hunt for their next great data exploit.
Andy Ng is Vice President and Managing Director for Asia South and Pacific region at Veritas Technologies