Passwords are still a popular target for hackers. While small password hacks that go unnoticed, they can still have a catastrophic effect. Take for example this year’s Yahoo password leak that compromised more than 500 million accounts, and affected the likes of Dropbox, LinkedIn, KFC, the Office of Personnel Management and many more.
Though Yahoo’s two-year-old hack may seem minor, there are two challenges with consumer security awareness — or lack of security awareness — that IT professionals need to take into account. First, most consumer websites don’t require frequent password changes because the process of changing a password is often arduous, and turns consumers off, especially when past passwords are automatically disqualified.
Some sites have embraced new techniques, like using a mobile phone to sign-in, however this alters the way that most consumers are accustomed to signing in and creates more confusion and friction.
Second, and perhaps more crucial, as passwords have become adopted across services, users are reusing passwords across both consumer and business services.
It is a user’s static password, and password reuse, that are the real threats to enterprise security. Once a hacker has control of a user’s account, finding out which company they work for isn’t difficult. The link exists in social media accounts and in their email inbox.
Once an individual’s business email is identified, that enterprise is now at risk of malicious attacks, such as a spear-phishing, data breach, or DDoS attack. Thanks to content found in the user’s consumer inbox, it’s possible to craft personalized, targeted emails to fool co-workers into sharing sensitive data or information. With the increased adoption of enterprise cloud-based applications and services (think Gmail, Office 365, Salesforce, Good Drive, etc.) simply having access to business email and a reused, static password can give hackers everything they need to breach an enterprise’s defenses.
Enterprises should start embracing the following in order to protect themselves from an account takeover or data breach:
Employ multi-factor authentication for all business web services
By ensuring that every login from a new device gets approved by a second factor (i.e. phone, pin-code, email), enterprises can prevent account takeover from a reused, phished, or otherwise exposed password. Many services embrace this tactic for their own users, especially after they are made aware of a potential hack.
Include biometrics if possible
Relying on your employees to remember numerous, complex passwords can be dangerous (think of the sticky notes taped to a computer with passwords on them). However, it is far more difficult to steal, or hack, a biometric sign-on. These can vary from finger scans, heart rate monitors, or — similar to what Uber is doing right now — snapping a selfie for facial recognition.
Utilize tools already on hand
Near Field Communications (NFC) and Bluetooth Low Energy (BLE) are also being considered as password alternatives. Thanks to the latest smartphone technologies, enterprise employees can use their devices as keys to grant them access to the network, or devices, they need.
Restrict enterprise cloud services access
Many cloud services let organizations restrict access to specific IP addresses, which can be highly effective as long as it’s not too inconvenient to limit employees to a narrow range of internet access points. While this works well for fixed locations, it doesn’t work well for mobile enterprises whose users have multiple IP addresses that change often. Cloud-based networks can help establish a secure gateway to public cloud services for both fixed locations and mobile users.
Protect your users against phishing and malware sites
By using a URL filtering solution, enterprises can stop employees from accessing and sharing information on risky sites. Many organizations prevent access to unclassified sites, or new sites with an unknown reputation, as ways to decrease the likelihood of exposure. This same type of diligence can also extend to cloud-based email filters that delete dangerous content before it makes its way into users’ inboxes, typically with a high degree of accuracy.
Train your employees
No matter how many protection layers exist in an enterprise, the company is only as secure as its employees using that technology. Therefore, first and foremost, enterprises should teach their employees about the risks associated with opening up emails from suspicious sources, and train them on how to look for bad links and attachments.
Over the course of the next five years, 69 percent of IT decision makers are aiming to dispense with traditional passwords. Until then, enterprises will need to protect their organizations.
By using these tactics, or even others not listed (for example, some services use one-time passwords for every login, or even have one device registered per account), enterprises will be able to keep their data secure until there is a more secure alternative to passwords.