Cybersecurity: Essential Tactics for Defence

How is your business protecting the credentials for your applications?

Credentials are often stolen through fake login portals or compromised databases on popular websites. Attackers target retail sites, business communication platforms, and insurance portals, all of which are rich in personal information.

So, how do these breaches affect your business?

Studies suggest that most people reuse the same password across multiple platforms. This practice enables attackers to employ a method called “Credential Stuffing,” where they use captured credentials to gain access to other common platforms such as banking, business email, and remote access gateways.

 

Essential Tactics for Defence

1. Minimise Password Re-use

An effective way to minimise password re-use is to use a password manager. A password manager allows you to randomly generate strong, complex passwords that are unique for every platform. The manager then auto-fills your credentials for you, so you don’t need to remember which complex password was used on each site or application. Browser plugins and mobile apps are available to make this a seamless experience. Additionally, password managers enable you to securely share company passwords with employees, with an audit log feature that allows you to reset the credentials as employees exit the business.

2. Use Multi-factor Authentication

Multi-factor authentication (MFA) is an excellent way to slow down attackers. It combines something you know (username and password) with something you have (a mobile phone). This requires you to enter a code or accept a push notification on your phone in addition to your password to log in. MFA should be used on every platform that supports it, especially those that contain sensitive information.

3. Phishing Tests & User Awareness Training

Phishing emails are becoming more sophisticated, making it increasingly difficult to distinguish them from legitimate emails. It’s crucial to train your employees on what to look for. Regularly conducting cyber awareness training, followed by simulated phishing campaigns, is recommended to test your employees and ensure they can identify and avoid malicious emails, links, and forms. This is increasingly becoming mandatory for cyber insurance compliance.

4. Dark Web Monitoring

Data breaches often result in sensitive information being leaked and sold on the dark web. Attackers use automated bots to exploit this leaked data to infiltrate as many systems as possible. In the past year, there have been significant data breaches affecting major platforms like Medibank, Optus, Latitude, and Canva. The larger the platform, the bigger the target. 

By automatically scraping the dark web for any credentials related to your business domain name, you can receive notifications when they are found. This enables you to change your credentials promptly and ensure they are not being reused across other platforms.

In Summary

Cybersecurity threats are ever-evolving and can be challenging to stay ahead of, but employing some basic principles greatly reduces the attack surface of your business. By minimising password reuse, using multi-factor authentication, conducting phishing tests and user awareness training, and monitoring the dark web, you can significantly enhance your business’s defences against cyber threats.

Enquire today to see how Trustpoint Technology can help you implement these tactics in your business.