The media is chock full of reports on a huge Yahoo password leak: 500 million compromised account passwords were hacked nearly 2 years ago. The list of hacked services includes Dropbox, LinkedIn, Experian, Anthem, the Office of Personnel Management and many more.
A 2-year-old password hack may seem minor to IT security professionals. After all, these passwords are used for consumer services, and you typically change your password from time to time. Well, not so fast. There are two challenges with consumer security awareness (or lack thereof): static passwords and password reuse. First, most services do not require a password change because the process can be a pain, especially when a user is prevented from reusing an old password. Newer techniques, like using a phone to sign in, alter the way most consumers are used to signing in, creating even more confusion and friction. Second, and even more critical, with the explosion of passwords across services, users tend to use the same password for both consumer and business services.
Static passwords and password reuse create a real threat to enterprises. Associating a user with the company they work for isn’t that difficult. This link exists in social media accounts and even in the mail inbox of a hacked service. Figuring out the email convention of most businesses is a matter of minor research or simple trial and error. Once a business email is identified, the enterprise is at risk of spear-phishing and data breach. Through correspondence found in a consumer mailbox, it is possible to craft targeted phishing emails to colleagues based on shared past experiences. And, with the increased use of cloud-based email services for business (e.g. Gmail) and the migration of mission-critical applications to the cloud (Office 365, Salesforce, Box and many more), the combination of a business email and a reused password can lead to a breach.
Protect Your Business from Data Breach driven by Hacked Passwords
Enterprises should take precautions against account takeover and data breach from compromised passwords:
Use multi-factor authentication on all business web services
This feature ensures that a login from a new device must be approved through a second factor (e.g. the employee’s phone). This prevents account takeover from a reused, phished or otherwise stolen password, because the password alone is no longer enough. Notably, hacked services tend to enable multi-factor authentication on their own service only after a hack is discovered.
Restrict access to enterprise cloud services
Many cloud services allow organizations to restrict access to specific IP addresses. This works well for fixed locations, but not for mobile users whose IP addresses change often. A cloud network solution can route all access to business cloud services, from all users and locations, through a small set of fixed egress IPs, so the restriction can then be applied to those IPs.
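The two controls above combine naturally in a single login policy: accept a login only from the organization’s known IP ranges (office ranges plus the egress address of a cloud network service used by mobile users), and, even from those ranges, require a second factor before an unregistered device is allowed in. The following is an added example written for this post, not code from any of the services mentioned; the networks, device ids and account records are constructed sample data, and the password and second-factor checks are assumed to be done elsewhere and passed in as booleans.

```python
"""Access-policy check for a business cloud login (added example, constructed data)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample ranges: an office network and the single egress
# address of an assumed cloud network service that mobile users go through.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),    # head office (sample range)
    ipaddress.ip_network("198.51.100.10/32"),  # cloud-network egress for mobile users
]


@dataclass
class Account:
    email: str
    registered_devices: set = field(default_factory=set)  # device ids bound to this account


@dataclass
class Decision:
    allowed: bool
    require_second_factor: bool
    reason: str


def evaluate_login(account, device_id, source_ip, password_ok, second_factor_ok=False):
    """Decide a login attempt.

    password_ok: result of the service's own password check
    second_factor_ok: whether a second factor (e.g. phone approval) was completed
    """
    if not password_ok:
        return Decision(False, False, "bad password")

    # Control 1: only the organisation's known egress addresses may reach the service.
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return Decision(False, False, f"source {source_ip} outside allowed networks")

    # Control 2: a device already bound to the account needs no extra step.
    if device_id in account.registered_devices:
        return Decision(True, False, "known device")

    # New device: a reused or phished password alone must not be enough.
    if second_factor_ok:
        account.registered_devices.add(device_id)  # bind the device to the account
        return Decision(True, False, "new device approved by second factor")
    return Decision(False, True, "new device: second factor required")


if __name__ == "__main__":
    acct = Account("alice@example.com", {"laptop-1"})
    print(evaluate_login(acct, "laptop-1", "203.0.113.5", True))
    print(evaluate_login(acct, "phone-9", "198.51.100.10", True))
    print(evaluate_login(acct, "phone-9", "198.51.100.10", True, second_factor_ok=True))
    print(evaluate_login(acct, "laptop-1", "192.0.2.7", True))
```

The order of the checks matters: the IP restriction is evaluated before the device check, so a stolen password used from an unknown network is refused outright without ever prompting the employee’s phone, and the second factor is only spent on attempts that already come from the organization’s own egress points.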
Protect against phishing and malware sites
If a user does receive a phishing email, a URL filtering solution can help stop them from reaching a risky site. Some organizations block access to unclassified sites or to new sites with an unknown reputation as a way to decrease exposure.
Educate your employees
Employees must be trained on the risk of emails from suspicious sources and on how to look for signs of bad links and attachments before clicking on them.
The Way Forward: password elimination
The likelihood of continued password leaks is very high. We should gradually move towards eliminating passwords altogether. Some services now use one-time passwords for every login. Others use the user’s phone to authorize sign-in. An even stronger process is to require device registration for every new device, specifically binding the device to the account. Whatever the method, the days of “the password” are numbered.