In case it slipped your mind, October is Cybersecurity Awareness Month. Conveniently located between the relaxing days of summer and the crazy weeks of holidays and end-of-year preparations, Cybersecurity Awareness Month gives you the chance to diligently assess your existing security situation, identify gaps, and build them into your plan and budget for the upcoming year. Let’s look at a few key areas we see that cause companies problems.
Account login information has been and continues to be one of the biggest attack vectors for criminals. Brute force attack – as computing power increases each year, attackers make many more password guesses per second. The longer and more complex the password, the more time it takes to crack. The downside is that humans aren’t good at remembering complex, random strings of numbers, letters, and symbols, so we can only increase password complexity so far, but lists of compromised passwords continue to show the majority of passwords in use aren’t complex.
Even if a password looks complex, it might not be. One somewhat popular password is ji32k7au4a83. Even though it looks complex to us, it isn’t. For users typing in Chinese on standard keyboards, they need to enter a three-digit code to create a Chinese character. ji3-2k7-au4-a83 converts into the Chinese equivalent of “my password”.
Reusing passwords – when faced with dozens of logins, each requiring a complex password, users are tempted to use the same password on multiple sites. Once an attacker has a valid password for one site, they quickly test that login against every important website they can. When passwords are shared, they have access.
We’ve seen this happen several times with significant consequences. An employee was using their work email and password on a site for personal use and that site was compromised. The attackers then used that login to gain access to the employee’s Office365 account. While searching the employee’s email archive, the attackers found the login information for the website hosting service the company used. The attackers quickly changed the ownership of the DNS and web hosting, rerouted all traffic to their servers, and demanded a ransom. Not only was the website down but so was all email. It took several weeks working with internet domain registrars to return ownership of the domain name to the company.
This is another example of why using multifactor authentication is critical. If this company had set up MFA with its web hosting provider, even if the attackers had gained the username and password, MFA would have prevented them from successfully logging in and making changes.
Although it may seem like yesterday’s news, ransomware continues to haunt companies large and small. Just ask MGM Resorts. In September, a ransomware attack crippled operations. Not only were websites down, but hotel room keycards and even slot machines were offline. In addition to disrupting operations, the attackers were also able to steal customer information including date of birth, driver’s license, and passport information.
Ransomware attacks exploit the weakest link in every company’s IT infrastructure: the people. In fact, 90% of cyberattacks use phishing as part of the attack. Whether it’s convincing employees to click on a link or convincing them to divulge information over the phone, if you aren’t training your employees to guard against phishing attacks you are failing to address the largest security risk your business faces.
Steps for a safer 2024
As we head into planning and budgeting season for 2024, now is the time to do some security soul-searching. To know how much you should be investing in security next year, you should spend some
time looking into these areas:
- Passwords. Are they complex? Are they being reused across multiple sites? Do employees have access to password managers, and do they know how to use them?
- Multi-factor authentication. Do you have it enabled on key services like Office365? Do you have it enabled for less used but equally important services like your DNS and web hosting?
- Employee-training. Are employees regularly taught about the latest threats and what to be on the lookout for? Do they know how to report suspicious behavior?
Now is the time to perform a security audit to gauge your level of preparation. It costs a lot less to prepare against a future attack than to respond to an attack already underway. Just ask Las Vegas.