Steps to keep organizational credential safe

Dear Readers,

This week’s blog is about how organizations are being forced to move away from passwords. As our digital footprints grow day by day, maintaining passwords itself is a tedious job. To keep it easy, users employ single passwords across applications. Data breaches and hacks these exposed users across platforms and placed enterprises at risk. So, a more straight forward, more robust, user-friendly authentication method is the need of the hour. Passwordless helps to accurately verify the user’s identity and eliminate the risk of compromised credentials.

Today, organizations are moving towards passwordless authentication, using advancedtechnologies such as biometric signatures, hardware tokens, cryptographic keys, or PINS to verify users.

The use of multi-factor authentication is vital, as it ensures that information is only accessed by the intended person, making it harder for cybercriminals to steal. If user data is less
tempting, cyber thieves will go for a different one. Multi-factor authentication is a blend of two different factors. One is usually the username and password, which is something the user knows.

Steps to keep organizational credential safe

Ambimat Electronics, with its experience of over forty years, desires to draw the attention of its readers and potential customers towards this blog post about their new product called AmbiSecure key and how it will benefit us.

Stolen corporate credentials are often put up for sale on the dark web. The asking price of such credential depend on several factors, one of them being the revenue generated by the corporation. On the other hand, a ransomware attack can fetch cybercriminals a staggering amount in ransom.

The implication of corporate credentials exposed on the dark web is not just limited to financial loss. With cybercriminals gaining easy access to organizational login details, damaged reputation, loss of intellectual property, and increased insurance premiums follows as well.

Fortunately, there are methods that corporates can adopt to prevent their credentials from landing up for auction on the dark web. Follow the below six steps to ensure that organizational credentials remain secure.

1) Use unique passwords for applications and systems

If passwords are still in use, it is vital for organization to educate its employees to use different passwords for different application, systems, and accounts.

For decades, corporates have been advised by cybersecurity professional the importance of strong and unique passwords. Sadly, even with warnings, reusing password still remains a common practice. A survey conducted by LastPass1 showed that an average employee is likely to use the same password about 13 times. Even worse, these passwords tend to be weak and compromised easily.
Another breach report by SpyCloud showed that employee of large corporation used passwords, such as “123456”, “password”, or the name of the company they work for.

The foremost thing organization can do is have a stricter policy in respect to using “bad password”. To get a better picture on which password should be restricted, organizations can refer to NordPass “Top 200 most common password in 2020”.

In most scenarios, employees who are expected to maintain too many passwords and having each a unique one and still remember them is not exactly a reality. In this situation, organization should enable password mangers for both personal and professional use. This will tremendously reduce the likelihood of employees reusing the same password across multiple devices and applications. Moreover, 73% of workers3 duplicate their password across corporate network and personal accounts, making it easy for hackers to gain access to them. Therefore, having this approach is very critical.

2) Change passwords regularly

Even while maintaining a systematic approach to secure passwords, they can appear on the dark web. It is noted that at least one data breach is experienced by 53% of organizations as a result of compromised credentials.

Companies should form a policy for its employees to change their passwords frequently — every few months. Such a habit will ensure that credentials appearing on the dark web doesnot remain fresh, and cybercriminals can no longer use it.

3) Use Multi-factor authentication

Enabling multi-factor authentication can reduce and block account takeovers.

By adding an additional layer of protection over and above traditional password, multifactor authentication makes it difficult for hackers to impersonate someone to gain access to accounts. Even if a pernicious being manages to get hold of a user password, they won’t be able to log in to their corporate network as MFA is enabled.

Although MFA does provide protection, but not all MFA are built equal, especially SMS MFA. Hackers have sophisticated tools that can be used to spoof, intercept, and phish short message service (SMS).

4) Educate Employees on Safety Awareness

Human error is the root for cybersecurity repercussion. This is why employees are often considered the weakest link in a company’s security landscape. Employees are tricked into revealing their credentials and organizational details through phishing scams.

To mitigate risk, it is crucial to educate employees on how to recognize threats. Apart from lectures, other method should be used to make training effective. Many employees have become victims of phishing attacks because of legitimate looking emails. Therefore, employees should be familiarized with real-world phishing attacks and other passwords hacks to protect themselves better.

Hackers can avail all the information they require through social media accounts by crafting a legitimate looking email. Hence, employees should also be trained in managing their social
media accounts and virtual private network (VPN) when working remotely. Oversharing information online should also be discouraged.

5) Monitor the dark web

There are tools available for organization to use if they suspect that their credentials are exposed on the dark web. Many of such tools are free and can perform dark web scan to check if organization’s asset is in danger or not.

Data breaches are recurring thing and therefore, scanning the dark web frequently is considered a best practice. Organization can save time by investing in dark web monitoring software.

As the name implies, the monitoring system can scan the dark web on its own. It provides alert if any credentials are up for auction that belongs to the organization. Such alerts are useful in preparing to combat such threats before sensitive credentials are used maliciously.

6) Go passwordless

With breaches happening due to compromised credentials, it is no longer safe to rely on passwords. For this particular reason, many organizations are shifting towards newer technologies for authentication — passwordless authentication.

Because users do not require to enter passwords or any other secrets to access their accounts is the sole reason passwordless is more secure — if there are no passwords, thenthere is nothing to steal. Users can prove their identity with the use of hardware security keys or biometrics, such as a fingerprint (high-level security).

As passwords are annoying, need to be memorized, or frequently changed, many users find it overwhelming. Passwordless authentication does not only improve the overall security landscape, but it also provides a seamless user experience. With this in mind corporates are now in the verge to eliminate passwords.

Passwordless authentication is cost-effective, as it tends to lower organizational cost incurred due to password reset calls to the IT department. It also provides a better visibility over identity and access management (IAM).

So, there you have it the top six methods by which organization can prevent their credential from appearing on the dark web and reduce accounts takeovers and ransomware.

Protect corporate credentials with AmbiSecure

FIDO2 is a standard that simplifies and secures user authentication. It uses public-key cryptography to protect from phishing attacks and is the only phishing-proof factor available. Corporations around the world and across many sectors, including healthcare, can benefit from Fast Identity Online or Fast ID Online (FIDO) authentication, which their employees and users can use to minimize security risks, and improve overall user experience. The AmbiSecure key and card is FIDO certified which offers superior security by combining hardware-based authentication and public key cryptography to effectively defend against phishing attacks and eliminate account takeovers.

AmbiSecure helps organizations accelerate to a password-less future by providing FIDO2 protocol support. Not only does FIDO2 supports two-factor authentication, but also paves the way for eliminating weak password authentication, with strong single-factor (passwordless) hardware-based authentication. The AmbiSecure provides a simple and intuitive authentication experience that users find easy to use, ensuring rapid adoption and organizational security. Ambisecure key or card does not require a battery or network connectivity, making authentication always accessible.

References:

https://www.lastpass.com/state-of-the-password/global-password-security-report-2019
https://nordpass.com/most-common-passwords-list/
https://securityboulevard.com/2020/06/automation-in-compliance-why-its-a-business-imperative-and-where-to-start/
https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/

Perils to circumvent when shifting to passwordless technology
Steps to go passwordless