Clive Taylor on protecting your business by prioritising password security

With so much publicity given to serious data breaches and the devastating effect a hacked password can have for individuals and businesses, the most recent report from the National Cyber Security Centre (NCSC) makes for worrying reading.

According to the report, 70% of people believe they will fall victim to a cybercrime within the next two years, while 23.3 million hacked accounts of victims worldwide used 123456 as the password, which is unlikely to take a sophisticated hacking app long to crack.

This disregard for strong password protection shows there is still a lack of understanding about the nature of modern hacking attacks, as the advice of security experts continues to fall on deaf ears.

Rather than manually testing a series of simple combinations in the hope of guessing your password, criminals are now using much more sophisticated methods to breach accounts, and it’s crucial that you stay one step ahead of the threat.

NCSC REPORT FINDINGS

Taking the lead on cyber security issues within the UK, the NCSC uses its own research and findings to deliver practical guidance to businesses of all sizes.

Responding quickly to security incidents and protecting companies from serious harm, the organisation draws on industry and academic expertise to improve security measures and safeguard public and private sector networks.

The report delivered by the NCSC is based on data compiled from telephone interviews and shows that 37% of respondents agreed that losing money or personal details over the internet has become unavoidable.

Ironically, the same report reveals a serious lack of concern when it comes to password security, with many individuals setting weak or predictable combinations that make it easy for hackers.

With freely available programs designed to run automatically and try millions of combinations, simply setting your password to ‘Pa55word’ will no longer suffice.

CREATING A STRONG PASSWORD

When it comes to protecting your data, information or money, the only way to make a long-term difference is by changing your attitude towards password security. Although it may sound straightforward, the first step is to stay away from obvious passwords that you’ve trusted in the past. This includes sequential numbers or letters, birthdays, and especially the word ‘password’

Not only will these be cracked in seconds, but hackers will recognise you probably use it for other accounts and target all your other password-protected assets. Instead, it’s important to make passwords longer, aiming for at least 15 characters where possible, using a combination of upper-case and lower-case letters, while throwing in numbers and symbols for good measure.

Alternatively, a word combo which uses a combination of random but memorable words, making it impossible for hackers to guess, can be extremely effective. An example of a word combo could be ‘FootballDogYellowRibbon’ – the more ridiculous, the better.

Another option is to use one of the many free password generator tools available from leading cyber-security organisations, which work locally on your computer with no risk of your choices being compromised.

SOPHISTICATED METHODS

Although changing your attitude towards password security is an important first step, that won’t necessarily help you spot an incoming threat or identify the points of attack.

The most common method used by hackers remains brute force which, despite its name, can be technically effective for those looking to breach an already weak security system.

Brute-force attacks will often use a password dictionary, that contains millions of words and numbers that can be tried in combinations to discover the correct password. This can take minutes, hours, days or even years – the program has enough patience.

Once a hacker has set the program running, passwords will be tried systematically, delivering a successful hack if the dictionary contains the correct password. Therefore, it is critical that steps are taken to create a complex password that contains more than one word.

INTERNAL THREATS

While outside hacking attacks can be difficult to prevent, there are other routes into secure networks and accounts, which typically involve the actions of individuals granting access.

Some cybercriminals will try to trick, intimidate or pressure an individual into giving them what they want, otherwise known as phishing, when attacks are personalised to target a specific organization.

Typically, the phishing email explains that a receiving bank account’s details have changed or there is something wrong with an account, prompting the recipient to click a link to resolve the issue

This link then leads to a fake website that has been carefully designed to look like a legitimate banking website, often duping unsuspecting users into entering their access details and password. A message will then inform the individual that the account cannot be accessed and they should retry in 10 minutes – just enough time for the criminals to empty your account.

This same approach is used regularly by cybercriminals targeting businesses, law firms, banks and anyone with valuable data or money moving through their accounts.

Brute-force attacks will often use a password dictionary, that contains millions of words and numbers that can be tried in combinations

SECURING THE FUTURE OF YOUR BUSINESS

Password protection is not a new security feature, but research shows that individuals and businesses are still not treating it seriously enough. Although it may be tempting to create a relatively straightforward password that is memorable and quick to type, hackers now have the power to test millions of combinations and breach your account within minutes.

Although opting to use a selection of upper-case and lower-case characters isn’t always efficient, doing so can help secure your account from would-be hackers.

Remember, cyberattacks are becoming more sophisticated over time, so it is important to regularly update your password and other security measures, ensuring you stay one step ahead of criminals.

If you’re unsure about the next steps, contact an experienced managed service provider and begin securing the future of your business.

Clive Taylor leads on Cyber security for managed IT services specialist Quiss Technology and is responsible for all aspects of system, network and device security. With more than 15 years’ experience in the sector, he also manages the firm’s partnerships with leading ethical hackers and security specialists to develop practical cyber-crime solutions, regardless of the sector in which clients operate. A regular commentator on the industry, technology and future practices, Taylor is respected for his ability to make difficult topics sound simple.