For British businesses, is the password a past word

Observing the very real hacking threat businesses face and the methods that cyber criminals use begs the question – is the password a past word

Please enter your password a request that people are asked with increasing frequency nowadays as our work and personal lives migrate online.

Its an innocent enough exchange, invented by the Roman Army and translated into the digital world with the first computers in the 1960s, but one which is loaded with possible issues.

The problem is that, in the modern world, a single password is a gateway to an untold amount of confidential and contentious information. For this reason, nefarious individuals will do anything to steal them, knowing that most people use a single password across multiple logins.

The average Briton now has to remember 19 passwords. Faced with this daunting array it’s no surprise that many people double up or use weak, easy to remember alternatives. In the battle for headspace, the cats name often wins over a combination of uppercase, lowercase and numbers.

What does this mean for the UKs businesses The answer is increased risk.

Every single business, large or small, is now a target for cyber-criminals and you WILL get breached at some point. The latest statistics put the rate of breach at UK companies at around 93 per cent for large companies, and 87 per cent for small businesses.

Whilst high-profile organisations are at risk from sophisticated targeted attacks, smaller ones also hold highly valuable data such as banking information, password databases and other confidential information.

There are many ways to breach organisations, but at some point nearly all of them involve stealing a password. Access to a corporate network, the treasure trove of information for hackers, is typically reliant on a character set supposedly only known to the authorised individual, therefore it often becomes a game of cat and mouse to try and steal passwords.

Read on to discover the scenarios criminals are using to snatch passwords and data from businesses.

Image via Shutterstock.

Lets look at a few scenarios that criminals use to steal passwords:

1. Spear phishing

A targeted attack designed to steal access login credentials from a known target. Typically these present themselves in the form of a highly personalised email, which approaches the individual in a highly personalised manner.

For example, the criminal may have figured out that a particular sales team at a company they want to target uses Salesforce, and will send an email from Salesforce asking for each member of the team to login. The user clicks on the link, is redirected to a spoof login page, which collects usernames and passwords. Once they have these, the miscreants will often attempt to login to corporate networks and other access points using the same credentials. Two for the price of one.

2. Malware

Company laptops and networks are not as secure as many administrators like to think, and are vulnerable to installation of information stealing software despite anti-virus software being kept up to date.

There are many attack vectors which malware can use to install itself on corporate devices and once present, it’s an easy task to log the keystrokes of users, stealing their passwords and using them to login remotely to a variety of supposedly restricted services.

3. Brute forcing?

If access to corporate networks has a visible user login, you are a potential target for a brute force attack. These systematically cycle through combinations of letters and numbers until they effectively guess the password. Once username and passwords are compromised, they are often tried across a variety of associated accounts.

4. Social Human engineering

The least technically advanced, but often most effective form of password theft. Requiring no technical knowledge, the attacker will use old-fashioned cunning and guile to steal a password. Sometimes it’s as easy as phoning the person up, pretending to be an IT representative, and asking for the password directly!

Read more on security:

These are just some of the ways which passwords can be stolen, underlining how outmoded it is as a user authentication technique. In addition to this, is the significant threat from merely maintaining a database of usernames and passwords.

Any company that stores, in any format, databases such as this presents a ripe target for hackers, and is another reason why passwords should be banished from companies, both large and small. The recent string of high-profile mass password leaks and dumps from well-used web services is testament to this.

For this reason, organisations should look to ban the use of passwords and build more advanced methods of authenticating users into everyday practices.

Using advanced two-factor authentication, based on encryption and which doesnt rely on a password, significantly reduces exposure. In an age where every business is open to attack from continually advancing cybercrime techniques, surely it’s time your countermeasures were at least dragged into this century

Brian Spector is the CEO of security services provider Certivox.

Image via Shutterstock.

Share on social media

Link copied to clipboard.