Businesses of all kinds need to keep their data safe from the threat of illicit access. In recent years, data breaches such as the ones that hit Target and JP Morgan have exposed millions to the threat of identity theft and caused millions of dollars of damage to businesses and financial institutions alike.
This is why many companies invest heavily in IT security. These companies buy the latest hardware, the best encryption, and the strongest antivirus programs, as well as tightly managing the security of the physical hardware that holds their information.
However, one weak point of any data security system, no matter how robust, is the legitimate, password-protected access point made for authorized users. If a hacker can get your username and password, then they can log into your system and access all of the information and system controls that would normally be available to you. This could result in considerable financial harm to your business.
Despite this fact, many people tend to make some very basic mistakes that make their passwords more vulnerable to attack. Knowing what these mistakes are is the first step in avoiding them and improving your company’s IT security:
Mistake #1: Using Personally-Identifiable Information for Your Password
Here’s a mistake that made CNN’s list of major password mistakes. Many people have trouble remembering a randomized string of alphanumeric characters, so they tend to pick a password that’s easy to remember.
One way that people do this is to use some personal factoid for their password, such as their name, date of birth, Social Security Number, etc. Unfortunately, this tends to make for a very weak, easy-to-guess password.
People often give away such information on a Facebook post or in an application for a loan. Dedicated hackers will track down this information, and use it in their attempts to guess your passwords.
Mistake #2: Using Simple Sequences
Once again, the urge to create an easy-to-remember password makes for a very weak password. All too often, a person will use a very simple string of letters or numbers such as:
Just to name a few of the simple sequences people use too much. While easy to remember without having to give yourself a password hint, they’re also very easy to guess. Thankfully, most business software will reject such a weak password.
Mistake #3: Putting the Password in the PW Hint
Many password systems have a hint option to provide a clue that is supposed to help users remember what password they used. Unfortunately, sometimes one of your business’ workers with access to your computers will not just put a hint here, but their entire password.
Disabling hints can help prevent this, as can establishing clear guidelines for password protection.
Mistake #4: Password Sharing
Even when a password is a very strong, random combination of uppercase & lowercase letters, numbers, and symbols with no rhyme or reason, the strength of the password will be wasted if the employee shares that password with others.
Sharing account information of any kind is an almost sure-fire way to compromise an account’s security. Once again, your best option is to make sure that employees understand basic password protection measures so that they don’t share their passwords with others.
Mistake #5: Not Removing Ex-Employees’ Passwords from the System
Terminating an employee is a hassle at best, and downright unpleasant at worst. However, no matter the circumstances surrounding the end of an employee’s working relationship with the company, it is imperative that the terminated employee’s access to the system is revoked ASAP.
Even when the termination of employment is carried out amicably, leaving an ex-employee with an account and password that can access your system is an unacceptable risk. The chance that their account information might be leaked is simply too high to take on that risk.
The Impact of a Password Being Broken
The password mistakes listed above all carry the risk of allowing a hacker to break your company’s system password, giving them full user access and creating a data breach.
The amount of harm that this can cause can vary based on several factors, such as:
- The level of access the hacked account had.
- How long the breach goes undetected.
- The nature of any information accessed.
- Whether or not the hacker uploads malware into your system to further compromise it.
- The strength of your internal system security (firewalls, extra authentication tokens for access to specific systems, antivirus software, etc.).
An example of the damage that a data breach can cause would be the Target data breach. A New York Times article from earlier this year highlights that “hackers had stolen credit and debit card information for 40 million of [Target’s] customers… additional personal information, like email and mailing addresses, had been stolen from 70 million to 110 million people.” The preliminary $10 million settlement mentioned in the article was possibly the least of the company’s damages.
What was lost here wasn’t just money or information, but consumer trust, which cost the company heavily in the year following the data breach as shoppers shunned the retail giant. According to figures cited in a Tech Crunch article, Target “booked $162 million in expenses across 2013 and 2014 related to its data breach.”
Minimizing the Risk of a Password-Related Data Breach
With the above in mind, what can businesses and financial institutions do to minimize the risk of their passwords being broken?
A few basic measures include:
- Using Strong Passwords. Making sure that everyone who has a password to access your system uses only strong passwords that use a combination of random capitalization, numbers mixed in with letters, and symbols such as #, %, $, ^, and * in them is a vital first step in avoiding a data breach.
- Use Authentication Tokens. Another step that businesses can take to establish randomly-generated authentication tokens for users when they log into the system. For example, a system that texts a 6-digit code to a user’s cell phone when they login essentially creates an ever-changing second password that makes an account much harder to crack.
- Restrict Access if Incorrect Passwords Are Entered Too Many Times. This is something that many businesses do nowadays. When incorrect passwords are entered for an account too many times, that account’s access gets restricted for a set period of time. This helps keep automated password-guessing programs from just making a brute-force attempt to crack a password with millions of repeated tries.
- Use Strong Internal System Security with Multiple Firewalls. If the worst happens and a hacker gets access to a user account on your system, using strong internal firewalls to restrict access to sensitive information can help limit the impact of such a breach.
- For example, WHOA.com’s cloud solutions have both per-tenant and host-based firewalls by default to protect systems from attacks that penetrate the perimeter or originate from an inside source.
While no system will be 100% proof against all forms of attack, knowing the biggest risks and taking some basic precautions can help limit the risk and impact of a breach.
Need a secure cloud solution? Get started with WHOA.com today!