The nature of the threat landscape posed by cybercriminals to organisations is far from static, and both the techniques employed by attackers and the methods used to defeat them are continually evolving. As a result, some of the advice given to organisations on how best to secure their data is often outdated or misconceived. Here are four cybersecurity myths that are still persistent today.
Mitigating the weaknesses of password-based authentication is one of the biggest cybersecurity challenges faced by organisations, with credentials a factor in over half of successful data breaches. Weak and reused passwords are insecure practices that make the job of cybercriminals easier, and as a result, many businesses employ corporate password policies, requiring employees to use credentials which are strong and unique for each application.
However, with the average employee using 36 cloud-based services to do their job, corporate password policies as a whole have a significant and fundamental problem – the inability of end users to actually carry them out. Password policies which rely on end-user adherence are inherently broken, and thus without a technological solution to enforce them, their security benefits will be severely limited.
Organisations are increasingly turning to technological solutions to solve the problem, investing in solutions such as enterprise password managers which can provide password policy enforcement and ensure corporate password policies offer effective protection against cyberattacks. This is achieved by removing password management from the hands of users, and generating strong, random passwords that comply with the corporate password policy, with some solutions even automating password updates for third-party applications, removing human limitations on the security of password-based authentication.
According to Verizon’s 2021 Data Breach Investigations Report, 85% of data breaches involved a human element. As a result, many organisations respond by prioritising cybersecurity training for employees, seeing users as the frontline of defence against cyberattacks.
However, research from My1Login discovered that training has a limited impact on end-user behaviour. While 91% of users with no training reused passwords, among users who had received training, the figure remained high at 85%. For other behaviours, there was no difference at all, with 52% of employees writing down passwords, regardless of whether they had received training or not.
Ultimately, employees do not practise insecure behaviours with passwords to intentionally put the business at risk. Storing credentials insecurely, reusing them, and making passwords short and easy to remember are all done for the same reason – memorising dozens, or even hundreds, of unique passwords is impractical. Instead, a number of organisations solve this problem by investing in a technological solution such as Single Sign-On, taking the responsibility for creating, managing and entering passwords away from end users to ensure they are not the weak link in the organisation’s cybersecurity defences.
Multi-Factor Authentication has become one of the most popular methods for preventing unauthorised access to corporate applications. By requiring additional factors of authentication such as an out-of-band device or biometrics to access applications, cybercriminals cannot gain access to corporate applications with credentials alone, making data breaches far less likely to occur.
However, while MFA is undoubtedly an effective tool for preventing cybercrime, it is not a panacea and can require complementary technology to maximise its effectiveness. MFA can introduce significant end-user friction, or may not be implemented in a secure manner – for example, by using unencrypted SMS codes. A particular problem is Shadow IT – the use of applications without the knowledge or oversight of IT departments is on average ten times greater than known cloud usage, according to McAfee.
If IT departments are unaware of applications being used to process or store corporate data, they cannot enforce MFA to protect them, and cybercriminals need only obtain the user’s credentials to gain unauthorised access. The problem of Shadow IT can even be exacerbated by MFA, as employees may use other applications to avoid the end-user friction which MFA introduces, or to avoid the lengthy process of acquiring a new device if the one used for MFA is lost, stolen, or damaged.
To ensure that MFA achieves its full potential to prevent unauthorised access, and to gain the maximum return on their investment, many organisations employ an Identity and Access Management (IAM) solution. IAM solutions can detect all applications in use by employees and report them to IT, who can then assess each one and ensure MFA is enforced on apps where corporate data is being stored or processed.
Mandating password expiry is a common feature in some organisations’ password policies. Requiring employees to change passwords, typically every three months, aims to combat the threat of credential theft, where usernames and passwords compromised in data breaches can be reused to gain access to other accounts.
However, changing credentials regularly is ultimately an ineffective way to strengthen password-based authentication systems due to its inherent impracticality. With the average person having over 100 passwords, the task of memorising credentials is already a difficult one – if users are also required to change them regularly, it becomes almost impossible.
Such a policy is not only difficult to enforce, but also drives users to insecure behaviour such as reusing passwords and storing them insecurely. Changing passwords also typically leads to the creation of weak passwords, with users frequently using predictable patterns which are well-known to cybercriminals, such as adding incremental numbers. As a result, the UK’s National Cyber Security Centre has stated that “regular password changing harms rather than improves security.”
To solve this problem, organisations are increasingly turning to technological solutions to automate the creation of strong and unique passwords, preventing credential-stuffing attacks. An enterprise password manager can automatically generate, vault and enter credentials for employees, and ensure password policies are enforced centrally rather than relying on end-user adherence.
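As an added illustration (not My1Login's code or any product's), the check below shows what central enforcement looks like in practice: it rejects a "rotated" password that is just the previous one with an incremented number, the predictable pattern described above, and generates a random replacement that satisfies the policy. The policy thresholds and the helper names are assumptions for the example.

```python
import re
import secrets
import string
from typing import Optional, Tuple

# Constructed policy values (assumptions for this example, not a recommendation).
MIN_LENGTH = 14
MIN_CHAR_CLASSES = 3
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def _stem(pw: str) -> str:
    """Strip trailing digits/symbols so 'Holiday2023!' and 'Holiday2024!' share a stem."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_incremental_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only an appended or incremented number/symbol,
    or differs from it in a single character (e.g. 'Pa55word1' -> 'Pa55word2')."""
    if old == new or _stem(old) == _stem(new):
        return True
    if len(old) == len(new) and sum(a != b for a, b in zip(old, new)) <= 1:
        return True
    return False


def meets_policy(pw: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Central policy check: length, character classes, and no predictable rotation."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if sum(any(c in cls for c in pw) for cls in CLASSES) < MIN_CHAR_CLASSES:
        return False, f"needs at least {MIN_CHAR_CLASSES} character classes"
    if previous is not None and is_incremental_variant(previous, pw):
        return False, "predictable variant of the previous password"
    return True, "ok"


def generate_compliant(length: int = 20, previous: Optional[str] = None) -> str:
    """Generate a random password with a CSPRNG and retry until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, previous)[0]:
            return candidate


if __name__ == "__main__":
    print(meets_policy("SummerHoliday2024!", previous="SummerHoliday2023!"))
    print(generate_compliant(previous="SummerHoliday2023!"))
```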