The Cloud Security Alliance (CSA) recently found that compromised login credentials caused nearly a quarter of the data breaches reported by the companies it surveyed.
In its study, CSA asked companies whether they had ever experienced a data breach and 17% said yes. Of those, 22% said the breach was directly caused by compromised credentials. Most of the companies surveyed, including those that had not suffered a breach, are worried about future attacks involving compromised credentials: 65% of respondents rated the likelihood of a future data breach as medium to high.
Surprisingly, the companies that had experienced a data breach differed little in their security measures from those that had not. Of all the companies surveyed, 90% used antivirus software, 82% used an email spam filter, 70% used a firewall, and 82% used a virtual private network. These are vital controls, but they do not appear to protect against stolen credentials.
This points to a people and process problem rather than a tooling problem. Preventative controls like those listed above cannot, on their own, stop attacks that trick users into handing over their credentials, as phishing does: the attacker then logs in with valid credentials, and none of those controls sees anything abnormal.
In addition to the usual measures such as antivirus, firewalls, and network monitoring, there are a few ways a business can protect its credentials from being compromised, and limit the damage when they are.
Use two-factor authentication. When employees log in from a device they have not used before, they should enter their username and password and then a second factor: a one-time code from an authenticator app, or, failing that, a code sent by text message or email. An attacker who has only the employee's password then cannot log in remotely. This is a strong mitigation rather than a guarantee: a code sent by text or email can be phished in real time or intercepted if the phone number or mailbox is itself compromised, so app-based or hardware tokens are preferable where available.
Create a written information security policy. This policy outlines what users can and can't do with the business's technology. It includes policies for acceptable use of company technology, authentication (passwords), backing up data, network access, network security, incident response, email, and access to confidential data. Some important but less widely used policies cover encryption, guest access, mobile devices, remote access, and physical security of data. The policy also records what a company is currently doing to prevent cyber attacks. In the event of a data breach, this document may be an important part of a company's legal defense.
Limit who has access to what. A front desk receptionist at a hospital probably doesn't need to see a patient's medical history, and a doctor doesn't need the patient's insurance details. Some employees will need access to certain data and others will not. Grant each role only the data it needs (the principle of least privilege) and deny everything else by default, so that if an attacker obtains the receptionist's login, they do not gain access to the hospital's entire data set.
Make sure users have strong passwords. A strong password is long (the guidance here is 10-15 characters or more), mixes lower- and uppercase letters, numbers, and special characters, and is not reused across accounts or taken from lists of previously breached passwords. All employee login credentials must use a strong password.
Luckily, as credentials are compromised more often, new ways to log in are being developed, including fingerprint scanners, facial recognition, and, on smartphones, recognition of the shape of an ear. One recent development in biometrics sends a sound through a person's skull and analyzes the unique frequency pattern it produces as it travels through; that signature could be used to log in to an account in the near future.