If you’re an IT pro, you’re likely aware of the very real damage that can result from even one user’s credentials being compromised. Once attackers have a foothold in your systems, they can linger for months, steadily increasing their permissions until they find and steal your most valuable data. Many organizations are already working to strengthen their security posture to prevent the misuse of stolen credentials. But one very real risk is typically overlooked: the social and personal credentials of our end users.
Why is this a risk? I’m sure you know first-hand about password fatigue — everyone these days is overwhelmed with the task of remembering and managing passwords. To make things easier, we take shortcuts: we choose weak or easy-to-remember (and therefore easy-to-guess!) passwords, and we also reuse credentials across sites. You can bet that at least some of your users are signing up for personal sites using their work credentials or user IDs. And the reverse is even more common — some users are almost certainly using the same passwords they use for their personal sites to access corporate resources.
Who would do this? More people than you might think. Remember the Ashley Madison hack back in August of 2015? As time.com reported, many people used their .gov and .mil email addresses to sign up for this rather salacious website. Password reuse is likely even more common; check out the study on Consumer Password Habits, the Consumer Account Security Report, and this article on Mashable on password reuse.
In short, it’s very likely that some of your users are using their work email or username to sign up for non-work services, and some are using the same passwords at work as they use for their personal websites. Those actions put your corporate resources at risk.
With the number of data breaches increasing year over year (see the Verizon 2017 Data Breach Investigations Report), what can you do to help reduce the risk presented by password and user ID reuse? Here are several best practices that really help.
Invest in adaptive authentication
While we know that two-factor authentication helps mitigate credential theft and raises the security level of authentication, we also know that on its own it is no longer enough for truly secure authentication. SecureAuth, an industry leader in adaptive authentication, offers a multi-layered approach to pre-authentication risk analysis. Like layers of a bulletproof vest, our adaptive authentication looks at multiple factors, from device recognition to SecureAuth Threat Services, to determine the legitimacy of every login attempt — even when the user has the correct credentials. This “defense in depth” approach helps thwart attacks and prevent breaches. And SecureAuth mitigates the risk of misuse of compromised credentials without impacting usability, because we require multi-factor authentication only when risk is high.
Read more on SecureAuth’s adaptive authentication.
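To make the idea of pre-authentication risk analysis concrete, here is an added illustration (not SecureAuth’s own logic or code) of a risk-based login decision: each signal the page mentions, such as device recognition and a threat-intelligence hit on the source IP, adds to a score, and a second factor is required only when that score is high. The signal names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed example of an adaptive (risk-based) login decision.
# Signals, weights and thresholds are assumed values for illustration,
# not a vendor's product logic.

@dataclass
class LoginContext:
    password_correct: bool
    device_known: bool        # device recognition: seen this device before?
    ip_on_threat_list: bool   # source IP flagged by a threat-intelligence feed
    country: str              # geolocation of this attempt
    last_country: str         # geolocation of the previous successful login
    hours_since_last_login: float

# Weight of each risk signal (assumed values).
UNKNOWN_DEVICE = 40
THREAT_IP = 50
COUNTRY_CHANGE = 20
IMPOSSIBLE_TRAVEL = 40    # country changed faster than a person could travel

STEP_UP_THRESHOLD = 30    # at or above: require a second factor
DENY_THRESHOLD = 80       # at or above: block even with a correct password

def risk_score(ctx: LoginContext) -> int:
    """Sum the risk signals present in this login attempt."""
    score = 0
    if not ctx.device_known:
        score += UNKNOWN_DEVICE
    if ctx.ip_on_threat_list:
        score += THREAT_IP
    if ctx.country != ctx.last_country:
        # A country change within two hours is treated as impossible travel.
        score += IMPOSSIBLE_TRAVEL if ctx.hours_since_last_login < 2 else COUNTRY_CHANGE
    return score

def decide(ctx: LoginContext) -> str:
    """Return 'deny', 'allow' or 'step_up' (require MFA) for this attempt."""
    if not ctx.password_correct:
        return "deny"         # a wrong password never proceeds, whatever the score
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"         # correct password, but the context is too suspicious
    if score >= STEP_UP_THRESHOLD:
        return "step_up"      # correct password; ask for a second factor
    return "allow"            # low risk: password alone is accepted

if __name__ == "__main__":
    routine = LoginContext(True, True, False, "US", "US", 9.0)
    stolen = LoginContext(True, False, True, "US", "US", 9.0)
    print(decide(routine), risk_score(routine))   # allow 0
    print(decide(stolen), risk_score(stolen))     # deny 90
```

The point the example makes is the last case: the password is correct, yet the unknown device plus the flagged IP push the score past the deny threshold, which is exactly the situation a password-only login would wave through.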
Hold regular user training & education sessions
It may seem a bit cliché, but I can’t overstate the value of being in front of your end users on a regular basis and reminding them about best practices around passwords and access. While ignorance on the part of the end user is not an excuse for a data breach, we, as security professionals, should do everything in our power to educate our end users about the impact that their decisions about how they use their credentials can have on the business.
There are a number of training tool kits and companies that offer training services. But even common-sense training from a security professional does wonders to keep best practices concerning credentials in the front of everyone’s minds.
If you have external consumers or customers who log on, it’s also useful to educate them. Being verbose in your login prompts may not be a bad thing! While you don’t want to give bad actors too much information about your login security, you do want to educate your consumers about what’s going on as they authenticate. Doing so can not only reduce your support burden but also boost your brand for being so security minded.
Unfortunately, we tend to find out about data breaches well after they happen. While many companies would prefer to keep these breaches quiet, IT security pros need to be informed about the latest breaches — not just the methods that were used and the impact to the affected company’s business, but the data that was leaked in the breach. So keep an eye out for what’s happening at other organizations and share when you can to help build a stronger and more effective IT security community.
SecureAuth helps prevent the misuse of stolen credentials. To learn more, contact us today!