Here at Ping, we're constantly thinking about how to better secure the enterprise through identity and access management (IAM). We can all agree that IAM is a critical part of any enterprise's defenses, but responsibility for security doesn't stop at the boundaries of the IT department, nor does it rest solely in the hands of those professionals with "security" in their title.
An organization is only as secure as its weakest link, and that weak link is most often a careless employee. They tend to be the easiest way to get past an organization's defenses, and their sheer numbers make them an obvious target. So even if IT has deployed the most sophisticated software, every person still needs to understand the most common threats, counteract risky behavior and foster a sense of shared responsibility to keep the enterprise safe.
Dangerous Password Practices
Passwords are a particularly vulnerable point for organizations: According to Verizon, 81% of hacking-related breaches last year leveraged stolen and/or weak passwords. There are certain things that an IT department can do to reduce this risk, such as setting requirements based on password best practices, never using default passwords, or implementing single sign-on (SSO), but it's not always possible or practical to put controls on the behavior of employees.
It's up to everyone to help stamp out dangerous password practices. Here are three of the most common to watch out for:
Weak passwords: Weak passwords may be easier to remember, but they're also easy to guess or crack. The new NIST guidelines state that passwords that are long, but simple and memorable, tend to be more secure, even without adding those special characters. A random sentence, or several random words strung together would do nicely.
Password re-use: If your company doesn't have a single sign-on solution, it can be tempting to use the same password across multiple applications. But if a hacker gains access to one application, they get access to them all. Not good! Password managers can help with handling multiple passwords, as can choosing a distinct, memorable passphrase for each application.
Password sharing: Password sharing can seem like a harmless way to share information or handle an employee's absence more conveniently, but can be a big risk. The more people who know the password, the more likely it is to be guessed, stolen or hacked. It also makes it much harder to change it. Find ways to provide legitimate access to those who need it, or set up a workaround, like auto-forwarding emails during vacation.
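To put numbers behind the weak-password item above, here is an added example (not Ping's code, and not from the original post) that compares the entropy of a short "complex" password with that of a random passphrase, and applies the two checks the NIST guidelines favour over composition rules: a minimum length and a blocklist of common passwords. The word-list size of 7776 is the size of a standard diceware list; the sample words and the tiny blocklist are constructed for the demonstration.

```python
import math
import secrets

# Constructed stand-ins: a real diceware-style list has 7776 entries; only its
# size matters for the entropy arithmetic, the words below just feed the generator.
WORDLIST_SIZE = 7776
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "cobalt", "lantern", "marble"]

# Constructed miniature of a breached/common-password blocklist. NIST SP 800-63B
# recommends screening new passwords against such a list instead of demanding
# special characters.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "P@ssw0rd"}
PRINTABLE_ASCII_POOL = 95  # characters a "complex" password is usually drawn from


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform choices from `pool_size` options."""
    return length * math.log2(pool_size)


def complex_password_entropy(length: int) -> float:
    """Entropy of a password of `length` random printable-ASCII characters."""
    return entropy_bits(PRINTABLE_ASCII_POOL, length)


def passphrase_entropy(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `num_words` words chosen uniformly from a list of `wordlist_size`."""
    return entropy_bits(wordlist_size, num_words)


def generate_passphrase(num_words: int, words=SAMPLE_WORDS) -> str:
    """Pick words with the CSPRNG; with a full 7776-word list this is diceware."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def check_password(candidate: str, min_length: int = 8) -> list:
    """NIST-style screening: length floor plus blocklist, no composition rules."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in {p.lower() for p in COMMON_PASSWORDS}:
        problems.append("appears on the common-password blocklist")
    return problems


if __name__ == "__main__":
    print(f"8 random printable chars: {complex_password_entropy(8):.1f} bits")
    print(f"4 random diceware words:  {passphrase_entropy(4):.1f} bits")
    print(f"6 random diceware words:  {passphrase_entropy(6):.1f} bits")
    print("sample passphrase:", generate_passphrase(4))
    print("P@ssw0rd ->", check_password("P@ssw0rd"))
```

Four random words already match the entropy of eight fully random printable characters (about 52 bits), and six words comfortably exceed it, while being far easier to type and remember; the blocklist check catches the "complex-looking" `P@ssw0rd` that composition rules would wave through. The comparison only holds for words chosen at random from the list, not for a favourite quotation.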
One of the best ways to secure your account, even if your password is compromised, is through the use of multi-factor authentication (MFA), which requires a second, independent factor in addition to the password to verify a user's identity. This protection is especially valuable for privileged accounts, which provide access to more data and more systems and may even allow users to move throughout the network.
Common Cyber Attacks
Even the most secure password can be stolen or bypassed by a clever hacker. This is where the real work comes in for employees. It's hard to constantly stay vigilant and informed when you just want to do your job, but it's key to preventing what could be a big data breach.
Phishing is a common type of social engineering that happens over email, in which a hacker will try to manipulate or trick the recipient into revealing confidential information or performing a certain action that will compromise their account. Sophisticated attacks can be hard to spot, especially ahead of time, but there are a number of tells that can help employees spot suspicious emails, including names, emails or links that are incorrect or don't match, spelling mistakes, and urgent or intimidating messages.
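The tells listed above can be checked mechanically as well as by eye. The following is an added example, not code from the original post or from Ping, that parses a constructed sample email and reports three of those tells: a sender domain that does not match the organization's, urgent or intimidating wording, and link text that claims one destination while the underlying link points somewhere else. The trusted domain `example.com`, the lookalike domain `example-mail-login.test`, and the urgency word list are all assumptions made for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for the demonstration (not real mail).
SUSPICIOUS_EMAIL = b"""From: "Example IT Helpdesk" <alerts@example-mail-login.test>
To: employee@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Your password expires today. Verify immediately or lose access.</p>
<p><a href="http://example-mail-login.test/verify">https://portal.example.com/login</a></p>
"""

CLEAN_EMAIL = b"""From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Lunch menu for Thursday
Content-Type: text/plain

The cafeteria menu for Thursday is attached to the intranet page.
"""

# Assumed phrases typical of pressure tactics; a real deployment would tune this list.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_tells(raw: bytes, trusted_domain: str) -> list:
    """Return a list of human-readable tells found in the message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tells = []

    # Tell 1: the sender's real domain is not the organization's domain,
    # however reassuring the display name looks.
    _display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if sender_domain != trusted_domain.lower():
        tells.append(f"sender domain {sender_domain} is not {trusted_domain}")

    # Tell 2: urgent or intimidating wording in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        tells.append("urgent language: " + ", ".join(hits))

    # Tell 3: link text shows a URL whose host differs from the href's host.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, label in extractor.links:
        href_host = urlparse(href).netloc.lower()
        label_host = urlparse(label).netloc.lower() if "://" in label else ""
        if label_host and label_host != href_host:
            tells.append(f"link text shows {label_host} but points at {href_host}")

    return tells


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", phishing_tells(sample, "example.com") or "no tells found")
```

The checks are deliberately simple heuristics, the same ones the paragraph asks employees to apply by hand; an empty result means none of these particular tells fired, not that the message is safe, so the advice to report anything that still feels wrong stands.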
Unsecured wireless connections can also be doorways for hackers, as can malware downloaded from unfamiliar sites or lurking on external devices. Installing only authorized programs on work devices, performing regular security scans, and using secure WiFi or VPN connections can all help to bolster your organization's defenses. Above all, encourage employees to report anything that seems suspicious. A false alarm is preferred over a compromised account!
Security is a Shared Responsibility
The IT department certainly has a lot to do to keep an organization secure. They need to deploy the right security solutions, stay up to date with all software updates and patches, properly deprovision users, monitor for hacking attempts, and much more. But every employee must share the responsibility of creating a culture of security and vigilance in the workplace.
When each employee understands the common attacks and follows security best practices, they become strong links in your defense against cyber threats. Combining all their efforts with modern identity and access management solutions like SSO and MFA goes a long way toward keeping your organization safe and secure.