Is your password policy leaving your business vulnerable?
by Jon Budzynski - Wed 02 Nov 2022
Ensuring your company data is robustly protected is vital in the current business environment. Cyber and ransomware attacks are becoming increasingly common and can have devastating consequences. Many companies spend thousands on expensive defence solutions and shiny new technology, but it is all in vain if your password policy is weak.
As large corporations have started to realise where their cyber weaknesses lie, they have introduced robust password policies: minimum password lengths, a required mix of character types, and 'lock-outs' after successive unsuccessful attempts. This makes their systems far more difficult to penetrate; however, it has an impact on smaller businesses and organisations, as the gaze of cyber criminals turns to easier targets!
There has been a significant rise in cyber-attacks on SMEs over recent years because their cyber security policies are often weak or non-existent. Hackers, who have increasing trouble getting through the barriers of larger corporations, are turning their focus onto smaller and easier targets. This is proving a far more lucrative plan, as they can gain access to systems more quickly, extract or damage data, or even make ransom demands.
Consequently, our advice to SMEs is to follow the guidelines set out in the Cyber Essentials framework:
- The use and implementation of Multi-Factor Authentication (MFA) where possible.
- Throttling the rate of unsuccessful attempts.
- Locking of accounts after no more than 10 unsuccessful attempts.
- Using a password of at least 8 characters, with no maximum length restrictions in instances where multi-factor authentication is used.
- A minimum password length of at least 12 characters where multi-factor authentication cannot be used.
- A maximum of 90 days between password changes (note that current NCSC password guidance advises against forcing regular expiry, preferring an immediate change whenever compromise is known or suspected).
- Previously used passwords cannot be reused.
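The list above is a policy, but it only protects anything once a login system actually enforces it. The following is an added example (written for this page, not code from the original post or from Cyber Essentials) that models the controls in the list: a minimum length that depends on whether MFA is in use, a denylist standing in for the common-password list, rejection of reused passwords, rate-throttling of attempts, and a lock-out after 10 failures. The length and lock-out thresholds come from the list; the throttle window, the attempts allowed per window, the PBKDF2 iteration count and the denylist contents are assumptions chosen for illustration.

```python
# Added example: enforcing the password and login controls listed above.
# Not code from the original post. Thresholds marked "assumption" are illustrative.
from dataclasses import dataclass, field
import hashlib
import hmac
import os

MIN_LENGTH_WITH_MFA = 8        # from the list: at least 8 characters when MFA is used
MIN_LENGTH_WITHOUT_MFA = 12    # from the list: at least 12 characters without MFA
MAX_FAILED_BEFORE_LOCK = 10    # from the list: lock after no more than 10 failures
THROTTLE_WINDOW_SECONDS = 60   # assumption: sliding window for rate limiting
MAX_ATTEMPTS_PER_WINDOW = 5    # assumption: attempts allowed inside one window
PBKDF2_ITERATIONS = 100_000    # assumption, kept low for the demo; use a higher work factor in production

# Constructed denylist standing in for the common-password list the post points to.
COMMON_PASSWORDS = {"password", "qwerty1234", "123456", "letmein", "welcome1"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Plaintext passwords are never stored or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    mfa_enabled: bool
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: bytes = b""
    history: list = field(default_factory=list)        # hashes of previous passwords
    failed_attempts: int = 0
    locked: bool = False
    attempt_times: list = field(default_factory=list)  # timestamps of recent attempts


def policy_violations(account: Account, password: str) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    minimum = MIN_LENGTH_WITH_MFA if account.mfa_enabled else MIN_LENGTH_WITHOUT_MFA
    reasons = []
    if len(password) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    # Reuse check covers the current password as well as the stored history.
    candidate = hash_password(password, account.salt)
    previous = account.history + ([account.password_hash] if account.password_hash else [])
    if any(hmac.compare_digest(candidate, old) for old in previous):
        reasons.append("reuses a previous password")
    return reasons


def set_password(account: Account, password: str) -> list:
    """Apply the policy; on success rotate the old hash into the history."""
    reasons = policy_violations(account, password)
    if not reasons:
        if account.password_hash:
            account.history.append(account.password_hash)
        account.password_hash = hash_password(password, account.salt)
    return reasons


def attempt_login(account: Account, password: str, now: float) -> str:
    """Return 'locked', 'throttled', 'failure' or 'success' for one login attempt."""
    if account.locked:
        return "locked"
    # Throttling is decided before the password is even checked, so a burst of
    # guesses costs the attacker time regardless of whether they are right.
    account.attempt_times = [t for t in account.attempt_times if now - t < THROTTLE_WINDOW_SECONDS]
    if len(account.attempt_times) >= MAX_ATTEMPTS_PER_WINDOW:
        return "throttled"
    account.attempt_times.append(now)
    if hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        account.failed_attempts = 0
        return "success"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_BEFORE_LOCK:
        account.locked = True
    return "failure"


def demo() -> dict:
    """Constructed walk-through: weak and reused passwords are rejected, a slow
    brute-force run hits the lock-out, and a fast burst hits the throttle."""
    alice = Account("alice", mfa_enabled=False)
    rejected = set_password(alice, "Qwerty1234")             # 10 chars and on the denylist
    accepted = set_password(alice, "correct-horse-battery")
    reused = set_password(alice, "correct-horse-battery")    # same password again
    # One guess every 20 s: never more than 3 per window, so the 10th wrong
    # guess locks the account and the 11th is refused outright.
    outcomes = [attempt_login(alice, f"guess{i}", now=20.0 * i) for i in range(11)]

    bob = Account("bob", mfa_enabled=True)
    short_ok = set_password(bob, "8charsOK")                 # 8 chars is enough with MFA
    # Six guesses in the same second: the sixth is throttled before it is checked.
    burst = [attempt_login(bob, "wrong", now=0.0) for _ in range(6)]
    return {"rejected": rejected, "accepted": accepted, "reused": reused,
            "outcomes": outcomes, "short_ok": short_ok, "burst": burst}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. The throttle is evaluated before the password, so an attacker cannot tell a throttled response apart from a wrong guess being rate-limited, and lock-out and throttling are separate counters: throttling slows a burst, lock-out ends a patient campaign. In a real deployment the same hashing work factor and per-user salt would be used for the history entries, and the denylist would be the full common-password list rather than the five constructed entries here.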
When we implement MFA and stricter password policies with our new clients, there is often resistance. Business owners don’t want to make work harder for their employees or themselves, and the additional security seems unnecessary and unduly onerous. The mindset is often that they are too small to be a target for hackers, or they have an ‘it-will-never-happen-to-me’ attitude.
The best thing to assume is that everyone is a target, and that if you don’t take security measures you will be hacked. This mindset helps you take the necessary actions to protect your IT systems. We recently spoke to a local accountancy firm (NOT one of our clients!) that had fallen victim to a cyber-attack and 3 weeks after the incident they still did not have their emails back online!
However, larger FTSE 100 companies don’t always get it right… Recently hackers told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) “for fun”. They accessed the FTSE 100 firm’s database thanks to an easily found and weak password… Qwerty1234. (If you’re using this password, change it now! You can also check the 10,000 most common passwords via this Wikipedia page)
The hackers went on to say: "Our attack was originally planned to be a ransomware but the company's IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic]. We did a wiper attack instead," one of the hackers said. "A wiper attack is a form of cyber-attack that irreversibly destroys data, documents and files."
You can read more about this story on the BBC website, but it is a stark reminder to ensure you have a robust password policy in place, because if it can happen to Holiday Inn, it can happen to you.
So, jump on that weak password policy TODAY… STOP using anything mentioned in the Wikipedia link above! Yes, your employees (and you!) will complain a bit, but the protection of your company data, and in particular your GDPR responsibilities, are more important than a few disgruntled employees. If you need any help or advice, please feel free to contact us - 01935 411319 or email: info@markone.co.uk