Password Security and Data Breaches: Why an Aware Workforce Makes for a Secure Organisation

Today, almost every aspect of our lifestyle is connected and integrated through a digital platform - from digital payments to video conferences and now, daily work from home set-ups. As our daily life becomes increasingly more digital, the risk for identity theft and falling victim to data breaches has also heightened.  

In 2020, when the majority of the world was heavily reliant on video conferences, Forbes reported that Zoom was hit by a credential stuffing attack that has compromised 500,000 user accounts. Security researchers have found that the attackers retrieve old databases of passwords sold on dark web markets, which contains databases that are dated as long as 8 years ago i.e. 2013. 

Today, many companies have dedicated and invested significant amounts of resources to enhance their security and protect their confidential data from uninvited attacks. However, a large proportion of organisations remain susceptible to data breaches. According to research by SpyCloud, 74% of employees working for Fortune 1000 telecom companies are reusing passwords across multiple accounts. While many may assume that using a combination of symbols and word capitalisation and alphanumerics in their password will protect them from data breaches, the harsh truth is that: it does not offer sufficient security. The tendency of reusing passwords results in poor password hygiene. Naturally, nobody wants to end up with a complex long list of passwords and so, we reuse them for ease of convenience. However, this practice underscores a weak link in your security posture.

Weak passwords often pose challenges to your organisation as it leads to account takeover (ATO) and credential stuffing attacks – two security threats that often go hand in hand. Identity thefts have always been a concern as it usually leads to a leakage of confidential corporate data, sensitive credentials and more. These attacks can potentially cause significant damage for companies and there is no doubt that we can do more about it by enforcing best practices within the organisation.  

The future of identity theft and the potential for misuse 

The rise of cryptocurrencies has fueled the dark web services as people can now conduct transactions anonymously. With more sophisticated means of anonymous transactions, catching cyber criminals is like a continuous game of cat and mouse. 


In 2020 alone, big brand houses such as Microsoft, Estee Lauder and Twitter have exposed databases that disclosed millions of Personally Identifiable Information (PII) due to unsecured databases. The disclosed information may include customer name, email addresses, sensitive information such as credit card details and more. 

Discovery and Notification


1. Use multi-factor authentication

In today’s threat landscape, passwords alone will not provide enough security for your organisation. Weak passwords are one of the hacker’s top choices of weapon. In fact, According to Watch Guard, 81% of global cyberattacks exploit weak passwords. 

In this case, multi-factor authentication adds an additional layer of security to your organisation as it prevents most cyber criminals from easily gaining an initial foothold into your organisation's confidential database. This could include text or email security codes, a physical security token, biometrics, or security questions.

2. Limit account access attempts

In the event of credential stuffing, bots and other automated approaches are usually adopted to input thousands of credentials. To limit attackers’ ability to do this, your organisation should establish security policies that lock accounts after it reaches a certain number of failed logins. 

3. Alert unrecognised new devices and suspicious logins

An ATO attack often takes place from a new, unrecognised device. To counter this, organisations may use cookies or IP addresses to save approved logins. 

Enforce settings that provide an email or text message alert, when someone tries to log into their account. Strong authentication policies will allow your users to ensure that every login attempt is legitimate. This will allow your organisation to discover any illicit activity and carry out corrective measures.

Alyne’s Approach 

A security-aware workforce is a critial component of a secure organisation. In Alyne, we have dedicated Controls mapped to standards, laws and regulations in data privacy, security and data loss prevention, helping you to follow a best practice approach. We believe that employee awareness is pivitol to the organisation's protection and so we have placed a great emphasis on Alyne's ability to run large-scale Assessments in order to asses maturity and understanding, further enabling you to know where to focus your data protection efforts. 


Alyne’s has a number of out-of-the-box Control Sets that addresses topics such as Data Loss Prevention, Data Protection and Data Privacy in compliance with legal requirements from major global jurisdictions, such as GDPR, UK Privacy Act and more. Alyne's Controls are customisable, allowing your organisation to create the Controls that best suits your organisation’s area of concern. 

 

 

Alyne's highly scalable Assessment templates enable you to regularly assess maturity across your organisation and follow the correct process should a risk event occur. Business leaders can assess their data privacy baseline at scale, analyse deviations in desired maturity, and have a clearer view of where to focus their attention in improving their security measures.



 

In Alyne, risk and compliance managers will also be guided with an intuitive visualisation of expected vs assessed maturity results. Radar Diagram Reports in Alyne help to quickly and easily understand their threat landscape, in the context of the topics that were assessed. More importantly, the Radar Reports offer tangible value by guiding organisations to know where to focus their attention in order to strategically fill in the gap and reach their desired level of security.  

To learn more about how you can protect and enhance your data privacy and online security as you meet the requirements of EU GDPR, UK DPA, USA CCPA guidelines with Alyne's capabilities, contact our team.

ZurückWeiter
Eunice Cheah

Related Posts

Blog thumbnail

IT Vendor Management - Zentrales Management und Risikosteuerung

Im Zuge von Digitalisierung, Automatisierung und Kostenreduzierung werden IT-Dienstleistungen ausgelagert. Daraus erwächst die Frage: Wie können Lieferanten und einhergehende Lieferantenrisiken angemessen gesteuert werden? Dieser Artikel befasst sich mit den Verpflichtungen, denen Organisationen beim Management von Dienstleistern Dienstleistungen gegenüberstehen. Und den Funktionalitäten mittels derer Vendormanagement-Prozesse in Alyne transparenter, kollaborativer und effizienter gestaltet werden können - alles innerhalb einer Plattform.
Blog thumbnail

Alyne RegTech Partnerships - Lessons Learned to Take into 2021

Alyne's Partnership program has developed significantly over the course of the last few years. 2020 proved to be a successful testing and learning experience for Alyne and our partners. It was a year for sense-checking and putting in place structure and strategy for our partnerships that can scale with Alyne and our ambitious global growth plans for 2021 and beyond.
Blog thumbnail

Meaningful Risk Insight for Sustainable Business Growth

In our preparation for 2021, we reflected back on conversations that we'd had in the market, analysed industry trends, discussed pain points and more. We asked ourselves, what new challenges are organisations facing that were maybe not there before? Where does Alyne's product capabilities have the best natural fit in all of this? On a high level, learn more about some of the factors that led us to define our theme for the year: Meaningful Risk Insight for Sustainable Business Growth.