In 2020, when most of the world was heavily reliant on video conferencing, Forbes reported that Zoom was hit by a credential stuffing attack that compromised 500,000 user accounts. Security researchers found that the attackers retrieved old password databases sold on dark web markets, some of which dated back as far as 8 years, i.e. to 2013.
Today, many companies have dedicated and invested significant resources to enhance their security and protect their confidential data from attacks. However, a large proportion of organisations remain susceptible to data breaches. According to research by SpyCloud, 74% of employees working for Fortune 1000 telecom companies reuse passwords across multiple accounts. While many may assume that a mix of symbols, capitalisation and alphanumerics in their password will protect them from data breaches, the harsh truth is that it does not offer sufficient security. Reusing passwords results in poor password hygiene. Naturally, nobody wants to end up with a long list of complex passwords, so we reuse them for convenience. However, this practice is a weak link in your security posture.
Weak passwords pose a challenge to your organisation because they lead to account takeover (ATO) and credential stuffing attacks, two security threats that often go hand in hand. Identity theft has always been a concern as it usually leads to the leakage of confidential corporate data, sensitive credentials and more. These attacks can cause significant damage to companies, and there is no doubt that we can do more about it by enforcing best practices within the organisation.
The future of identity theft and the potential for misuse
The rise of cryptocurrencies has fuelled dark web services, as people can now conduct transactions anonymously. With ever more sophisticated means of anonymous transactions, catching cyber criminals is a continuous game of cat and mouse.
In 2020 alone, big brands such as Microsoft, Estee Lauder and Twitter exposed millions of records of Personally Identifiable Information (PII) through unsecured databases. The disclosed information may include customer names, email addresses, sensitive information such as credit card details and more.
Discovery and Notification
1. Use multi-factor authentication
In today’s threat landscape, passwords alone do not provide enough security for your organisation. Weak passwords are one of the hacker’s top weapons of choice. In fact, according to WatchGuard, 81% of global cyberattacks exploit weak passwords.
Multi-factor authentication adds an additional layer of security, as it prevents most cyber criminals from easily gaining an initial foothold into your organisation's confidential data. Factors can include text or email security codes, a physical security token, biometrics, or security questions.
2. Limit account access attempts
In credential stuffing, bots and other automated tools are usually used to submit thousands of credentials. To limit attackers’ ability to do this, your organisation should establish security policies that lock accounts after they reach a certain number of failed logins.
3. Alert unrecognised new devices and suspicious logins
Enforce settings that send an email or text message alert when someone tries to log into a user's account. Strong authentication policies allow your users to verify that every login attempt is legitimate, enabling your organisation to discover illicit activity and take corrective action.
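An added example (not Alyne's code) of the lockout and alerting logic from points 2 and 3 in Python: it locks an account after a number of failed logins within a time window, alerts on a successful login from an unrecognised device, and also flags a source IP that tries many distinct accounts, the pattern behind credential stuffing. The threshold values and the log line format are assumptions made for this example.

```python
from collections import defaultdict, deque

# Policy values are assumptions for this example, not settings from Alyne.
MAX_FAILURES = 5        # failed logins before the account is locked
WINDOW_SECONDS = 600    # failures are counted within this sliding window
STUFFING_ACCOUNTS = 10  # distinct accounts tried from one IP => stuffing signal

class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)     # user -> timestamps of recent failures
        self.known_devices = defaultdict(set)  # user -> devices seen on successful logins
        self.ip_accounts = defaultdict(set)    # source ip -> accounts attempted
        self.locked = set()
    def record(self, ts, user, ip, device, success):
        """Process one login event and return the alerts/actions it triggers."""
        alerts = []
        # Many different accounts from one source IP is the stuffing signature.
        self.ip_accounts[ip].add(user)
        if len(self.ip_accounts[ip]) == STUFFING_ACCOUNTS:
            alerts.append(f"STUFFING_SUSPECTED ip={ip}")
        if user in self.locked:
            alerts.append(f"LOCKED_ATTEMPT user={user}")
            return alerts  # locked accounts reject even a correct password
        if not success:
            recent = self.failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW_SECONDS:
                recent.popleft()  # forget failures outside the window
            if len(recent) >= MAX_FAILURES:
                self.locked.add(user)
                alerts.append(f"LOCKOUT user={user}")
            return alerts
        self.failures[user].clear()  # a valid login resets the failure counter
        if device not in self.known_devices[user]:
            self.known_devices[user].add(device)
            alerts.append(f"NEW_DEVICE user={user} device={device}")
        return alerts

def process_log(lines):
    """Run 'ts user ip device OK|FAIL' lines (a constructed format) through the monitor."""
    monitor, alerts = LoginMonitor(), []
    for line in lines:
        ts, user, ip, device, result = line.split()
        alerts.extend(monitor.record(int(ts), user, ip, device, result == "OK"))
    return alerts

# Constructed sample: alice brute-forced (6th guess correct), bob on a new device, 10 accounts from one IP.
SAMPLE_LOG = [f"{100 + 10*i} alice 203.0.113.5 dev-a {'OK' if i == 5 else 'FAIL'}" for i in range(6)]
SAMPLE_LOG += ["200 bob 198.51.100.7 dev-phone OK", "300 bob 198.51.100.9 dev-cafe OK"]
SAMPLE_LOG += [f"{400 + i} user{i} 203.0.113.77 dev-bot FAIL" for i in range(10)]
```

Note that a lockout policy on its own can be abused to lock out legitimate users, which is why the per-IP stuffing signal is tracked separately from the per-account counter.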
A security-aware workforce is a critical component of a secure organisation. In Alyne, we have dedicated Controls mapped to standards, laws and regulations in data privacy, security and data loss prevention, helping you follow a best-practice approach. We believe that employee awareness is pivotal to an organisation's protection, so we have placed great emphasis on Alyne's ability to run large-scale Assessments that measure maturity and understanding, further enabling you to know where to focus your data protection efforts.
Alyne has a number of out-of-the-box Control Sets that address topics such as Data Loss Prevention, Data Protection and Data Privacy in compliance with legal requirements from major global jurisdictions, such as GDPR, the UK Privacy Act and more. Alyne's Controls are customisable, allowing your organisation to create the Controls that best suit its areas of concern.
Alyne's highly scalable Assessment templates enable you to regularly assess maturity across your organisation and follow the correct process should a risk event occur. Business leaders can assess their data privacy baseline at scale, analyse deviations in desired maturity, and have a clearer view of where to focus their attention in improving their security measures.
In Alyne, risk and compliance managers are also guided by an intuitive visualisation of expected vs assessed maturity results. Radar Diagram Reports in Alyne help them quickly and easily understand their threat landscape in the context of the topics assessed. More importantly, the Radar Reports offer tangible value by showing organisations where to focus their attention in order to strategically close the gap and reach their desired level of security.