Password Security and Data Breaches: Why an Aware Workforce Makes for a Secure Organisation

Today, almost every aspect of our lives is connected and integrated through a digital platform, from digital payments to video conferences and now daily work-from-home set-ups. As our daily lives become increasingly digital, the risk of identity theft and of falling victim to data breaches has also risen.

In 2020, when the majority of the world was heavily reliant on video conferences, Forbes reported that Zoom was hit by a credential stuffing attack that compromised 500,000 user accounts. Security researchers found that the attackers used old password databases sold on dark web markets, some of them as old as 8 years, i.e. dating from 2013.

Today, many companies have invested significant resources to enhance their security and protect their confidential data from attack. However, a large proportion of organisations remain susceptible to data breaches. According to research by SpyCloud, 74% of employees working for Fortune 1000 telecom companies reuse passwords across multiple accounts. While many may assume that mixing symbols, capital letters and digits in their password will protect them from data breaches, the harsh truth is that it does not offer sufficient security. Reusing passwords is poor password hygiene. Naturally, nobody wants to end up with a long list of complex passwords, so we reuse them for convenience. However, this practice is a weak link in your security posture.

Weak passwords pose a challenge to your organisation because they lead to account takeover (ATO) and credential stuffing attacks, two security threats that often go hand in hand. Identity theft has always been a concern because it usually leads to leakage of confidential corporate data, sensitive credentials and more. These attacks can cause significant damage to companies, and there is no doubt that we can do more about it by enforcing best practices within the organisation.

The future of identity theft and the potential for misuse 

The rise of cryptocurrencies has fuelled dark web services, as people can now conduct transactions anonymously. With more sophisticated means of anonymous transactions, catching cyber criminals is a continuous game of cat and mouse.


In 2020 alone, major brands such as Microsoft, Estee Lauder and Twitter exposed millions of Personally Identifiable Information (PII) records through unsecured databases. The disclosed information may include customer names, email addresses and sensitive information such as credit card details.

Discovery and Notification


1. Use multi-factor authentication

In today's threat landscape, passwords alone will not provide enough security for your organisation. Weak passwords are one of an attacker's favourite weapons. In fact, according to WatchGuard, 81% of global cyberattacks exploit weak passwords.

Multi-factor authentication adds an additional layer of security to your organisation, as it prevents most cyber criminals from easily gaining an initial foothold into your organisation's confidential data. The additional factor could be a text or email security code, a physical security token, biometrics, or security questions.

2. Limit account access attempts

In a credential stuffing attack, bots and other automated tools are usually used to submit thousands of credentials. To limit attackers' ability to do this, your organisation should establish security policies that lock an account after a certain number of failed logins.

3. Alert unrecognised new devices and suspicious logins

An ATO attack often takes place from a new, unrecognised device. To counter this, organisations may use cookies or IP addresses to remember approved logins.

Enforce settings that send an email or text message alert when someone tries to log into a user's account. Strong authentication policies allow your users to confirm that every login attempt is legitimate. This lets your organisation discover any illicit activity and carry out corrective measures.
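The two controls above, locking an account after a threshold of failed logins (point 2) and alerting on a successful login from an unrecognised device (point 3), can be implemented in a single login-event monitor. The following is an added example, not code from the original post or from Alyne; the threshold, window and lockout duration are assumed policy values, and the login events it replays are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy parameters: assumed values for this example, not from the original post
LOCKOUT_THRESHOLD = 5                     # failed logins before the account locks
FAILURE_WINDOW = timedelta(minutes=15)    # failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the account stays locked


@dataclass
class AccountState:
    failures: list = field(default_factory=list)      # timestamps of recent failures
    locked_until: Optional[datetime] = None
    known_devices: set = field(default_factory=set)   # device ids already approved


class LoginMonitor:
    """Processes login events, enforces lockout and flags unrecognised devices."""

    def __init__(self) -> None:
        self.accounts: dict[str, AccountState] = {}
        self.alerts: list[tuple] = []   # (kind, user, detail); would go to email/SMS

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def handle(self, event: dict) -> str:
        """Return the outcome for one event: 'failed', 'locked', 'rejected_locked',
        'success' or 'success_new_device'."""
        st = self._state(event["user"])
        ts = event["ts"]

        # A locked account rejects every attempt, even with the right password,
        # so a stuffing bot gains nothing by hitting the correct pair mid-run.
        if st.locked_until is not None and ts < st.locked_until:
            return "rejected_locked"

        # Only failures inside the sliding window count towards the threshold
        st.failures = [t for t in st.failures if ts - t <= FAILURE_WINDOW]

        if not event["success"]:
            st.failures.append(ts)
            if len(st.failures) >= LOCKOUT_THRESHOLD:
                st.locked_until = ts + LOCKOUT_DURATION
                st.failures.clear()
                self.alerts.append(("lockout", event["user"], event["ip"]))
                return "locked"
            return "failed"

        # Password check succeeded: reset the failure counter
        st.failures.clear()
        if event["device"] not in st.known_devices:
            # Unrecognised device: alert the user and remember the device.
            # In production the device is saved only after the user confirms the alert.
            self.alerts.append(("new_device", event["user"], event["device"]))
            st.known_devices.add(event["device"])
            return "success_new_device"
        return "success"


def run_sample() -> tuple[list[str], list[tuple]]:
    """Replay constructed sample events and return (outcomes, alerts)."""
    t0 = datetime(2021, 6, 1, 9, 0, 0)
    events = [
        # Alice logs in from her laptop for the first time
        {"ts": t0, "user": "alice", "device": "d-laptop-1", "ip": "10.0.0.5", "success": True},
        # A bot tries five wrong passwords against bob within two minutes
        *[{"ts": t0 + timedelta(seconds=20 * i), "user": "bob", "device": "d-bot",
           "ip": "198.51.100.7", "success": False} for i in range(5)],
        # The bot then hits bob's real password, but the account is already locked
        {"ts": t0 + timedelta(minutes=2), "user": "bob", "device": "d-bot",
         "ip": "198.51.100.7", "success": True},
        # Bob logs in himself after the lockout expires, from his own phone
        {"ts": t0 + timedelta(minutes=45), "user": "bob", "device": "d-phone-1",
         "ip": "10.0.0.9", "success": True},
        # Alice again from her known laptop: no alert
        {"ts": t0 + timedelta(minutes=50), "user": "alice", "device": "d-laptop-1",
         "ip": "10.0.0.5", "success": True},
    ]
    mon = LoginMonitor()
    outcomes = [mon.handle(e) for e in events]
    return outcomes, mon.alerts


if __name__ == "__main__":
    outcomes, alerts = run_sample()
    for o in outcomes:
        print(o)
    for a in alerts:
        print("ALERT", a)
```

Two design points matter in practice. The lockout is time-limited rather than permanent, because a permanent lockout lets anyone who knows a username lock its owner out; the source IP is attached to the lockout alert so the security team can correlate it with other accounts hit from the same address. The new-device alert fires on a successful login, which is exactly the moment point 3 describes: the user can confirm or deny the login before the device is trusted.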

Alyne’s Approach 

A security-aware workforce is a critical component of a secure organisation. In Alyne, we have dedicated Controls mapped to standards, laws and regulations in data privacy, security and data loss prevention, helping you to follow a best practice approach. We believe that employee awareness is pivotal to the organisation's protection, so we have placed great emphasis on Alyne's ability to run large-scale Assessments that measure maturity and understanding, enabling you to know where to focus your data protection efforts.


Alyne has a number of out-of-the-box Control Sets that address topics such as Data Loss Prevention, Data Protection and Data Privacy in compliance with legal requirements from major global jurisdictions, such as GDPR, the UK Privacy Act and more. Alyne's Controls are customisable, allowing your organisation to create the Controls that best suit your organisation's areas of concern.


Alyne's highly scalable Assessment templates enable you to regularly assess maturity across your organisation and follow the correct process should a risk event occur. Business leaders can assess their data privacy baseline at scale, analyse deviations in desired maturity, and have a clearer view of where to focus their attention in improving their security measures.


In Alyne, risk and compliance managers are also guided by an intuitive visualisation of expected versus assessed maturity results. Radar Diagram Reports in Alyne help them quickly and easily understand their threat landscape in the context of the topics that were assessed. More importantly, the Radar Reports offer tangible value by showing organisations where to focus their attention in order to close the gap and reach their desired level of security.

To learn more about how you can protect and enhance your data privacy and online security while meeting the requirements of the EU GDPR, UK DPA and USA CCPA with Alyne's capabilities, contact our team.

Eunice Cheah
