Setting protections around business operations is always a good idea. But those protections don’t mean anything if someone gets your credentials.
Business owners and executives often rely heavily on their IT leaders and InfoSec personnel to secure business information. While the majority of this does fall under the IT umbrella, it is important to remember that security practices are the responsibility of every single employee. The IT department can put protections in place all day long, but those protections only work when everyone practices good cyber-hygiene, including the use of strong passwords and 2FA.
In the past, we’ve talked about the importance of passwords and that using a password manager is generally a safe practice. We’ve also discussed the various ways to implement two-factor authentication. These discussions didn’t happen just because we think they’re a good idea. These discussions happened because these are incredibly important pieces of security.
To review, strong passwords are important because people are easier to hack than machines. If someone can spend a few weeks getting to know you, they may be able to simply guess your password. Using a phrase that has nothing to do with you and is at least 24 characters long is one of the top ways to stop a hacker. The programs they use to decipher passwords take longer to work when passwords are longer because there are exponentially more combinations. Capitals and symbols aren’t as important as the length. Example of a good password: theskyispinkinthemonthofnovember (32 characters, unrelated to anything)
2FA can be implemented in a few ways: a code sent by text message, fob/RSA tokens, and hardware keys (YubiKeys). When you log in to a system with your username and password, it will prompt you for the second piece before you can get in. This adds a layer of security, especially when you use a token or YubiKey, because it is unlikely that an attacker is going to have access to both pieces. It’s not infallible, but it makes systems more secure.
Now, to show what can happen when security protections are in place but there’s an easy password and no 2FA employed, please take a look at President Donald Trump’s Twitter account. Several sources are citing a security researcher out of the Netherlands who claims to have guessed Trump’s password (maga2020!) and gained access to his account because he (or his people) did not set up 2FA. Imagine the damage that could be done on a global scale with access to that account! President Trump’s tweets are monitored by every country. Global stock markets rise and fall based on what he says. Not to mention, if his password is that easy to guess for Twitter, can we really be certain he is using proper security methods on more sensitive accounts?
The White House and Twitter both deny these allegations, so it is unclear at this time whether this is true or not. But this is a perfect example of why strong passwords and 2FA are so important. The fact that the researcher’s claim is being reported at all demonstrates just how plausible the scenario is, whether or not it’s true. Twitter says that Trump’s account has extra protections around it, similar to other notable government officials. But those protections don’t matter if someone gets hold of his credentials.
The same applies in business. If your IT department has all of the proper security measures in place, but an employee is fooled by a phishing scheme or has their credentials stolen, then someone can get in. Having a strong password will make it harder for a bad actor to guess it or run a cracking program against it. Utilizing 2FA adds another layer of security should those credentials become compromised, and at a minimum it alerts the person that someone is using their information. Once they get that notification, the employee can immediately contact their IT team to let them know and then change that password right away.
If you do not currently enforce strong passwords and 2FA, now is the time to implement them. Credentials are literally the key to the kingdom. They should be treated as such and given the highest security to prevent a front-door attack. If you’re not sure how to set these protocols in place, please consult an expert! There are many companies out there which can help ensure the security of your sensitive information. This isn’t something to take lightly; it is of the utmost importance. The success of your business depends on it!