For many people, the thought of cybersecurity and cyberattacks conjures up scenes from movies like ‘Hackers.’ When those movies were made, the internet was still in its infancy and much less of our world depended on it.
Today, it is a very different situation.
Even before the coronavirus pandemic pushed us further online as we try to social distance, much of our daily lives was run and/or facilitated via digital solutions on the internet.
In our personal lives, this involves all the apps and websites we use on our various devices. In our professional lives, this involves the digital solutions your organisation uses to collaborate with each other, engage with customers, and do business with other companies.
In our highly networked society, your daily business activities may not put you behind a computer, but invariably in the 2020s and beyond, your business is relying on digital solutions to operate. These could be as commonplace as online banking and payment services, or more complex solutions like customer databases, inventory management and supply chain systems. If they are connected to the internet, they are under threat.
Just as much as these digital solutions provide an advantage, they also carry with them risks that need to be understood. Those risks are the chance that some unauthorised person or group could access those digital solutions, and use them to harm your organisation or your customers. We can all agree, this is unacceptable.
In this series of articles and their accompanying videos, we will provide resources and best practices to help your organisation train its staff on creating cybersecurity awareness. You might be asking, “why train my staff and not purchase some fancy, AI-powered hacker busting super system?”
Let’s find out why.
Section 1: Why Cybersecurity Awareness Training is Necessary
You can’t operate your business without employees, making them indispensable. But because they interact with your systems on a daily basis and they have varying levels of technical literacy, they also represent the greatest threat to your security.
And oftentimes they aren’t even aware of it.
The “People” Problem
You could spend so much time and effort on getting the right technology in place and setting up an expensive security department, only for your employees to be the entry point for cybercriminals. Some employees choose easy to remember passwords that are less secure. Some employees use the same password across multiple accounts. It makes remembering the passwords easier but it also makes it possible that a hacked account (a marketing tool for example) could give access to a more critical business system. Without being aware of what to look for, even your email inbox could be a minefield. Some employees are more easily fooled than others, which is why phishing scams work so well and are the main method cybercriminals use to gain access.
Before we move on to the first section of our cybersecurity awareness training on password security, I want to take a moment to impress upon you the necessity for this with some facts and figures.
Cybersecurity Facts and Figures
According to Verizon’s Data Breach Investigations 2019 report, 81% of all data breaches were caused by “weak passwords” being compromised. In the last few years, cyberattacks have not been so much about directly stealing money or selling off valuable data; they’ve mostly been about holding data and systems ransom.
Why? Because it’s a quick payout using cryptocurrency.
The average ransom demand in 2020 is $178,000, but for small businesses, the average is only $5,900. Don’t think this difference is out of the kindness of the attackers’ hearts; this is what they think they can get away with.
Weak passwords and phishing attacks have been instrumental in allowing cybercriminals access to these systems. Unfortunately, because this method is very effective, it has gained in popularity, and there are now a lot of automated tools out there for cybercriminals to choose from. Performing a ransomware attack does not necessarily require a high level of skill, and so it attracts low-skilled opportunistic groups and “script kiddies.” Some ransomware kits go for as low as $50.
The three most common ways of ransomware being implemented are via ransomware emails (phishing emails), software vulnerabilities and server weakness exploits. In phishing emails, attackers will often attach a file infected with ransomware. Annoyingly, the most common infected file formats are also very commonly used: the .DOC and .DOT extensions for Microsoft Word documents.
Increasing cybersecurity awareness is not only about protecting your money and intellectual property: 2020 also became the first year that someone died from a cyberattack, and it was due to a ransomware attack.
If you aren’t training your staff then you are missing a huge opportunity to boost your security. Understandably, not every organisation has the time, money, or resources to invest in creating a cybersecurity awareness training program from scratch. It’s with this in mind that we’ve created this series of articles and videos for you to use. Whether it’s using this information to support you in creating your own training program or directly sending these videos or presentations to your staff, what matters most to us is that you take action to protect your business from cybercriminals.
Section 2: Password Best Practices
Passwords are the digital equivalent of the keys to the castle. With a key, you get trusted access; without a key, you don’t. Simple, right?
In principle, it’s a straightforward idea, but good password usage requires management to ensure that the security it provides is not a false sense of security. Unlike actual castle keys, organisations and individuals need to keep track of many more passwords than you would think. To make matters worse, not everyone treats their passwords with the same level of respect they deserve, as we will soon explore.
The average person needs to remember approximately 100 passwords. This isn’t easy, considering most people these days can’t even remember the phone numbers of their loved ones. Remembering so many passwords for so many accounts is difficult, so what most people end up doing is using only a few passwords (with slight variations on them) that are easy to remember.
Unfortunately, this preference for ease of use comes at the sacrifice of security.
- Password 1
…is much easier than remembering this…
In isolation, a hacker getting access to one employee’s Facebook or Amazon account is of no concern to the employer. However, keeping in mind our need to use easily remembered passwords, there is a chance that that employee could be using the same or similar password for the organisation’s payroll account, for example. If a cybercriminal can make this jump from hacking a private account to a business account, the results could be disastrous for the organisation.
If we look back at the 15 biggest data breaches in this century (the last 21 years at the time of writing this), 3.5 billion users had their data stolen in just the top two of those 15 data breaches. It’s worth checking this list out, as it includes some very well-known brands and services that most people use.
You can’t control what staff do outside of office hours, but you can do several things to help protect your business from cybercrime. Humans are often the weakest link when it comes to security, so they need to be trained.
- Invest in training your staff with cybersecurity awareness training.
- Create and implement a good password policy.
- Use technology to support your staff, i.e. password managers.
Understanding credential stuffing and brute-force attacks
The reason why people can’t get away with using the same passwords (or slight variations of them) across their roughly 100 different user accounts is because of techniques cybercriminals use called credential stuffing and brute-forcing.
In credential stuffing, cybercriminals will purchase lists of stolen log-in credentials (usernames and passwords), which are then used via large-scale automated login requests to try to gain access to various websites or services. The automated tools are also sophisticated enough to use the most popular passwords and make slight variations on passwords.
For example, if you use the email address “firstname.lastname@example.org” and password “qwerty123” for LinkedIn, Microsoft, and Google, then you are in trouble. A few years ago, LinkedIn was hacked, and several million users’ email addresses and passwords were stolen. Any account where you used the same email address and password – Microsoft and Google – is now at risk of being compromised.
A brute-force attack is similar to credential stuffing in that log-in attempts are automated, but in this attack, the hackers don’t have any known passwords to base their attempts on. In other words, they try to guess credentials by using random strings and commonly used passwords.
Cybercriminals are clever and know that by automating the login process, they can gain access to important systems with relatively little effort. Their success is due to our failures at using passwords correctly.
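The two attack patterns described above leave different traces in login logs, which is how an administrator can tell them apart. The following is an added example, not part of the original guide: the log events are constructed, and the thresholds and function names are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

MIN_FAILURES = 5   # assumed threshold: below this, treat failures as typos
MIN_ACCOUNTS = 5   # assumed threshold: this many distinct accounts = stuffing


def sample_events():
    """Constructed login events: (source_ip, username, success)."""
    events = []
    # One source walks a stolen list, trying each account once.
    for user in ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]:
        events.append(("203.0.113.10", user, user == "carol"))
    # One source hammers a single account with guesses.
    events += [("198.51.100.7", "admin", False)] * 8
    # A real employee mistypes twice, then gets in.
    events += [("192.0.2.44", "heidi", False)] * 2 + [("192.0.2.44", "heidi", True)]
    return events


def classify_sources(events):
    """Label each source IP by the shape of its failed logins."""
    failures = defaultdict(Counter)
    for ip, user, success in events:
        if not success:
            failures[ip][user] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        if sum(per_user.values()) < MIN_FAILURES:
            continue
        if len(per_user) >= MIN_ACCOUNTS:
            verdicts[ip] = "credential-stuffing"   # many accounts, few tries each
        elif max(per_user.values()) >= MIN_FAILURES:
            verdicts[ip] = "brute-force"           # many tries on one account
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that a flagged source managed to log in to."""
    return sorted({user for ip, user, success in events
                   if success and ip in verdicts})


if __name__ == "__main__":
    events = sample_events()
    verdicts = classify_sources(events)
    print(verdicts)
    print("reset:", accounts_to_reset(events, verdicts))
```

The account that the stuffing source logged in to on its first try is the one whose password was reused from a breached list, so it is the one to reset first.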
You know now the important reasons why passwords should be considered almost holy, but how do you know if your credentials or that of your organisation’s staff have already been compromised?
Have you been compromised?
Fortunately, some websites can provide you with an idea of whether your log-in credentials have been compromised in past data breaches. This information is gathered from publicly available databases of breached credentials. Or in other words, cybercriminals already have access to them.
It might be helpful for system administrators to run the company email addresses of higher-ranking staff and those with access to critical systems through these lists. Also, when training your staff on a good password policy, ask them to check for their email accounts in these lists. The results might be a wake-up call for them to improve their passwords.
“Have I Been Pwned?” checks to see if the submitted email address shows up on the lists in their database and explains where the data came from and what information it contains. These could be passwords, email addresses, usernames, geographic location, and phone numbers.
Scattered Secrets requires the set up of an account because it shows the affected email address and the passwords for that email address. It’s pretty freaky seeing your super-secret passwords shown like this, but that shock encourages people to adopt better password practices.
Avoid common passwords
Our need to easily remember passwords has manifested in some curious ways, one being that every language has a list of the most common passwords for that language. Oftentimes these are expressions, keyboard combinations, or sports teams.
Some of the most common passwords around the (English-speaking) world are:
The use of these common passwords puts you and your organisation at risk of a brute force attack. As mentioned before, a brute-force attack basically involves guessing passwords, so the more complex a password is, the harder and longer it takes for them to be guessed or brute-forced.
According to the image below, brute-forcing a password that is only 6 characters long and only uses lower case letters will be near-instantaneous. A 15 character password with a combination of upper and lower case letters will take 43 million years.
The lesson is clear, “complexity is king” when it comes to passwords.
Developing a good password policy will help organisations ensure that the risks of them being compromised by a brute force attack are minimized. This also helps isolate the business passwords from the user’s private passwords, further reducing the risk of credential stuffing. Creating a password policy is done by placing certain standards on what a good and acceptable password is.
What makes a good password?
Passwords are the first line of defence against unauthorized access by cybercriminals. The stronger the password, the harder it will be for them to gain access through brute-force attacks. Since we can’t expect staff members to create strong and unique passwords themselves, organisations need to adopt password policies that ensure that these best practices around password security are enforced.
Good passwords should contain:
- Letters (upper and lower case)
- 10 characters or more
Strong passwords should utilize a combination of symbols, numbers, and upper- and lower-case letters. As we showed in the previous section, the complexity and length of a password make it extremely difficult to guess.
It is also a best practice to enforce that passwords that meet policy requirements should not contain any personal information, specifically, the user’s real name, username, or company name.
Alongside enforcing complexity to make passwords difficult to guess, you should also enforce password length. Passwords should be more than 8 characters long. Between 10 and 12 characters is a sweet spot for ease of use and security.
Restrict Reuse and a Blocklist
Despite being trained on password security practices, people will still want to reuse the same passwords to make their lives easier. A great way to prevent old passwords from being reused is to set minimums for reuse: for example, the previous 5 passwords are not allowed for reuse.
If possible, administrators should also adopt a blocklist that blocks users from choosing the most common passwords. No more ‘Password123’.
Minimum and Maximum Age Limits
Setting up limits on minimum password age prevents employees from temporarily changing a password and then switching back to a familiar one. To prevent this issue, you should require passwords to be held for 3 to 7 days before they can be changed. However, the IT support team should be able to change passwords regardless of age.
Setting a maximum age limit of anywhere from 90 days to 180 days is advisable as it reduces the possibility that the password has been compromised. It is annoying to your staff to deal with this, but it will be less frustrating and much more secure if you provide them with tools for managing their passwords.
Restricting reuse and enforcing minimum and maximum age limits are policies that are difficult to implement and manage without a dedicated IT person in your organisation. If that is the case, then some of the other best practices will be easier to implement and still improve your overall security.
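The rules from the last few sections can be combined into a single check that runs when a user picks a new password. This is an added example, not part of the original guide: the blocklist is a tiny constructed sample, the user and company names are hypothetical, and the age limits use the low end of the ranges given above.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 10                   # "10 characters or more"
HISTORY_DEPTH = 5                 # previous 5 passwords may not be reused
MIN_AGE = timedelta(days=3)       # low end of the 3 to 7 day minimum age
MAX_AGE = timedelta(days=90)      # low end of the 90 to 180 day maximum age
BLOCKLIST = {"password123", "qwerty123"}   # constructed, tiny sample list
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def remember(password, salt=None):
    """Store old passwords as salted PBKDF2 digests, never as plain text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def violations(password, personal, history, last_changed, now, it_support=False):
    """Return the list of policy rules the new password breaks."""
    found = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if not all(re.search(c, password) for c in CLASSES):
        found.append("needs upper, lower, number and symbol")
    if lowered in BLOCKLIST:
        found.append("on blocklist")
    if any(len(p) >= 3 and p.lower() in lowered for p in personal):
        found.append("contains personal information")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(remember(password, salt)[1], digest):
            found.append("reuses a recent password")
            break
    # IT support may reset a password regardless of its age.
    if not it_support and now - last_changed < MIN_AGE:
        found.append("changed too recently")
    return found


def is_expired(last_changed, now):
    """True once the password is older than the maximum age."""
    return now - last_changed > MAX_AGE


if __name__ == "__main__":
    now = datetime(2024, 1, 31)
    history = [remember("Winter-Is-Here-2023")]
    who = ["Jane", "Doe", "jdoe", "ExampleCo"]   # hypothetical user and company
    for candidate in ["Password123", "JaneDoe#2024x", "Winter-Is-Here-2023",
                      "5BrownMonkeysEat3YellowBananas!"]:
        print(candidate, violations(candidate, who, history,
                                    now - timedelta(days=10), now))
```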
A good password policy is worth nothing if employees aren’t being trained on it. Once a policy is adopted, all staff should be trained on the policy. The password policy should also be folded into the onboarding process for new hires.
By this point, it’s pretty clear that a strong password policy comes at the cost of making authorised log-in a little more difficult. One way to lessen the burden on employees to remember many unique passwords is to use a password manager. We will talk about password managers in more detail a little later.
Passphrases over Passwords
Using a passphrase is more secure because it can be longer while still being easy to remember, since it isn’t a random string of letters, numbers, and symbols. A passphrase like ‘5BrownMonkeysEat3YellowBananas!’ is more secure than ‘P@s5W0rd!’ while being relatively easier to remember.
Passphrases should be used by system administrator accounts and other accounts that require extra protection.
We’ve hinted at password managers throughout this guide quite a bit, and now we are going to explain why this is one of the best tools you can provide staff. First, we will explain why it is such a powerful tool, and then we will explain more about password managers in general.
As mentioned earlier, the whole problem with leaving employees to manage their own passwords is that they will choose ease over security. Password managers bypass this issue by allowing users to store their passwords securely and use them very easily. This means that users can have the ease of use they want – in many cases, it is much easier than entering passwords manually – and use unique and complex passwords.
What do password managers do?
There are many password managers out there: Dashlane, 1Pass, LastPass, and NordPass, to name a few. They all work fairly similarly, so we will talk about our experiences with LastPass when explaining the benefits of using a password manager.
In the simplest explanation, a password manager acts like a vault where usernames and passwords are stored. One master password is used to access this vault from your various devices (computers, phones, and tablets) via an app or browser extension. The well-known password managers also have high levels of data encryption and good security practices to keep your passwords safe.
Much better than writing them on a post-it note!
Auto-fill and updating
Password managers are sophisticated enough to tell what website you are on or what application you are using and suggest auto-filling in the appropriate username and password.
When you create a new account or update the credentials of an existing account, the manager will ask you if you would like to update your vault information for that account. Most password managers also provide a password generator to help you create strong (long and complex) passwords. This helps you follow password best practices going forward.
If you are using a website or app where the password manager does not recognise that you have an account, or where you don’t want to log in to your password manager vault, you can find the password on your mobile phone and enter it manually. For example, if you are using a public computer, you probably won’t want to download the password manager and log into it on the computer.
Some password managers, like LastPass, have password auditing tools and wizards (a small tutorial program) that help you easily check your security level and change passwords. As many people use the same passwords repeatedly, it is worth giving this password changing wizard a try. It, along with the password generator, can help you easily change the passwords of your most important accounts.
As you can see, a password manager makes managing all passwords incredibly easy while also facilitating a high level of security by using strong, unique passwords. You can provide your staff with access to the password manager for them to use while working at a business level. It’s good for business security, and it’s good for staff sanity.
Multi-Factor Authentication (MFA or 2FA)
Multi-Factor Authentication (MFA) or Two Factor Authentication (2FA) is a security precaution that you likely already have some experience using. When logging into an app or website, it sends an authentication code to you via email, push notification, or text message that you need to input into the app or website to gain access.
This authentication process is more secure because it requires another step tied to a device or contact method linked to the same user. This means that if a password is compromised and used by someone else, they probably won’t also have access to that device or contact method.
You should activate multi-factor authentication for the business tools and services your organization uses. This adds another layer of security to your activities that should be used in combination with good password policies and using password managers. MFA can be set up so that it simply sends a text message to your phone or requires the use of an authentication app like the free Google Authenticator.
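Authentication apps such as Google Authenticator produce time-based one-time codes (TOTP, RFC 6238) from a secret shared with the service at enrolment. The following added example, which is not part of the original guide, shows how the service checks such a code and why a stolen password alone does not pass; the secret is the RFC's published test value, and `second_factor_ok`, `login` and the one-step drift window are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, the RFC 6238 default
WINDOW = 1     # assumed tolerance: accept one step of clock drift either way


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since 1970."""
    return hotp(secret, unix_time // STEP, digits)


def second_factor_ok(secret, code, unix_time, last_counter=-1):
    """Return the matching time step, or None if the code is rejected.

    Codes from steps at or before last_counter are refused, so a code
    that was already used (or observed) cannot be replayed.
    """
    now = unix_time // STEP
    for counter in range(now - WINDOW, now + WINDOW + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def login(password_ok, secret, code, unix_time, last_counter=-1):
    """Both factors are required: a correct password alone is not enough."""
    return password_ok and second_factor_ok(secret, code, unix_time, last_counter) is not None


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test secret, not a real key
    code = totp(secret, 59)
    print(code, login(True, secret, code, 59))      # valid password and code
    print(login(True, secret, "000000", 59))        # right password, no device
    print(login(True, secret, code, 59 + 120))      # code two minutes old
```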
If there is only one thing you take from this guide on cybersecurity awareness and this particular section on passwords, it should be this: use MFA for your accounts.