The hyper-connected world we live in means that everything about our lives and habits is out there. The recent MyFitnessPal breach once again shows you that nothing is safe. This breach affected 150 million accounts. Let us let this sink in for a second – 150 million around the world.
So how does this affect you and your business, you may ask?
Simple: the vast majority of people on this planet use the same password for all applications and logins, and most never change them. If not the same password, they will use something very close. For example, a password such as JohnMc1 will be given iterations such as:
JohnMc2 - JohnMc1# - J0hnMc! - J@hnMc3, etc
Cyber attackers know this is human behaviour, and using information gained from a public breach means that they can rapidly break open any account that is associated with that individual. This means email, webmail, corporate logins and everything else.
1 breach and everything is breached
Jumping back to the MyFitnessPal breach (or any breach for that matter), your users are affected even if they have not used the app for ages and registered years ago. Using the information gained from a breach, the cyber attacker can gain access to everything. Our CSC team has identified and stopped several of these in recent times. Our team identified and stopped a massive internal data leakage working with this exact modus operandi.
Still not convinced?
So let’s think about a few things for a second:
- Do your users have access to business systems with sensitive information?
- Do they have access to personal records or financial information?
- Do they receive one-time PINs, passwords, etc. to these various accounts?
- Do they work with customer pricing, tenders or the like?
I hope your mind is working and seeing some of the possibilities now.
Using this information to commit cyber-crime is easy and all I need is patience. If you don’t have visibility, you would not even know that I am there.
The cyber-criminal has all the time in the world. With unmonitored access, they just need to wait for the right piece of juicy information to appear. Perhaps it is mention of a large cash drop-off, routes for delivery vans, customer pricing for a tender, credit card information or your customer invoices to intercept and have bank details changed.
It is imperative that you gain visibility and enforce a password policy with automation. Password policies must be strictly enforced, and user accounts must be monitored for breaches, with automatic remediation.
You cannot allow passwords to be similar to previous iterations, and the forced password change needs to be regular and even immediate on accounts affected by breaches.
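The "no similar iterations" rule, applied to the JohnMc1 variations listed earlier, as an added example (not code from the original article). It assumes the check runs at password-change time, when the user has just typed the current password, because stored passwords are hashes; the function names, the substitution table and the 0.8 similarity threshold are illustrative choices.

```python
import re
from difflib import SequenceMatcher

# Common look-alike substitutions mapped back to the letter they replace
# (an illustrative table, not an exhaustive one).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "@": "a", "4": "a", "3": "e", "1": "l",
    "!": "i", "$": "s", "5": "s", "7": "t",
})


def base_word(password: str) -> str:
    """Reduce a password to the word its owner is really reusing."""
    # Drop the digits and symbols people append or prepend (JohnMc1# -> JohnMc).
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    # A password with no letters at all is compared as typed.
    return (stripped or password).translate(SUBSTITUTIONS).lower()


def is_iteration(new: str, current: str, threshold: float = 0.8) -> bool:
    """True when `new` is only a cosmetic variation of `current`."""
    a, b = base_word(new), base_word(current)
    # Exact match on the base word, or close enough to count as the same word.
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


if __name__ == "__main__":
    current = "JohnMc1"  # constructed sample, taken from the article's example
    candidates = ["JohnMc2", "JohnMc1#", "J0hnMc!", "J@hnMc3",
                  "correct-horse-battery-7"]
    for candidate in candidates:
        rejected = is_iteration(candidate, current)
        verdict = "REJECT (iteration)" if rejected else "accept"
        print(f"{candidate:26} {verdict}")
```

A check like this belongs in the password-change handler, next to a lookup of the new password against known breach corpora.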
We will help you gain this visibility and keep your people and information protected – even in the event of a breach. Visibility, automation and intelligence allow you to respond.
Password policies may not be popular and executives may not like them – but in all honesty your password policy is not a popularity contest. In order to stay secure we cannot allow emotions and feelings to prevent us from staying cyber secure.
We cannot worry about feelings, #letsgetreal
John Mc Loughlin