Clavister Blog Staff

Compromised credentials: a problem for every business

A huge 97% of large organizations have suffered a leak of crucial corporate login credentials, according to recent research. 97%! Across the world’s largest 1,000 organizations, there were 5 million leaked credentials – an average of 706 per organization.

How were these credentials leaked? The majority were stolen via LinkedIn and Adobe – two services that people are likely to sign up to using their work email addresses and related passwords. This underlines how sophisticated cybercriminals may target third parties in an attempt to secure a route into large enterprises. As a result, if one of your staff members uses their work login details to register for a third-party service, then your security is to a large extent dependent on that third party’s security. Did we mention 97%?

It’s a worrying thought. Robustly protecting your own perimeter isn’t enough. If a single legitimate username and password combination falls into criminal hands, then that criminal can walk directly into your network, unnoticed.

As the survey results also point out, simply resetting your corporate passwords in the event of a breach is not a sensible mitigation strategy. Firstly, because company-wide password resets can be costly and complex to implement, and secondly, because you are then relying on very early knowledge of the relevant data breach. What if the linked third party hasn’t identified or fully investigated the breach yet? You might have days or weeks to wait.

To solve this challenge, we need to shift focus back on the credentials themselves, and admit that traditional username or email address/password logins are, in many cases, no longer fit for purpose.

As we all know, there is a big difference between a complex password that is changed every three months and using ‘Password123’ across multiple different user accounts. The former is far stronger. Yet, in the event of compromised credentials, both are equally insecure – at least until that three-month period is up.

The solution, then, is to move towards a more context-specific form of credentials – something that cannot be replicated by a cybercriminal who has access to a list of username/password combinations. The solution is two-factor or multi-factor authentication.

This works by introducing an additional, time-sensitive verification layer after the initial password request, often by sending a code to the user’s phone. This code is either single-use or expires after a short period of time – which means that even if a malicious third party has access to the original username and password, they are unable to pass step two without also intercepting the individual’s phone.
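As an added illustration (not Clavister's code, nor the MFA product described in this post), here is a minimal server-side verifier for the second step just described: the code is derived from a shared secret and the current 30-second window using the standard TOTP construction (RFC 6238), is accepted only within a narrow time window, and is accepted only once, so a captured code cannot be replayed. The class name is hypothetical, and the secret and timestamps used in the demo are the published RFC test values, not real credentials.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid before the next one is issued
DIGITS = 6   # length of the code shown to the user


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Standard TOTP (RFC 6238): HMAC-SHA1 over the time-step counter,
    dynamically truncated to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class SecondFactor:
    """Hypothetical server-side check for step two of a login.

    A code is valid only for the current window (plus a small tolerance for
    clock drift between phone and server) and only once: the highest window
    already redeemed is remembered, so replaying a code that was captured in
    transit, or one that was used a minute ago, fails."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew              # neighbouring windows tolerated for clock drift
        self.last_used_counter = -1   # highest window already redeemed (single-use)

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_used_counter:
                continue              # already redeemed or superseded: reject replay
            if hmac.compare_digest(totp(self.secret, c), code):
                self.last_used_counter = c
                return True
        return False                  # wrong code, expired window, or replay


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 / RFC 6238 test secret, not a real key.
    secret = b"12345678901234567890"
    sf = SecondFactor(secret)
    code = totp(secret, 59 // STEP)
    print(sf.verify(code, 59))        # True: fresh code inside its window
    print(sf.verify(code, 59))        # False: the same code cannot be used twice
```

In a real deployment the redeemed-window state must be stored per user (and shared across servers), and the secret is provisioned to the phone once, out of band, rather than transmitted at login.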

Other options for this additional verification layer are a second password, of which only specific characters are requested, or biometric data such as fingerprints. But the phone code is easy and cost-effective to implement, and as smartphones become an ever more ubiquitous feature of employees’ desks, it’s an obvious solution.

We believe so strongly in the importance of multi-factor authentication (MFA) for the future of corporate security that earlier this year we launched our own MFA solution. Our VPN tunnel and web interfaces can now be secured with a truly robust and forward-looking security measure.

We will be showcasing our MFA solutions at the giant IT-SA exhibition in Nuremberg, Germany from the 18th to 20th October. Find us in Hall 12, Booth 226.