If the keys to your house were sitting visibly outside for someone to take, would you just leave them in hopes that no one breaks in? Not likely. Similarly, the keys to the front door of most organizations are sitting on the Dark Web at the ready for use and exploit by criminal organizations and hackers. In fact, criminals, hacktivists and social hackers obtain and sell hundreds of thousands of stolen credentials on the Dark Web daily. Many times, exposure of employees’ personal credentials can lead to an internal corporate breach, where a compromise can turn into a corporate catastrophe.
When an employee’s information is compromised, hackers can socially engineer their way into a corporate network. Business owners and executives are starting to realize that helping to protect their employees’ personal identities is a fundamental element of their overall cybersecurity initiatives, not just an employee benefit.
Many times, employees give criminals easy access. For example, some employees, including high-level executives, use their work emails and passwords for social media or other consumer sites. It’s just easier to remember. But when these sites get breached, a hacker is handed the corporate keys in the way of identical emails and network passwords. Additionally, employees also use the root password that is very similar to the network password for personal use to these sites. Hackers can very easily run tools, crack the password code and again have easy access to the corporate network.
And what happens when the CEO’s Gmail password is exposed when a consumer or social media site is breached? The hacker now has access to the CEO’s personal Gmail account, and by sending an email to the CFO, Human Resources and other employees with malware enclosed, the hacker has now gone in through the back door.
Organizations can either take action to protect corporate systems and assets from the Dark Web or they can keep their head in the sand and suffer the costly consequences – likely sooner than later. Hacks, leaks and data breaches are at a record high of unprecedented portions – i.e. Verizon, Deloitte, Equifax and the list goes on – so it’s just a matter of time.
Unfortunately, the preventive action that organizations generally take is not nearly enough. Because 81 percent of hacking-related breaches leverage either stolen and/or weak passwords, most believe that frequently changing passwords after a credential exposure is sufficient. But, it’s a temporary and insufficient fix.
Organizations should be shoring up security by using two-factor authentication. An example is the recent Deloitte cyberattack that resulted in the theft of confidential documents and emails. The company said an attacker gained access to the email server’s administrator account, giving the attacker unrestrained access to the company’s Microsoft-hosted email mailboxes. This could have been avoided with two-factor authentication. Requiring an extra step beyond a username and password, two-factor authentication is not a new concept but can be effective in stopping intruders from gaining access and stealing someone’s personal data or identity.
Further, security awareness training for all employees, including executives who tend to have high exposure rates, is also critical. An organization’s security strategy will only work if employees are properly trained and know what and what not to do. Organizations should work toward changing the culture of the workplace to focus on the importance of security and getting buy-in from employees as an added layer of defense against increasing attacks. Personal and credit monitoring solutions are also an important and logical step toward securing corporate systems.
What other cyber security practices have been implemented in your organization? Tweet us at @ID_Agent and let us know.