2022 Trends and Insights
Before we talk about how to ensure you aren’t creating a password hazard, let’s briefly recap some things we learned from the 2022 Verizon Data Breach Investigations Report (DBIR):
- 82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse
- The number one action type in the 2022 DBIR dataset for very small businesses is ransomware
- The second most common attack is the use of stolen credentials
- Phishing remains a top attack vector
So what is the connecting thread in all of this data for small and mid-size business owners? Simple: you are a target, your size does not matter to hackers, and people (and their passwords) are typically your biggest weakness. With all of that in mind, the Verizon DBIR suggests some important tactics to avoid becoming a victim:
- Use two-factor authentication
- Do not reuse or share passwords
- Use a password keeper/generator app
- Be sure to change the default credentials of the Point of Sale (PoS) controller or other hardware/software
The list continues, and you can read the entire thing here. Notice that the first four items on the list all involve credentials (AKA passwords)? It’s no coincidence that both the list of top threats and the list of top solutions focus on passwords, since they are involved in the majority of hacking attempts and successes. Take a look at the graphic below; any guesses why hackers go after people rather than going directly for the data?
The answer is pretty straightforward: all of the technical protections and controls are a real challenge and hindrance for hackers. Hackers want the reward (your data!) as quickly and easily as possible. Why spend weeks attempting to hack into a database or compromise a server when you can send out a few hundred emails with phishing links? A quick reminder of small business statistics:
- Small businesses receive the highest rate of targeted malicious emails at one in 323
- Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises
What gives? Why so many attacks on small businesses? The answer is simple: fewer employees tends to mean a smaller budget for things like cybersecurity and employee training. Instead of going after a Fortune 500 company, an attacker can spend less time and effort hitting three or four small businesses.
The Solution
There are many solutions. Remember, cybersecurity is all about layered defense (more layers of armor protect better than one stronger layer). So while it may not be a cure-all, password security and training are as close to a silver bullet as a small business can find. Below is a list of password and employee safety tips and techniques:
- Implement a password policy: for example, all passwords must be unique, meet complexity requirements, be changed at specific intervals, and cannot be reused.
- Train employees on the importance of passwords: remind employees that they are the first line of defense, not the antivirus software. Criminals are using email, text messages, phone calls, and more to get in the door. If employees understand that they are the target, they are more likely to respond correctly to threats.
- Create refresher training and reminders about passwords and phishing attempts: training done annually is a great start, but ideally this would be part of a more frequent training plan. Put up signs in common spaces, add a few minutes to monthly or all-hands meetings dedicated to cybersecurity, and show examples of phishing emails and discuss the correct responses.
- Use multifactor authentication: find out whether the services and applications your company uses offer multifactor authentication. If so, turn it on immediately and require employees to use it. This means a stolen credential is only half of what a future attack needs.
- Change all default credentials: when new devices and software are added to your business, it is critical to change or remove default credentials. For routers, switches, PoS terminals, and other hardware devices, these credentials are publicly available on the web. They were designed for ease of use, with the intention that the credentials would be changed at first use, but most businesses without an IT team fail to make those changes.
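To make the first tip concrete, here is an added example (not code from the original article or its author) of how the password policy described above can be enforced in software: complexity requirements, a ban on reusing any of the last few passwords, and a rotation interval. The thresholds (12-character minimum, five-password history, 180-day maximum age) are assumptions chosen for illustration; the history is kept as salted PBKDF2 hashes so that old passwords are never stored in the clear.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy thresholds: assumed values for this example, not from the article.
MIN_LENGTH = 12
HISTORY_DEPTH = 5          # how many previous passwords may not be reused
MAX_AGE_DAYS = 180         # rotation interval
PBKDF2_ITERATIONS = 200_000  # kept moderate so the example runs quickly


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time check of a candidate password against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_violations(password):
    """List every complexity rule the candidate password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def check_new_password(password, history):
    """Validate a proposed password against complexity rules and the reuse history.

    history is a list of (salt, digest) tuples, most recent first.
    Returns a list of violations; an empty list means the password is acceptable.
    """
    problems = complexity_violations(password)
    if any(matches(password, salt, digest) for salt, digest in history[:HISTORY_DEPTH]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed, today=None):
    """True when the password is older than the policy's maximum age."""
    today = today if today is not None else date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def record_new_password(password, history):
    """Hash an accepted password and push it onto the front of the history."""
    return [hash_password(password)] + history[:HISTORY_DEPTH - 1]


if __name__ == "__main__":
    # Constructed walkthrough: an employee changes their password twice.
    history = record_new_password("Correct-Horse-42!", [])
    print(check_new_password("Correct-Horse-42!", history))     # flagged as reuse
    print(check_new_password("password", history))              # several failures
    print(check_new_password("Battery-Staple-77?", history))    # [] = accepted
    print(rotation_due(date(2022, 1, 1), today=date(2022, 8, 1)))  # True
```

The reuse check only compares against hashes, so even a compromised history table does not hand an attacker the old passwords in plain text. Note that current NIST guidance (SP 800-63B) favors length and screening against known-breached passwords over strict composition rules and forced periodic rotation, so treat the complexity and age thresholds here as knobs to set according to your own policy rather than fixed requirements.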
Brian Vigna is a trainer, teacher, and cybersecurity enthusiast. Brian also holds the CISSP, CompTIA Security+, CompTIA A+, CompTIA Network+, CompTIA Cloud Essentials, Microsoft Certified Professional, AWS Solutions Architect, and AWS Cloud Practitioner certifications.