Here at My IT, we use tools to actively monitor the dark web for data breaches concerning our clients. We then present that information to our clients so they can act on it in a timely manner. This is all well and good, but often I hear the argument that information on old data breaches isn’t worth their time. Executives say those passwords have been reset or that that email is no longer in use. Another objection is that if hackers have not used that information by now, then they either won’t use it, or they already tried, and the info is no longer valid. However, there is a flaw in that logic.
The Hasso Plattner Institute conducted a study of roughly 1 billion user accounts where they concluded that 20% of users were reusing old passwords. Additionally, 27% of users’ passwords were at least 70% identical to their other passwords. This indicates minor changes to a core password. For instance, if the core password is "Password1”, users will use variations such as "P@ssword", "Password2" or "Password1!".
Cyber-criminals are a crafty and patient bunch who are good enough at what they do to make a living off their exploitative endeavors. They utilize sophisticated tools to analyze data across social media to use in spear phishing attacks and to crack your passwords that are found in data breaches. They then use all that information to attempt credential stuffing attacks. These attacks take usernames and passwords and stuffs them into the login pages of multiple digital services across the web. Because these are all automated systems, the hackers can run attacks on millions of accounts per day with ease. On top of that, they have no reason to stop running those attacks. This means that if an employee were to use their old password from, let’s say, the LinkedIn data breach on their new work-related account, then there is a good chance that their account will be compromised even though the last time they used that password was a few years ago.
Here is another scary statistic for you to consider. While very large companies, such as LinkedIn, can weather the storm of having their brands diminished by these attacks, Paychex found that as many as 60% of hacked small and medium-sized businesses shut down within 6 months of a data breach becoming public knowledge. [That percentage is consistent across numerous studies and reports from different sources.] Also, they found that more than 70% of attacks are targeted at small businesses. That is a recipe for disaster for SMBs.
With all of that said, the faster we can alert our clients to newly found vulnerabilities, the better for everyone involved. We can then work with them to block those accounts and/or force password resets, but that is all reactive and we prefer to be proactive as an IT support company. We’ve learned that the best way to stop users from reusing those same, or similar, passwords on other services, and to also help them adhere to their company policies, is to provide regular cybersecurity training for all employees (especially executives) and to use a password manager.
Password managers have browser plugins for computers and apps for mobile devices that will randomly generate unique passwords for accounts, encrypt and store those credentials in a secure place, and help users audit their current accounts for weak or reused passwords. This way, employees only need to remember their one password for the password manager in order to access all their other secure and random passwords. This takes the laziness of password creation out of the user’s hands, making it exponentially harder for a cyber-criminal to crack their passwords. It also prevents other cybersecurity risks, such as having sticky notes around the office with passwords written on them or having colleagues shout out passwords across the office in earshot of customers.
Being proactive and following these procedures will vastly improve a business’ cybersecurity and will absolutely help to mitigate future data breaches. Remember, all it takes is one employee being lax about cybersecurity to bring down an entire company.