The Strongroom

Your employees’ credentials: They’re out there, somewhere

8th November 2018


Written by Jason Wild

With new mega-breaches being reported almost weekly these days – the latest being Cathay Pacific – it’s a fair bet that a significant number of your employees have username/password combinations for sale or trade on the dark web, somewhere.

That’s a big problem when it comes to cybersecurity risk for your business. It’s very common for employees to reuse passwords and usernames across personal and company devices, websites and applications. When those credentials are compromised, via breaches such as Cathay Pacific’s, attackers can simply replay them against your company’s logins (so-called credential stuffing), and a password that was only ever meant for a shopping site becomes a way into your network.

Fortunately, there are a number of practical steps you can take to significantly reduce your risk.

1. Educate your staff

Your staff need to know that they must keep their work and private online lives separate. It’s a matter of education: Many people simply might not have considered that if they use a company email address for a private service (such as online shopping, social media sites or cloud storage), and that service is breached, they hand an attacker a valid company username, and very often the matching password as well. Stipulate in your information security policy that under no circumstances are company email addresses to be used for private services, and remind employees of this often.

2. Implement a password manager

Credential reuse happens because it’s nigh-on impossible to keep track of the dozens of password and email combinations we all need nowadays without writing them down (which is, of course, another big no-no). Make it easier for your employees by signing up for a corporate plan with a password manager service. A password manager holds your employees’ passwords securely, generates a long, random and unique password for every site, so a breach at one service no longer unlocks any other, and most will also automatically fill them in on trusted sites and apps.

3. Enforce multi-factor authentication (MFA)

MFA works by requiring a second proof of identity on top of your password, typically a one-time code from an authenticator app or a hardware security key, so that a stolen or leaked password is not, on its own, enough to log in. Google and Microsoft both have free authenticator apps that work with a wide variety of sites, and there are other paid-for solutions for enterprise customers. Educate your staff about the importance of using MFA across their personal sites and apps, and enforce its use for company sites and apps.

4. Implement an anti-phishing programme

A large proportion of breaches involve stolen credentials, and phishing remains one of the most common ways they are obtained; phishing campaigns have become increasingly sophisticated, personalised and difficult to spot. Anti-phishing programmes, which combine awareness training with simulated phishing emails sent to your own staff, can be an affordable and very effective way to reduce the likelihood of your employees clicking on phishing links. Origin Security’s Phriendly Phishing Programme is one such programme.

5. Regularly check if your employees’ credentials have been leaked

Use a darknet monitoring service to see whether employee credentials appear in known breach data. Spycloud has a corporate plan that allows companies to check their entire domain. Encourage your employees to regularly check their personal email addresses as well. You can register (either as an individual or as a company) to be alerted if your email address appears in a future leak. If an employee’s personal or company password has been leaked, have them change it immediately, and make sure they change it on every site where they used it, not just the one that was breached.
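Checking a password against a breach corpus raises an obvious problem: you do not want to send the password (or even its full hash) to a third party. The established answer is a k-anonymity range query, where only the first five hex characters of the password’s SHA-1 are sent and the service returns every breached hash suffix under that prefix, so the match is made locally. The following is an added example (not from the original post or from Spycloud or any other vendor) of that technique. The offline part runs against a constructed in-memory table; the `fetch_range_from_hibp` function uses the URL scheme of Have I Been Pwned’s Pwned Passwords range API, which the post does not mention and which is assumed here, and is never called by the tests.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # hex chars of the SHA-1 sent to the service; the rest stays local


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the service, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated) into {suffix: count}."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count) if count.isdigit() else 0
    return result


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the corpus, or 0 if never seen.
    Only the 5-char prefix ever leaves this function via `fetch_range`."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# ---- Offline corpus, constructed for this example ------------------------
# A pretend set of breached passwords with made-up occurrence counts.
_CONSTRUCTED_BREACHED = {"password": 3861493, "Passw0rd!": 245, "letmein": 1030}


def build_sample_range_table(breached: Dict[str, int]) -> Dict[str, str]:
    """Build the per-prefix response bodies a range service would return."""
    table: Dict[str, list] = {}
    for pw, count in breached.items():
        prefix, suffix = split_for_range_query(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in table.items()}


SAMPLE_RANGE_TABLE = build_sample_range_table(_CONSTRUCTED_BREACHED)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, answering from the constructed table."""
    return SAMPLE_RANGE_TABLE.get(prefix, "")


# ---- Live fetcher (assumed endpoint format; not exercised here) ----------
def fetch_range_from_hibp(prefix: str, timeout: float = 10.0) -> str:
    """Query the Pwned Passwords range endpoint for one 5-char prefix.
    Assumed URL scheme: https://api.pwnedpasswords.com/range/<prefix>."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "leaked-credential-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, offline_fetch))
```

Swap `offline_fetch` for `fetch_range_from_hibp` to check against the live corpus; the calling code does not change, and a non-zero count is the signal to force a password change everywhere that password was used. Building this into your password-reset flow stops a user from picking a password that is already in circulation.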

Encouraging, and where possible enforcing, good password discipline among your staff will go a very long way towards reducing the likelihood of a major security incident or breach.

For more practical steps that businesses of any size can take to improve their security posture, see Five Steps You Can Take Right Now to Improve Security, No Matter Your Size.

Jason Wild

Information Security Consultant

Jason provides information security consulting as part of our vCISO offering. He has 29 years’ experience in the IT industry, with over 20 years in management and consulting roles.
