What would you do if your customers stopped paying your invoices? How would your business react if the payments due to you were being paid to a cyber-criminal instead? The situation would be less than ideal to put it lightly. The importance of password protection and management is growing exponentially as Cyber-Criminals are finding new and more innovative ways to gain access to company systems. This is exactly what can and is happening with hundreds of businesses throughout the UK on a daily basis and there’s two root causes for this:
– Spoofing Identify by appearing as your business by creating a new fake email address designed to look like your business and your invoice templates
– Gaining access to your legitimate email account and/or invoicing platform
To combat these and help protect your business Texaport recommends employing a multi-layered “Holistic” approach to your business’ IT Security. A cornerstone of which is user-awareness and “good password/account hygiene”. The key to securing your company, users and hardware is to ensure your passwords are always secure as they are the key to your digital life and business and should be treated as you would the keys to your business, home or car. If you lost your keys or had reason to believe they’d been copied or compromised, you would change your locks. If you have reason to believe your password is not secure or has been copied, you should change it.
Cyber-Criminals can gain access to your business email account and invoicing platform passwords in two common ways (there are others but most employ one or both of these methods in their execution):
1. Brute Force
a. Brute force is a method of “cracking” a password through trial and error. The Cyber Criminal would run a program which cycles through potential passwords until the right one is discovered. Once it has been discovered, the criminal has access to the account(s) as well as any other services that password would be used for. TO find those services the criminal would typically search through emails to find notifications from services such as eBay, Amazon, Xero etc.
b. Brute Force can be limited in effectiveness by:
i. Using unique passwords for each service
ii. Limiting the number of password attempts before locking down the account
iii. Increasing the length and complexity of a password.
2. Spoofing a legitimate email
a. A common and incredibly easy method for criminals to gain access to your important accounts is to send an email appearing to be from your provider asking you to sign in. The links may seem legitimate and the page they take you to could also appear to be correct. Once you have submitted your information the page will redirect you to the legitimate service to login again and you would have no reason to believe you’d been compromised.
b. Spoofing can be limited in effectiveness by:
i. Not following links in emails
ii. Paying attention to the sender’s email address
iii. Paying attention to the link in the email and ensuring it is legitimate
iv. Verify the web address you have gone to is legitimate
v. Deploying a “Web Filter” which would block malicious or impersonating websites.
As cyber criminals are able to exploit new vulnerabilities and deploy new tools to attack businesses and their supply chains, companies should be employing a holistic approach to the security and integrity of their data, hardware and users to reduce the risk of this. Hardware and Data security are essential components of an approach to security, but these are redundant if the end user is unaware of the threats and can usher a criminal through the defences to sensitive data or systems.
Some key considerations in securing your password are:
1. A strong, enforced, password policy
2. Don’t share your password(s)
3. Don’t re-use your password(s)
4. Store your password(s) securely
5. Change your password if you are concerned that it might have been compromised, shared or breached.
Password security an integrity is a key element of data protection and Cyber Essentials, to find out more about securing your organisation, users, hardware and software email firstname.lastname@example.org.