With our homes now becoming our offices, cyber security matters even more. Staff need to appreciate that, whilst home working can offer a better work-life balance, it also presents criminals with an increased opportunity for fraud.
Everyone is familiar with the protection offered by individual passwords: they are an effective way to control access to your data, the devices you store it on and the online services you use.
However, criminals are well practised at getting past this first barrier. They will try the most common passwords against your accounts, or guess your password from information on your social media profiles. If one attempt succeeds, they will try the same password against your other accounts, because many people reuse it.
Criminals also try to trick people into revealing their passwords, by sending fake 'phishing' emails that link to bogus websites, or by using persuasive techniques over social media.
Even if you look after your passwords, they can still be stolen if an organisation holding your details suffers a data breach.
Criminals will then use these stolen customer details (such as usernames and passwords) to try to access other systems.
As a reminder of good practice, the National Cyber Security Centre has highlighted the following five things to keep in mind when using passwords:
Set a screen lock password, PIN or other authentication method on every device. This is not just for smartphones: laptops and desktops normally have a disk encryption feature built in, but it protects nothing until it is turned on and configured.
If possible, use two-factor authentication (2FA), as it adds a large amount of security for not much extra effort. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method. This could be a code sent to your smartphone, a code generated by an authenticator app, or a code produced by a bank's card reader, which you must enter in addition to your password. A criminal who has only stolen your password is then still locked out.
If you are in charge of IT policies within your organisation, make sure staff are given actionable guidance on setting passwords that is easy for them to understand. Passwords should be easy to remember but hard for somebody else to guess. Staff should avoid the most common passwords, such as 'password', '123456' or 'qwerty', and anything built from their favourite football team, a partner's date of birth and the like, since this is exactly what criminals try first. Remember that your IT systems should not require staff to share accounts or passwords to get their job done. Make sure every user has their own access to the right systems, and that the level of access granted is always the lowest needed to do their job, so that staff are not exposed to systems they do not need.
Remember that your staff will have dozens of non-work passwords to remember as well, so only require a password for a service if you really need to. Where you do use passwords, do not enforce regular password changes: a password only needs changing when you suspect the login credentials have been compromised. Provide secure storage so that staff can write down the passwords for important accounts (such as email and banking) and keep them safe, but not with the device itself. Staff will forget passwords, so make sure they can reset their own easily. Consider password managers, tools that create and store passwords for you behind a single 'master' password. Since the master password protects all of your other passwords, make sure it is a strong one, for example by joining three random words.
One of the most common mistakes is not changing the manufacturer's default passwords that smartphones, laptops, routers and other equipment ship with. Change all default passwords before devices are distributed to staff, and regularly check devices (and software) specifically for default passwords that have been left unchanged.
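The advice above on choosing passwords (avoid common ones, avoid personal details, prefer three random words) can be turned into a simple check that a sign-up or reset form can run. The following is an added example, not code from the original article or the NCSC; the deny-list, the word list, the sample user details and the 12-character minimum are all constructed assumptions for illustration, and a real deployment would load a large breached-password list and a much longer word list.

```python
import re
import secrets

# Constructed sample deny-list. A real deployment would load a large list of
# commonly used or breached passwords rather than this handful.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "football", "liverpool", "arsenal", "chelsea", "iloveyou", "admin",
}

# Constructed word list for the three-random-words generator. Strength comes
# from the number of possible choices, so use a far larger list in practice.
WORD_LIST = [
    "coffee", "tractor", "lantern", "velvet", "orbit", "pencil",
    "harbour", "meadow", "copper", "signal", "walnut", "glacier",
]

MIN_LENGTH = 12  # assumed policy value for this example


def _normalise(password: str) -> str:
    """Lower-case and drop digits/punctuation so 'Password1!' still matches 'password'."""
    return re.sub(r"[^a-z]", "", password.lower())


def _personal_tokens(user_info) -> set:
    """Pull the guessable pieces out of a user's details: names of four or
    more letters and numbers of four or more digits (years, phone fragments)."""
    tokens = set()
    for item in user_info:
        tokens.update(t.lower() for t in re.findall(r"[A-Za-z]{4,}|\d{4,}", item))
    return tokens


def check_password(password: str, user_info=()) -> list:
    """Return the reasons a password should be rejected; an empty list means it is acceptable.
    Deliberately no 'must contain a symbol' rules: NCSC advice is a deny-list, not complexity."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if lowered in COMMON_PASSWORDS or _normalise(password) in COMMON_PASSWORDS:
        problems.append("common")
    if any(tok in lowered for tok in _personal_tokens(user_info)):
        problems.append("personal")
    if re.search(r"(19|20)\d\d", password):  # a year, typically a birthday
        problems.append("year")
    return problems


def three_random_words(words=WORD_LIST, count: int = 3, sep: str = "-") -> str:
    """NCSC-style memorable password: distinct words picked with the OS CSPRNG,
    never with random.choice, which is predictable."""
    return sep.join(secrets.SystemRandom().sample(words, count))


if __name__ == "__main__":
    # Constructed user record, as a sign-up form might hold it.
    user = ["Alice Smith", "alice.smith@example.com", "15/04/1985", "Arsenal"]
    print(check_password("Password123!!", user))        # ['common']
    print(check_password("Arsenal-forever-1985", user))  # ['personal', 'year']
    suggestion = three_random_words()
    print(suggestion, check_password(suggestion, user))  # e.g. velvet-orbit-walnut []
```

The check is cheap to run on every new password and reset, which is where it belongs; it is not a reason to force periodic changes, which the guidance above explicitly advises against.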