Cybersecurity attacks are becoming more pervasive and seemingly effortless to pull off. Cybercriminals who can execute a successful attack are seizing credit card numbers, bank account information, and even Social Security numbers. You can strengthen your organization’s cybersecurity risk management plan by addressing this one vulnerability: weak passwords.
The capture or reuse of passwords, or “static credentials” as they are often referred to in the IT industry, is standard practice for organized crime groups. Likewise, passwords are used against all kinds of targets, from the largest organizations to individuals.
A common misperception is that cyber attackers have become so sophisticated that something as simple as a password is no longer effective. This could not be further from the truth. Individuals have the most power in preventing attacks that exploit passwords, which is why a policy on passwords should be a key component of your firm or organization’s cybersecurity risk management program.
One of the ways cyber attackers breach systems is by using software that repeatedly tries combinations of letters and characters until it finds your password. Weak passwords are easily crackable for a password thief. What’s a weak password? Generally, if your password can be readily found in a dictionary—or on the internet—it’s weak. If your password is an easy-to-remember name such as that of a child, spouse, pet, car, person, or place—it’s weak.
Adding numbers to your pet’s name might help get your password approved by system validation requirements (e.g., “Your password must contain at least one uppercase letter, one lowercase letter, and one number.”). Unfortunately, with the strength of today’s password crackers, numbers alone, particularly those in sequence like “123,” provide little added protection.
Essentially, you want to fight password cracking technology with password protection technology. Random password generators use statistical methods to create passwords that are very hard to crack. Some password generators offer pronounceable passwords that, while not real words, are easier to memorize. Another option is to use an encrypted password manager on your smart phone, tablet, or computer. Because the password manager is encrypted, it cannot be accessed even if you lose your phone.
With cybersecurity threats on the rise, there is demonstrable need for both large and small organizations to have comprehensive cybersecurity risk management programs in place, and to assess and report on them using standardized tools.
For questions on how to improve your cybersecurity, consult a Certified Public Accountant.
Submitted by: Michael Rosciam, CPA.CITP, CISA, IT & Assurance Services Director, Thomas Howell Ferguson P.A. CPAs, email@example.com, (850) 668-8100.