What is the biggest threat to cybersecurity or IT infrastructure right now? According to one of Canada’s premier cybersecurity experts, if you answered malware or ransomware or crypto, you’d be wrong.
According to Calgary-based cybersecurity leader Sonya Goulet, the most significant risk is the end user. A team of hackers can unleash the most potent cocktail of malware on a system, but if no one opens it up, the attack is rendered useless. Or, another threat, she says, are weak passwords. A hacker may have the intent to deploy the most destructive malware on a system, but if the password is almost impenetrable, then the attack is neutralized.
“All cyber threats evolve quickly and often, yet the end user is still disregarding simple tips to keep an enterprise safe, for example, using proper passwords,” Goulet points out. Smarter MSP caught up with her to ask her about the most significant threats today and what MSPs can do to mitigate them.
Goulet advises that MSPs and CISOs should be focusing on proper password hygiene. She says a good password should follow guidelines set by the National Institute of Standards and Technology (NIST).
“I also recommend making a password a meaningful passphrase, at least ten complex characters long. My second piece of advice is to use a Password Manager, like LastPass,” Goulet says. But having an enterprise get to a point where everyone is on board takes time and training, she adds.
She goes on to point out that staff can let the password manager create passwords for the sites they visit, so they don’t have to think or remember any of the hundreds of passwords needed in their day-to-day life.
“They feel positive knowing they only have one password to remember going forward, and that password is to access their password manager account,” Goulet offers, adding that most people are relieved by the simplicity of it.
In Goulet’s work with companies to beef up their best practices, she finds that weak passwords are a prolific problem.
“I found that while I work with staff on cybersecurity practices, they all admit to me that they keep the same simple password and use that one password across all of their online websites. They also admit to never changing their passwords,” Goulet states.
This is a big problem
A recent study by ID Agent illustrates the size of the problem:
- At least 65 percent of people reuse passwords across multiple sites.
- Around 13 percent of people use the same password for all accounts and devices.
- About 80 percent of data breaches in 2019 were caused by password compromise.
- Compromised passwords are responsible for 81 percent of hacking breaches.
- The average person reuses each password 14 times!
- An estimated 49 percent of employees only add a digit or change a character in their password when they’re required to update it.
- Passwords were leaked in about 65 percent of the breaches that happened in 2019.
In today’s evolving and dynamic threat landscape, carelessness when it comes to passwords is a gaping hole in an organization’s defenses.
Passwords, however, are just one aspect of how an end user can compromise a network. Other problems can occur with improper data hygiene and becoming complacent with clicking links in emails. Such sloppy clicking can lead to the deployment of all sorts of malware. To head off some of these, Goulet recommends MSPs do the following:
Create easy steps to follow
Examples, Goulet says, include teaching staff what data is vital to protect, and showing staff how to look for phishing or vishing attempts, teach or review with staff to scan everything in emails and verify by a phone call if needed (using the old President Reagan phrase of “Trust, but verify”).
“In order for staff to care about what they are protecting, leadership has to guide them,” Goulet advises. That means making workers feel invested in the company or enterprise so that everyone has a stake in its survival. Show staff what the fallout could be from clicking a bad link. Businesses have had to shutter because of malware, and that should make everyone shudder.”
I found that most staff don’t care enough with what link they click, or what password they use, or what data they share with other staff members. All of those issues are an evident need for improved policies and procedures,” Goulet concludes.