This evening’s episode of Panorama on BBC One, Fighting Cyber Criminals, examines the 2023 ransomware attack on KNP Logistics, as well as the recent attacks on Marks & Spencer, the Co-op and Harrods.
KNP, a Northamptonshire haulage group that included the 158-year-old transport company Knights of Old, lost access to all its data after the Russian Akira group accessed an employee account by exploiting a weak password.
Despite reportedly complying with industry standards and holding insurance against cyber attacks, the company couldn’t recover its data and entered administration. The BBC reported at the time that 730 employees would be made redundant.
If one weak password can cause such damage, it’s clear that enforcing a strong password policy should be part of every organisation’s cyber security processes. How, then, do you implement the measures you need?
Layered security: multifactor authentication
The most practical way of doing this is with MFA (multi-factor authentication).
With MFA, individuals enter a password as normal, but must also provide a second piece of information that confirms that they have legitimate access to the system.
This is typically either ‘something you have’ (such as a code sent to your phone) or ‘something you are’ (such as a fingerprint scan).
By doing this, you mitigate the risk of password compromise. An attacker might have your login details, but they still need additional information to access your account.
MFA isn’t foolproof – there are techniques that criminal hackers can use to obtain the necessary information. However, it removes a significant threat and ensures that a password breach alone is not enough to compromise your account.
Many online services give you the option of implementing multi-factor authentication, including Amazon, Apple, Facebook, Google, Instagram, Microsoft and PayPal.
Most of those sites don’t have multi-factor authentication in place by default, so you will need to adjust your settings to set it up.
The website 2FA Directory contains a full list of websites that support multi-factor authentication.
Strong passwords: three random words and password managers
Even with multi-factor authentication, it’s a good idea to get into the habit of creating strong, unique passwords for each account you have, especially if they’re linked to the same username – often your email address.
That way, if your login details are compromised, you can at least limit the damage rather than risking the security of all your online accounts.
Traditional advice is to make passwords complex, to use upper- and lower-case letters, numbers and symbols, and to change them regularly. However, this approach is almost impossible for the average user to follow.
Modern advice is therefore to use passphrases, such as three random words, rather than passwords.
Phrases are much easier for people to remember than random combinations of letters, numbers and symbols, and when it comes to password strength, length matters more than complexity: with every character you add to your password, its inherent security increases.
As long as your longer passphrase isn’t reused or on a list of common passwords, it should be considerably more secure than a shorter password, even if it might not seem more complex.
An alternative is to use a password manager, which generates and securely stores complex passwords for you – that way, you only need to remember one password.
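As an added illustration, not part of the original post, the following Python sketch turns the advice above into a checkable policy: a minimum length, no match against a list of common passwords, and no reuse across accounts. The blocklist is constructed for the example and the 12-character minimum is an assumption; the `search_space_bits` helper shows why each extra character matters more than a wider character set.

```python
import hashlib
import math

# Constructed stand-in for a list of common or previously breached passwords.
# A real deployment would check against a published breached-password corpus.
COMMON_PASSWORDS = frozenset(p.lower() for p in {
    "password", "123456", "qwerty", "letmein", "Password1!",
    "welcome1", "correcthorsebatterystaple",
})


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`.
    Each added character multiplies the search space by the alphabet size, so a
    20-character lowercase passphrase outgrows an 8-character password that uses
    all 94 printable ASCII symbols."""
    return length * math.log2(alphabet_size)


def fingerprint(candidate: str) -> str:
    """SHA-256 of the candidate, so reuse can be detected without keeping plaintext."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def check_password_policy(candidate: str, min_length: int = 12,
                          blocklist: frozenset = COMMON_PASSWORDS,
                          used_elsewhere: frozenset = frozenset()) -> list:
    """Return the policy failures for `candidate`; an empty list means it passes.
    Checks: minimum length (12 is an assumed default), absence from the
    common-password list, and no reuse (`used_elsewhere` holds fingerprints
    of passwords already in use on other accounts)."""
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if candidate.lower() in blocklist:
        failures.append("appears on the common-password list")
    if fingerprint(candidate) in used_elsewhere:
        failures.append("reused from another account")
    return failures


if __name__ == "__main__":
    print(f"8 chars from 94 symbols: {search_space_bits(94, 8):.1f} bits")
    print(f"20 lowercase chars:      {search_space_bits(26, 20):.1f} bits")
    print(check_password_policy("Password1!"))            # two failures
    print(check_password_policy("fjord lantern biscuit"))  # passes: []
```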
Do you teach employees about password security?
Password security is arguably the most important part of cyber security. An organisation can have the most robust mechanisms in place to prevent cyber attacks, but if an employee uses a weak password or leaves it written down and publicly available, it’s tantamount to leaving the door to your office unlocked overnight.
You might get lucky and avoid a break-in, but for how long? Cyber crime is an ever-present threat, and it’s only a matter of time before you come under attack. That’s why it’s so important to train your staff about the risks associated with poor password practices.
Our Cyber Security Staff Awareness E-Learning Course is ideal for rolling out staff training quickly and cost-effectively.
It explains the dos and don’ts of password security, and details other essential security tips that your staff should be aware of, such as the threat of phishing and how to handle sensitive documents and portable devices.
- Use NCSC (National Cyber Security Centre)-certified expertise to reduce the risk of security breaches and incidents by embedding a culture of cyber security in your organisation.
- Learn what cyber security is, the consequences of a cyber attack and why security is everyone’s business.
- Empower your staff to spot malicious activity and know what to do if they see a problem.

A version of this blog post about password security was originally published in May 2022
The post How One Weak Password Destroyed a 158-Year-Old Company appeared first on IT Governance Blog.