Repercussions from the ongoing pandemic are still reverberating through workplaces all over the world. Businesses are racing to catch up with the changes they’ve had to make to accommodate remote workers, digitalization, and new cloud technologies.
Many have let their cybersecurity practices fall by the wayside in the rush to evolve with the times. In a report by PwC, 64% of CISOs and CIOs said they expect a jump in reportable ransomware and software supply chain incidents during the second half of 2021.
Moving forward, one of the biggest challenges businesses will face is installing suitable security and privacy measures rapidly enough to mitigate the snowballing threats to new technologies and remote capabilities.
As the most universally adopted cybersecurity approach, password authentication methods aren’t going away anytime soon. As of March 2020, 70% of organizations relied on passwords for security. Our recent study, The State of Password Security in the Enterprise, found that 90% of the organizations surveyed plan to continue using passwords for at least another year, and 30% do not plan on phasing out password-based security ever. Yet most organizations don’t feel they have the means to address password security concerns: 61% stated that they have no way to determine when existing passwords have been compromised.
Reportable cyber incidents are expected to continue rising through the rest of the year and next. The consensus among CIOs and CISOs is that a spike in attacks is inevitable and looming. Mobile, internet of things (IoT), and cloud-based solutions are considered the fastest-growing threat vectors, according to the PwC study.
Updating password security protocols to reinforce a critical layer of protection for these vectors will be vital in the coming months as more potent threats emerge.
Cybercriminals leverage stolen or weak passwords to gain privileged access to company networks and applications. As workers have gone remote, it’s even easier for bad actors to gain unauthorized access via even less secure home devices, networks, and applications. Companies need to cultivate a cybersecure culture throughout their organization to ensure all employees have the knowledge and training necessary to mitigate cyber incidents and attacks.
Ransomware attacks are making more money than ever. In March, CNA Financial paid a whopping $40 million to cybercriminals who locked them out of their network with malware. The average ransom paid in these attacks has risen dramatically over the past two years. Between 2019 and 2020, ransoms grew 171% year-over-year. Weak and compromised passwords are directly linked to costly and highly disruptive ransomware infections. The cyberattack on Colonial Pipeline that wreaked havoc back in May was due to a single compromised password.
Compromised credentials were the most common initial attack vector for data breaches this year, according to IBM’s Cost of a Data Breach Report 2021. 20% of breaches were caused by compromised credentials, costing organizations $4.37 million on average. Phishing was the second most common attack vector, accounting for 17% of breaches. Business email compromise had the highest average total cost at $5.01 million, and phishing attacks had the second-highest cost, landing at $4.65 million on average.
A breach caused by compromised credentials also takes the longest to identify and contain. The total lifecycle of a compromised credentials attack is almost an entire year: 341 days. On average, it took a business 250 days to detect a credentials-based attack and another 91 days to contain it, undoubtedly adding to the cost of such an attack.
When billions of passwords from past data breaches are available in hacker forums online, adequate password protection is not a nice-to-have but a must-have. Businesses must practice proper cyber hygiene and enforce strong password security policies to help mitigate the damage of these expensive, pernicious security breaches.
Gartner forecasts that organizations will increase their security and risk management spending by 12.4% this year, reaching $150.4 billion worldwide by the end of 2021. Cybersecurity initiatives are a top priority for companies as more and more realize how far we’ve fallen behind in keeping up with the evolving cyber threat landscape.
Fortunately, businesses can take a simple first step toward closing the gap in their password security layer. Restricting the use of compromised credentials in your systems is an easy way to strengthen overall password security. Block authentication with previously exposed username and password combinations, and screen new user-selected passwords at creation against lists of previously exposed passwords. This way, no one in your organization will be able to use known, compromised credentials that have been exposed in third-party security breaches.
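The two controls described above, screening newly chosen passwords and refusing to let an exposed password keep authenticating, can be implemented in a small amount of code. The following is an added illustration written for this post, not the blog's own code or any vendor's product. It assumes a locally built index of exposed password hashes (constructed from a handful of hypothetical plaintexts here; a real deployment would ingest hashes from a breach-data feed) laid out in the k-anonymity style that public range-lookup APIs use: a 5-character SHA-1 prefix selects a bucket, and the caller compares the remaining suffix locally so the full hash is never sent anywhere. The account records, salts, and `range_lookup` stand-in are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample corpus of exposed passwords (hypothetical, not breach data).
# A real screen ingests hashes from a breach feed rather than plaintexts.
_CONSTRUCTED_EXPOSED = ["password1", "Summer2021!", "letmein", "qwerty123"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password: the key format used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index exposed hashes by 5-character prefix -> set of 35-character suffixes.
# This mirrors the k-anonymity layout: a client reveals only the prefix and
# compares suffixes locally, so the complete hash never leaves the caller.
EXPOSED_INDEX = {}
for _pw in _CONSTRUCTED_EXPOSED:
    _h = sha1_hex(_pw)
    EXPOSED_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set:
    """Return every known suffix for a 5-char prefix (stands in for a range API call)."""
    return EXPOSED_INDEX.get(prefix.upper(), set())


def is_exposed(password: str) -> bool:
    """True if the password's SHA-1 appears in the exposed-password index."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def screen_new_password(password: str) -> tuple:
    """Policy gate applied when a user selects or changes a password."""
    if is_exposed(password):
        return False, "appears in known breach data"
    return True, "accepted"


def hash_for_storage(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the credential store (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_for_storage(password, salt)}


# Constructed user store: one account that set a now-exposed password before
# screening was introduced, and one whose password is not in the corpus.
USERS = {
    "alice": make_user("Summer2021!"),
    "bob": make_user("tr0ub4dor&3-long-enough"),
}


def authenticate(username: str, password: str, users=USERS) -> str:
    """Return 'denied', 'reset_required', or 'ok'.

    A correct password that is known to be exposed is not accepted as-is;
    the caller is told to force a reset, so the exposed credential stops
    working even though the stored hash still matches.
    """
    rec = users.get(username)
    if rec is None:
        # Hash anyway so response timing does not reveal whether the user exists.
        hash_for_storage(password, b"\x00" * 16)
        return "denied"
    if not hmac.compare_digest(hash_for_storage(password, rec["salt"]), rec["hash"]):
        return "denied"
    if is_exposed(password):
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    print(screen_new_password("letmein"))                # rejected: exposed
    print(authenticate("alice", "Summer2021!"))          # reset_required
    print(authenticate("bob", "tr0ub4dor&3-long-enough"))  # ok
```

Note the order of checks in `authenticate`: the exposure lookup runs only after the stored hash matches, so the check cannot be used to probe whether an arbitrary password is in the breach index without first knowing it is the account's real password. Screening at creation time uses the same `is_exposed` function, so both controls share one index and one lookup path.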
As our digital capabilities progress, so must our strategies to defeat cybercriminal activity. Proactive password security is a crucial element of healthy cyber hygiene. We’ll be taking a deeper dive into password-based security and best practices in this blog series on preventing compromised credentials attacks. Look for our next installment focused on busting the myths surrounding password security.