Last week, it was reported that over one million Google and Yahoo accounts were being sold on the black market online where usernames, email addresses, and passwords stored in plain text were all on offer. This hoard of compromised user accounts and credentials is thought to be harvested from a collection of breaches dating back as far as 2012.
In the fast-paced world of cybercrime, it may be surprising to some that hackers are selling email account credentials that are several years old, but much of that information may still be valid if victims do not practice proper email and password security hygiene and regularly update passwords.
It can be difficult for IT departments to convey the importance of email security to busy workers who are juggling a number of responsibilities and might re-use personal passwords for convenience. However, all companies, no matter the size, need to ensure that email security is a priority. Smaller businesses are just as vulnerable to hacks, and can often find it harder to repair the financial and brand damage that an attack can inflict.
If employers are finding it difficult to engage employees in the security process, they should focus on one key message: email accounts are our most important digital asset – both personally and professionally. They’re the gateway to our entire online portfolio, so protecting data with a secure password is critical. Hackers that gain access to your email via a weak or reused password can learn of other accounts you have online, and then use your email account against you to reset nearly any online account that you have. Even the likes of Mark Zuckerberg aren’t immune to this practice. Both his Twitter and Pinterest accounts were hacked after a LinkedIn data dump of passwords.
The good news is that it is possible to implement a simple security strategy throughout the organisation. The following steps cover off the key pillars of an air-tight employee email security policy:
Change passwords every quarter
Unique and complex passwords are the first line of defence for email accounts, but even the best passwords have a shelf life. Changing your passwords every quarter is an easy, proactive measure you can take to protect your account, especially since breaches are typically disclosed months or years after the credentials are stolen and sold. The Yahoo hacks, which compromised 1.5 billion accounts, only became publicly known towards the end of 2016, even though the attacks occurred in 2013 and 2014 respectively.
In a worst-case scenario, adopting the practice of regularly changing passwords will limit the amount of time cybercriminals have access to your hacked account. However, having to change passwords across all your accounts regularly can be both time-consuming and confusing. Not only do you want a strong combination of numbers and characters, but the passwords also have to be unique across all of your accounts. The fastest and easiest way to refresh all your passwords securely is to use a password manager that includes an auto-password change feature, allowing you to change account passwords in a single click.
Enable two-factor authentication (2FA)
Two-factor authentication is one of the most effective and simple methods to protect your email accounts beyond a strong password. In addition to entering a password, 2FA users must enter a second piece of information to gain access to their accounts, such as a one-time code sent via text or an app on your mobile device, or even a fingerprint. Regardless of the form your two-factor authentication takes, it ensures that hackers cannot break into your email, even if they have your password. Adopting 2FA also protects user credentials from password-guessing software, eliminates the collateral damage from successful phishing attempts, and adds an extra layer of protection for your employee and customer data. Increasingly, organisations are seeing the benefit of 2FA, and implementing it centrally as part of wider security policies.
Ensure your employees take responsibility for their work email
A recent study by BitSight found that in the last 15 months, at least one out of every 20 Fortune 1000 companies had experienced a publicly disclosed breach. And despite these breaches, Fortune 1000 companies’ security performance has recently declined overall: 52 companies made an effort to improve their security, while 103 companies experienced rating drops from October 2016 to January 2017.
This cautionary tale goes to show that even the largest and most profitable companies can struggle with security. As such, employees are the first line of defence of their own email, and should take precautionary steps to bolster their account security whenever possible. Unfortunately, this is still a pain point for businesses.
Recent research into the psychology of passwords revealed that more than a third (39 per cent) of people create more secure passwords for personal accounts than for work accounts. Additionally, we found that 75 per cent of respondents considered themselves informed on password best practices, yet 61 per cent admitted to using the same or similar password across accounts. Ensuring employees are armed with the knowledge to do their part in keeping the company safe from cyberattacks is a vital part of any comprehensive security solution.
Train employees in best email security practices
If employees are expected to be at the front line of company security, it’s important they have a clear understanding of how to put the above steps into practice and keep their work accounts secure. Companies should draw up a security policy which includes all of the relevant information, explaining both how and why employees need to take email security seriously. Companies should also ensure this policy is kept up to date, as technology advances and practices change. For example, as more companies move into a BYOD (bring your own device) environment, employees should know what they can and can’t do in order to stay secure.
Joe Siegrist, VP, LastPass