Perhaps you have heard of the huge password breaches that online giants like Yahoo have suffered in the past years. Perhaps you’ve also thought that those breaches wouldn’t disturb your business. One website getting hacked shouldn’t affect another one, right? Not exactly. Where there is easy profit to be made, hackers are usually lining up. And the possibilities for making money are far from over after an initial breach. What happens next can be hugely damaging to companies other than the one that was hacked. And the attackers hit you where it hurts – in consumer trust.
Credentials sold on the darknet
When user accounts get hacked, the hackers aren’t going to keep the stolen credentials to themselves. Username, password and possibly other personal information often gets leaked onto open websites or the darknet.
When someone has gotten their hands on these credentials, they can use them to gain unauthorised access not only to the breached website but also to other sites. Such as yours. The only thing the breached site and your site need to have in common is users. More specifically, users that use the same or similar credentials on both sites.
Users that pick the same password for multiple accounts are the lowest-hanging fruit for cyber-attackers. Using an automated process, the attackers can “stuff” credentials from a breached site into your login form, trying each leaked username and password pair in turn. This is how attackers can use a password breach on another site to gain access to your user accounts and harm your credibility in the process.
For more on how credential stuffing works, read our blog entry that explains this in depth.
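The pattern described above leaves a recognisable trace in your own login logs: one client trying many different usernames in a short time, with most attempts failing and the occasional success marking an account whose password was reused from the breached site. The following is an added example, not code from the original post; it parses a constructed sample of login events (the log format, the IP addresses and the usernames are all made up for the illustration) and flags sources that look like a credential-stuffing run, listing the accounts they managed to get into so those can be force-reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (assumed format: timestamp, client IP,
# username, outcome). The first client walks through eight different usernames
# in a few seconds; the second is one person mistyping their own password.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave FAIL
2024-03-01T10:00:03Z 203.0.113.7 erin OK
2024-03-01T10:00:04Z 203.0.113.7 frank FAIL
2024-03-01T10:00:04Z 203.0.113.7 grace FAIL
2024-03-01T10:00:05Z 203.0.113.7 heidi FAIL
2024-03-01T10:05:00Z 198.51.100.22 alice FAIL
2024-03-01T10:05:09Z 198.51.100.22 alice FAIL
2024-03-01T10:05:20Z 198.51.100.22 alice OK
2024-03-01T10:07:00Z 192.0.2.45 bob OK
"""


def parse_events(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "OK",
        })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for clients that tried at least `min_users` distinct
    usernames inside any `window`-long span with a low success rate.

    A legitimate user retrying their own password hits one username and
    eventually succeeds; a stuffing run sprays many usernames and mostly fails.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(1 for e in span if e["ok"])
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                stats = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # Accounts this source logged into: likely reused passwords.
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
                # Keep the widest window seen for this source.
                if ip not in flagged or stats["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, stats)
```

The thresholds are assumptions to tune against your own traffic: a shared office or mobile-carrier address can legitimately log in as several users per minute, so raise `min_users` or key on a client fingerprint as well as the IP before acting automatically. The `compromised` list is the important output: those users' passwords worked for an attacker and should be reset regardless of whether the source is blocked.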
Value the trust of your customers
The anonymity of the internet creates few opportunities for your business to truly interact and get to know people. Gaining the trust of customers is an invaluable resource for a business. Therefore, protecting your users from the horrible consequences of hacking (such as identity theft and fraud) is in the best interest of both them and you.
If you’re operating an international mega business, weathering the storm of a password breach and recovering from it is probable. For a smaller business, recovery can be a slow struggle with a significant loss of consumer trust as well as revenue. Being proactive is both possible and advisable.
How safe are the passwords that your employees pick?
Passwords are the first line of defence for businesses to protect themselves from attacks. In some cases, the only one. While you should be concerned about the passwords that your users choose, you should also evaluate those used by your employees. As much as 39 percent of respondents to the “Psychology of passwords executive summary” by LastPass stated that they create more secure passwords for personal accounts than they do for work accounts. That’s more than 1 in 3 employees.
Bad habits die hard, especially the ones we don’t even know we have, or the ones we think aren’t a priority for the people in charge. Some of your employees probably think that their passwords are just fine, or figure that they don’t deal with anything top secret anyway. Maybe they feel that cybersecurity isn’t being made a priority in the company and are busy getting on with their work.
Even password managers get breached
Password managers are a great tool to keep your data safe. You only have to remember one master password to log into an encrypted vault that stores all your other passwords. Not using a password manager makes you an easy target for hackers. But even password managers can be breached, possibly leaking your business credentials and hurting your credibility in the process.
Just like with any other service there are good and less good ones available, and even the best password managers can experience issues with bugs. However, even with these problems, security experts are largely in agreement that password managers are the safest way to manage credentials.
To minimise the risk of your credibility being affected by a breach of a password manager, do your research. Type the names of different password managers along with “breach” or “hacked” into search engines and see if anything pops up. Have a look at Twitter to see what is being said about them. Explore which password managers are used by experts in the field. Consider that if you can’t find any reviews, that’s not a good sign. You should be using a password manager that already has many happy clients. How a password manager has handled a breach or uncovered flaw can also be telling. Did they only act after being caught, or were they forthcoming towards their users from the start?
Leave breach fatigue in the dust
The news of data breaches seems to be endless these days. Still, it might seem difficult to realise the tangible consequences behind the abstract concept of a password breach. This “breach fatigue” is likely to affect both your users and yourself. Users might not change their bad password habits. Perhaps they feel that their existing password is already strong and secure. Maybe they feel changing passwords is too much of an effort or takes up too much time. Perhaps they only change their password when it is required.
For those running a business, breach fatigue might lead to the necessary safety precautions not being taken. Don’t fall into this trap. You might feel like there is nothing you can do to hinder the attackers, but there are plenty of ways for you to protect your business while helping your customers help themselves. We wish you the best of luck!