Supply chain attacks have been making headlines, shining a renewed spotlight on the vulnerabilities the shipping and logistics industry can unintentionally introduce to its customers. This is an issue with which West-Mark is extremely familiar. As a manufacturer of trucks and trailers, we are an essential supplier for numerous organizations in highly regulated industries, including the US Department of Defense and the US military. We follow a strict security protocol to ensure our sensitive data, and that of our customers, is protected at all times, which is how we uncovered the gaping vulnerability passwords often pose.
NIST Compliance Pinpoints Password Weaknesses
West-Mark has numerous government contracts that require us to comply with the most current NIST cybersecurity guidelines. A key component of NIST recommendations is adopting a modern approach to password security that screens new passwords against those known to be commonly used, expected, or compromised. As part of adopting NIST’s recommendations, we implemented a risk analysis that uncovered passwords as our most significant vulnerability.
Understanding the Password Problem
Fundamentally, password vulnerabilities come down to human behavior. It’s easy enough to implement firewalls and conduct virus scanning, but educating employees on password best practices, and ensuring they adhere to these policies, is incredibly difficult. Among the chief contributors to the password problem are:
- Poor Password Practices
Despite frequent guidance to create strong, unique passwords for every online account, remembering numerous complex passwords in our digital age is a productivity and efficiency hurdle to overcome. This often leads to poor password behavior from users, such as using the same basic root phrase with minor changes for different accounts, for example “WestM@rk!” or “Westmark1!”.
- Password Reuse
Password reuse is another example of a practice employees acknowledge is insecure but continue to follow anyway. The fact that people often reuse passwords across work and personal accounts is particularly troubling; 62% of employees in one survey admit to this poor practice. If just one of the accounts suffers a breach, then it’s a sure bet that the compromised password is available for hackers to purchase on the Dark Web and utilize in ongoing attacks.
A Modern Approach to Password Security
People may be the cause of password security headaches, but it’s unrealistic to expect their behavior to change. In addition, numerous studies have documented that legacy password management approaches like time-based resets and complexity requirements actually have a detrimental effect on credential security.
For these reasons, West-Mark knew we needed a modern approach to password security that followed NIST guidelines on screening passwords for exposure.
After researching credential screening solutions, we selected Enzoic for Active Directory. One of the factors that distinguished Enzoic from other market players was the company’s dynamic database. Unlike static blacklists, it is automatically updated multiple times a day with the latest breach intelligence, meaning West-Mark’s credential security changes in response to the evolving threat landscape.
Ensuring Passwords Remain Secure
NIST recommends that companies screen all new passwords, but Enzoic takes this a step further. In addition to vetting credentials at their creation, the solution also checks for exposure on an ongoing basis to ensure that a previously safe password has not become compromised. Should this happen, we can automatically activate a remediation plan to contain the threat.
Enhanced Password Security with Less User Friction
Prior to implementing Enzoic, we required employees to reset their password every 90 days, which resulted in the usual amount of user frustration and IT headaches. This friction is virtually eliminated with Enzoic, as the screening happens entirely in the background and a password only needs to be changed should a compromise be detected.
The only constant in today’s security landscape is change. Through our partnership with Enzoic, we’re much more prepared for the evolution of credential-based attacks and able to keep our business—and our customers’ data—secure.

