Cybersecurity leaders won’t soon forget the past year. The ongoing pandemic has delivered a seismic shift in the way people work and companies operate. Millions of workers have since turned their homes into their new, remote offices, which has subsequently brought a host of risks thanks to the use of unsecured Wi-Fi and poor access controls, leaving Chief Information Security Officers (CISOs) to scramble for a solution.
At the same time, the cybersecurity stakes could not be higher: studies show that the cost of security breaches can be astronomical, with digital incidents costing businesses of all sizes $200,000 on average, with 60% going out of business within six months of being victimized. Further, weak and compromised passwords are responsible for about 80% of hacking-related breaches.
These statistics are particularly frustrating for business leaders because there are plenty of ways to improve password security. As I wrote last year on World Password Day (May 6), strong cryptography is key to safeguarding personal and professional information in any business. One bright spot is that even more encryption options are available today to stop bad actors in their tracks, alongside custom device connections and company firewalls.
The problem with passwords
Let’s take a step back and consider the problem with passwords. As any cybersecurity leader knows (and will quickly tell you), the vast majority of passwords used in any organization are incredibly simple. One email address paired with one password is the norm because it is simple for users, but that same simplicity makes life easy for attackers. Studies show that seven-character passwords can be cracked in a matter of minutes, rendering them almost as ineffective as no password at all.
This fact is the driving force behind World Password Day, and it is only more pressing in times like these. Any hole in the cybersecurity net can quickly become a breach when there are many users across many networks. Further, most companies cannot even determine whether their devices have been hacked. A report on companies that use IoT technology in their workplace found that about half have no mechanism in place to detect whether any of their devices have been compromised.
Security for many of today’s connected devices and user accounts relies on single-factor authentication, and this is a problem in and of itself. Passwords alone are just not enough, and thankfully there are plenty of things cybersecurity managers can implement to improve their defence posture.
The importance of public key infrastructure and homomorphic encryption
Cybersecurity leaders need to upgrade access controls, but they also need to ensure the solution is user-friendly and as strong as possible. Encryption, applied within a well-defined authentication protocol, offers a way to meet both goals.
There are a few ways to go about this. Let’s begin with today’s state-of-the-art approach, Public Key Infrastructure (PKI). This uses asymmetric cryptography to establish initial trust between the client and the target device: a key pair is generated, the public half is installed on the device in place of any “password”, and the client proves possession of the private half to authenticate. This is still a form of single-factor authentication, but one which renders brute-force attacks infeasible.
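The key-based authentication the paragraph describes, as an added example that is not part of the original article: a client enrolls an Ed25519 public key on the device and later authenticates by signing a one-time challenge. The device stores no secret that could be guessed or brute-forced, and each challenge is accepted only once. All names here (Device, Enroll, Challenge, Respond, Authenticate) are assumptions made for this illustration; the code uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Device holds what the target device stores after enrollment: only the
// client's public key and the set of challenges it has issued. There is no
// password-equivalent secret here for an attacker to guess.
type Device struct {
	enrolled ed25519.PublicKey
	issued   map[string]bool
}

// Enroll generates a fresh key pair (assumed to happen on the client) and
// installs the public half on the device. The private half never leaves the client.
func Enroll() (*Device, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{enrolled: pub, issued: map[string]bool{}}, priv, nil
}

// Challenge issues a single-use random nonce for the client to sign.
func (d *Device) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.issued[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Respond is the client's side: it proves possession of the private key by
// signing the nonce. The key itself is never transmitted.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Authenticate accepts the response only if the nonce was issued by this
// device, has not been used before, and the signature verifies under the
// enrolled public key.
func (d *Device) Authenticate(nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if !d.issued[key] {
		return false // unknown or replayed challenge
	}
	delete(d.issued, key) // each challenge is valid exactly once
	return ed25519.Verify(d.enrolled, nonce, sig)
}

func main() {
	dev, priv, err := Enroll()
	if err != nil {
		panic(err)
	}
	nonce, _ := dev.Challenge()
	sig := Respond(priv, nonce)
	fmt.Println("first login:", dev.Authenticate(nonce, sig))    // true
	fmt.Println("replayed login:", dev.Authenticate(nonce, sig)) // false
}
```

What to notice: the device side holds only the public key and a record of outstanding nonces, so a dump of the device's storage yields nothing usable for logging in, and the replay check is what turns a bare signature into an authentication exchange rather than a reusable credential.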
Further, let’s consider the potential of tomorrow’s encryption. Homomorphic encryption is a next-generation form of public-key encryption that uses two separate keys to encrypt and decrypt a data set. It uses algebraic structures to encrypt data and generate keys, allowing authorized parties to operate on encrypted data without first decrypting it. In essence, this enables the owner or a third party (such as a cloud provider) to apply functions to encrypted data without ever seeing the underlying values.
One of the most useful benefits for cybersecurity leaders is that the homomorphic encryption model lends itself to password monitoring. Password monitoring is the practice of continuously checking an organization’s passwords against public lists of recently breached or leaked logins, so that leaders are alerted whenever their company’s credentials turn up online. With traditional encryption, CISOs had to decrypt logins to check them against those enormous and constantly growing lists of compromised credentials. With homomorphic encryption, as in the research-backed password monitoring feature of Microsoft Edge, users retain complete privacy: the still-encrypted passwords are checked against those lists without ever being decrypted.
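The private password check described in this paragraph and the one before it, as an added example that is not part of the original article and not Microsoft's implementation: a textbook Paillier scheme (additively homomorphic) lets a server compare an encrypted password hash against a breached list without ever decrypting it. The client sends only its public key and Enc(h); the server returns, for each list entry s, Enc(r*(h - s)) with a fresh random blinding factor r, which decrypts to zero exactly when the password matches and to a random value otherwise. The breached list, the 512-bit primes and every function name are constructed for this demo; it uses only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// Textbook Paillier with g = n+1. PublicKey is (n, n^2); PrivateKey adds
// lambda = lcm(p-1, q-1) and mu = lambda^-1 mod n. Prime size is a demo choice.
type PublicKey struct{ N, N2 *big.Int }
type PrivateKey struct {
	Pub        PublicKey
	Lambda, Mu *big.Int
}

func GenerateKey(bits int) *PrivateKey {
	p, err1 := rand.Prime(rand.Reader, bits)
	q, err2 := rand.Prime(rand.Reader, bits)
	if err1 != nil || err2 != nil {
		panic("crypto/rand failure")
	}
	n := new(big.Int).Mul(p, q)
	pm1, qm1 := new(big.Int).Sub(p, one), new(big.Int).Sub(q, one)
	lambda := new(big.Int).Div(new(big.Int).Mul(pm1, qm1), new(big.Int).GCD(nil, nil, pm1, qm1))
	mu := new(big.Int).ModInverse(lambda, n)
	if mu == nil { // gcd(lambda, n) != 1 has negligible probability; just retry
		return GenerateKey(bits)
	}
	return &PrivateKey{PublicKey{n, new(big.Int).Mul(n, n)}, lambda, mu}
}

func randomNonZero(n *big.Int) *big.Int {
	for {
		if r, err := rand.Int(rand.Reader, n); err != nil {
			panic(err)
		} else if r.Sign() != 0 {
			return r
		}
	}
}

// Encrypt: c = (1 + m*n) * r^n mod n^2 with fresh randomness r.
func (pk PublicKey) Encrypt(m *big.Int) *big.Int {
	c := new(big.Int).Mod(m, pk.N)
	c.Mul(c, pk.N).Add(c, one)
	return c.Mul(c, new(big.Int).Exp(randomNonZero(pk.N), pk.N, pk.N2)).Mod(c, pk.N2)
}

// Decrypt: m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u-1)/n.
func (sk *PrivateKey) Decrypt(c *big.Int) *big.Int {
	u := new(big.Int).Exp(c, sk.Lambda, sk.Pub.N2)
	u.Sub(u, one).Div(u, sk.Pub.N)
	return u.Mul(u, sk.Mu).Mod(u, sk.Pub.N)
}

// Homomorphic operations need only the public key: Enc(a)*Enc(b) = Enc(a+b), Enc(a)^k = Enc(k*a).
func (pk PublicKey) Add(c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(c1, c2), pk.N2)
}
func (pk PublicKey) MulConst(c, k *big.Int) *big.Int { return new(big.Int).Exp(c, k, pk.N2) }

// hashPassword maps a password into Z_n; client and server share this mapping.
func hashPassword(pw string, n *big.Int) *big.Int {
	sum := sha256.Sum256([]byte(pw))
	return new(big.Int).Mod(new(big.Int).SetBytes(sum[:]), n)
}

// ServerCheck sees only the client's public key and Enc(h). For each breached
// hash s it returns Enc(r*(h-s)) with a fresh random r: zero iff h == s, random otherwise.
func ServerCheck(pk PublicKey, encH *big.Int, breached []string) []*big.Int {
	out := make([]*big.Int, len(breached))
	for i, s := range breached {
		negS := new(big.Int).Sub(pk.N, hashPassword(s, pk.N)) // -s mod n
		diff := pk.Add(encH, pk.Encrypt(negS))                // Enc(h - s)
		out[i] = pk.MulConst(diff, randomNonZero(pk.N))       // Enc(r*(h - s))
	}
	return out
}

// IsBreached runs the exchange end to end: the server never sees the password
// or its hash, and the client learns only whether some entry matched.
func IsBreached(pw string, breached []string) bool {
	sk := GenerateKey(512)
	encH := sk.Pub.Encrypt(hashPassword(pw, sk.Pub.N))
	for _, c := range ServerCheck(sk.Pub, encH, breached) {
		if sk.Decrypt(c).Sign() == 0 {
			return true
		}
	}
	return false
}

func main() {
	leaked := []string{"password123", "letmein", "qwerty"} // constructed sample list
	for _, pw := range []string{"letmein", "not-in-the-list-7Q!"} {
		fmt.Printf("%q breached: %v\n", pw, IsBreached(pw, leaked))
	}
}
```

Returning one ciphertext per list entry keeps the example short but scales linearly with the list, which is why production systems use more elaborate private set intersection protocols on top of lattice-based schemes. The blinding factor r is what stops a non-matching client from learning anything about the entries it was compared against; without it, the client could decrypt h - s and recover each list entry.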
The dangers of inaction
The stakes are high for companies and cybersecurity leaders. Today, more remote workers equate to more potential infiltration points. Even more alarming, more active hackers are working to hold businesses up for ransom.
The FBI recently reported that the number of complaints about cyberattacks has risen to as many as 4,000 a day, a 400% increase over what it was seeing before the coronavirus pandemic. Interpol is also seeing an “alarming rate of cyberattacks aimed at major corporations, governments, and critical infrastructure.” These attacks target all types of businesses, but large corporations, governments, and critical medical organizations have been major targets.
Companies and users alike require more than passwords to remain digitally safe. In addition to strengthening password credentials with strong encryption standards, cybersecurity leaders would be well advised to implement additional safeguards. First, leaders should ensure their networks, software and applications are up to date. Remote access technologies have known vulnerabilities and are all too often the weak link that bad actors use to reach protected information. Make sure all software and applications are updated and patch any weaknesses that are identified.
Second, set your remote team up for success and communicate the steps they need to take to contribute to your organization’s cybersecurity plan. This includes training the team on cybersecurity best practices, including using secure Wi-Fi connections, creating strong passwords and passphrases, and recognizing email fraud and phishing campaigns. Third, and finally, customize the settings of connected devices and third-party hardware, for example by changing preset login details and adopting safer connection types such as peer-to-peer.
The sky seems to be the limit when it comes to encryption and password protection. While the latest technology is currently used for managing credentials, it would not be a stretch to see expanded applications on the Internet of Things (IoT) and cloud computing. It is increasingly clear that strong passwords remain vital on this World Password Day, but new and improved methods are coming that could render them obsolete in the future. Watch this space.