Email Security

Email Security

Yet again we have had another item about cyber-attacks within the public sector. This time it’s around weak passwords. Yes, there were policies on how to conform to the Parliamentary Digital Service yet up to 90 users didn’t?    

I’ve had a lot of conversations with customers around Cyber Security. Without doubt, the most commonly overlooked (ignored!) area is around passwords. Including:

  • Simple passwords (Family, per, Birthday etc)
  • Passwords written on post it notes and/or in a notebook
  • Spreadsheets (Secured or unsecured)
  • Using default passwords
  • Not changing passwords regularly

The people with the power and authority to run and manage the business, when compromised, can do the greatest damage. Ironically, they are the people least likely have the time to work on it or know how to protect themselves.

  1. Example: Sharing User id’s.

MD is going on holiday and leaves their it credentials with a colleague to cover them while they are away. The colleague leave the company sometime later and their credentials are removed. However, they made a copy of the MD’s information and they can log in whenever they chose as the MD doesn’t like to change his passwords.

  1. Example: Spear Phishing.

Two different phishing emails sent over 2 days to a small group of users. Email titled 2017 Recruitment Plan hit’s your filters and gets put in junk. You only need one employee to open the .exe/pdf/.xls/ file and a backdoor was installed. The phishing activity successfully harvests credentials:

Leading to any of the following outcomes:

  • Boss email to finance to pay fraudulent invoice using a legitimate email inbox
  • Hacker sets up email forwarding for all inbound and outbound email track all communications
  • Use MD’s email from a small SMB to break into the next largest organisation in the supply chain as they look for a backup door into an enterprise account.1  

Phishing attacks are an ever-increasing attack vector for ransomware. Phishing and Overconfident users have created the statistics below from a mock phishing attack. Showing who said they click vs who did clicked.   

Friedrich-Alexander University (FAU) – Dr. Zinaida Benenson

78% of participants were aware of the risks let 45% and 25% of people still clicked!

Password Vault

A password vault will help remove the issues and concerns for users around the administration and control of system and software access.

Current password vulnerabilityPassword best practice
Simple passwords (Family, per, Birthday etc)Password VaultOne complex password to remember which holds all your other passwords.
Passwords are written on post-it notes and/or in a notebookPassword Vault Polices:Nothing is written down, all stored securely in electronic form
Using default passwordsPassword Vault Polices:Automatic prompting to change pw
Not changing passwords regularlyPassword Vault Polices:Automatic policies prompting for Qtrly PW change
 Password Vault additional benefits:Role based accessTwo-Factor authenticationAuditing & Compliance reportingAutomatic backups of password vaultReset passwords everywhereMobile client support 

For SMB organisations that work with highly confidential and/or personal data, there will be a higher priority due to the General Data Protection Regulations coming into law in May 2018. By combining a password vault with 2-factor authentication and good user training, your business and your customers can significantly reduce your exposure and vulnerabilities.

2-Factor Authentication

By including 2-Factor authentication and a Password Vault with group and policy controls, you are well on your way to enhancing the security for your business and your customers.

User Training

Another part of the equation is user training. Here we address the heart of the problem by offering a Cyber Awareness Session for non-technical users and business leaders.      

No systems are 100% secure, however, by combining Cyber Security best practices around your technology, users and processes, you have a fighting chance.