How to Be a Target for Cybercriminals: Reuse Your Passwords
Tempting though it may be, never reuse a password. Every account should have its own unique password or passphrase, so that one leaked credential cannot simply be replayed against your other accounts (credential stuffing) and turned into an account takeover. Employees are often the unintentional cause of data breaches, so organizations should make sure their users have credentials that cannot be easily guessed and are not shared across services.
That said, attackers are persistent, so it is also important to use Role-Based Access Control (RBAC) to limit what an attacker can reach if an employee account is compromised. With well-scoped roles, a compromised low-level account exposes only the data that role needs, not the data that is most critical to operations or most damaging if stolen.
Passwords are Critical to System Security
Most of the websites, apps, and devices you use every day require a username and password. Some logins require multi-factor authentication, but many still rely on the password alone, which remains the most common method for controlling access. Many attackers get into systems through compromised credentials. They obtain them by guessing weak passwords (brute force against one account, or spraying a few common passwords across many accounts), by phishing and other social engineering, or with infostealer malware that harvests saved passwords from a victim's machine.
To be effective, passwords must be unique. If you use the same password for Google, Twitter, and your bank, a breach of any one of those services exposes all three: an enterprising cybercriminal who obtains the password from one will try it on your other accounts, and it will be a serious problem for you if one of them shares it. Avoid close variants as well, such as the same word with a different year or a trailing symbol appended, since attackers try those predictable mutations too.
This is especially important if you create passwords for both personal and business use. If your personal accounts are compromised, the last thing you want is for a cybercriminal to use the same password to get into your company's data, which could lead to financial losses, regulatory violations, and lawsuits from affected customers.
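The two rules above, no exact reuse and no cosmetic variants, are easy to enforce at the point where a user changes a password. The following is an added example, not code from the original page: a password-change check that keeps a salted hash history so exact reuse is rejected, normalizes the candidate (lower-case, strip the digits and symbols people bump each quarter, undo common leet substitutions) so that Summer2023 and Summer2024! are recognised as the same password, and enforces a minimum length. The history depth, minimum length, similarity threshold, PBKDF2 iteration count and the sample passwords are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import string
from difflib import SequenceMatcher
from typing import Optional

# Assumed policy values (not from the page): keep the last 5 password hashes,
# require at least 12 characters, and treat a normalized similarity of 0.8 or
# more as "the same password with a cosmetic change". The iteration count is
# kept low for a quick demo; tune it upward in production.
HISTORY_DEPTH = 5
MIN_LENGTH = 12
SIMILARITY_THRESHOLD = 0.8
PBKDF2_ITERATIONS = 100_000

# Substitutions users (and password crackers) routinely apply: P@ssw0rd -> password.
LEET = str.maketrans("@$0143", "asoiae")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history stores digests, never clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_history(passwords: list) -> list:
    """Build a (salt, digest) history from past passwords, newest last."""
    history = []
    for pw in passwords[-HISTORY_DEPTH:]:
        salt = secrets.token_bytes(16)
        history.append((salt, hash_password(pw, salt)))
    return history


def normalize(password: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo leet
    substitutions, so 'Summer2023' and 'Summer2024!' both become 'summer'."""
    core = password.lower().strip(string.digits + string.punctuation + " ")
    return core.translate(LEET)


def is_reused(candidate: str, history: list) -> bool:
    """Exact reuse of any password in the stored history."""
    return any(hmac.compare_digest(hash_password(candidate, salt), digest)
               for salt, digest in history)


def is_too_similar(candidate: str, current: str) -> bool:
    """Cosmetic variant of the password being replaced. Only the current
    password is available in clear at change time, so similarity can be
    checked against it but not against the hashed history."""
    a, b = normalize(candidate), normalize(current)
    if not a or not b:
        return False
    if a in b or b in a:
        return True
    return SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD


def check_new_password(candidate: str, current: str, history: list) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable."""
    if is_reused(candidate, history):
        return "reuses a previous password"
    if is_too_similar(candidate, current):
        return "is only a cosmetic variant of the current password"
    if len(candidate) < MIN_LENGTH:
        return f"is shorter than {MIN_LENGTH} characters"
    return None


# Constructed sample user: three past passwords, the last one still current.
SAMPLE_PASSWORDS = ["Winter2021", "Spring2022", "Summer2023"]
SAMPLE_HISTORY = make_history(SAMPLE_PASSWORDS)
CURRENT_PASSWORD = SAMPLE_PASSWORDS[-1]

if __name__ == "__main__":
    for attempt in ["Summer2023", "Summer2024!", "S@mmer2023", "P@ssw0rd",
                    "correct horse battery staple"]:
        verdict = check_new_password(attempt, CURRENT_PASSWORD, SAMPLE_HISTORY)
        print(f"{attempt!r}: {'accepted' if verdict is None else 'rejected, ' + verdict}")
```

Reuse is checked before similarity and length on purpose: an exact repeat of an old password is the strongest signal and should be reported as such even when the password is also too short.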
Password Reuse is Rampant in the Cloud
If you’re reusing passwords, the bad news is that you’re putting yourself and your company at risk of an account takeover attack. The worse news is that everybody else is doing it too. According to a recent survey, 37% of organizations have users accessing the cloud with reused passwords, and 40% of non-root users had not set up multi-factor authentication (that figure was about half as high for surveyed root users, but the target is 0%).
Between 2020 and 2021, the number of account takeovers increased by approximately 90%. In this type of attack, an attacker obtains a legitimate user’s login credentials and uses them to access data or critical infrastructure. If the compromised account is an admin account, the damage can be far worse.
Because CSPs operate under a shared responsibility model, securing identities is the customer’s side of the line: the provider will not, by default, enforce a password policy on your users or stop them from reusing passwords. As a result, many customers who do not understand their cloud security responsibilities are lax about them. Given that credential compromise followed by account takeover is one of the top attack vectors, you must be more careful.
Protecting Your Cloud Infrastructure
Fortunately, most major CSPs do let you enable multi-factor authentication, enforce a password policy, and prevent password reuse across the organization, but these controls must be turned on and configured by the customer. Even then they are not enough on their own. To reduce your risk of intrusion, in addition to unique passwords, you need cloud security tooling that can detect weak configurations, exposed attack paths, and attempted exploits.
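As an added example of checking one of those provider-side controls (not code from the original page), the script below audits an AWS IAM account password policy in the shape returned by `aws iam get-account-password-policy` and builds the `aws iam update-account-password-policy` call that brings it up to a baseline. The sample policy values, the baseline (14 characters, remember the last 24 passwords, users may change their own password) and the assumption that unset numeric fields are simply absent from the response are mine; the field names and CLI flags are AWS's. The practitioner caveat the code encodes: the update call replaces the whole policy and resets any option you leave out, so every existing setting is re-stated, not only the ones being changed.

```python
import json

# Constructed sample in the shape returned by
# `aws iam get-account-password-policy`: field names are AWS's, values are
# invented to show a weak policy. MaxPasswordAge and PasswordReusePrevention
# are assumed to be absent when they have never been set.
WEAK_POLICY_JSON = """
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": false,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": false,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false,
    "HardExpiry": false
  }
}
"""

# Assumed baseline (not from the page): 14+ characters, remember the last 24
# passwords (the AWS maximum), and let users rotate a compromised password.
BASELINE_MIN_LENGTH = 14
BASELINE_REUSE_PREVENTION = 24

# Boolean policy fields and the update-account-password-policy flag for each;
# the CLI exposes them as --flag / --no-flag pairs.
BOOL_FLAGS = {
    "RequireSymbols": "require-symbols",
    "RequireNumbers": "require-numbers",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}


def load_policy(policy_json: str) -> dict:
    return json.loads(policy_json)["PasswordPolicy"]


def audit(policy: dict) -> list:
    """Return findings for settings that fall below the baseline."""
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < BASELINE_MIN_LENGTH:
        findings.append(f"minimum length is {length}, baseline is {BASELINE_MIN_LENGTH}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < BASELINE_REUSE_PREVENTION:
        findings.append(f"reuse prevention remembers {reuse} passwords, "
                        f"baseline is {BASELINE_REUSE_PREVENTION}")
    if not policy.get("AllowUsersToChangePassword", False):
        findings.append("users cannot change their own password, "
                        "so a leaked one cannot be rotated promptly")
    return findings


def hardened(policy: dict) -> dict:
    """Copy of the policy with the baseline applied; other settings untouched."""
    fixed = dict(policy)
    fixed["MinimumPasswordLength"] = max(policy.get("MinimumPasswordLength", 0),
                                         BASELINE_MIN_LENGTH)
    fixed["PasswordReusePrevention"] = BASELINE_REUSE_PREVENTION
    fixed["AllowUsersToChangePassword"] = True
    return fixed


def remediation_command(policy: dict) -> str:
    """Build the CLI call that applies the hardened policy. Because the update
    replaces the whole policy, every boolean is stated explicitly and an
    existing expiry interval is carried forward rather than silently dropped."""
    fixed = hardened(policy)
    parts = [
        "aws iam update-account-password-policy",
        f"--minimum-password-length {fixed['MinimumPasswordLength']}",
        f"--password-reuse-prevention {fixed['PasswordReusePrevention']}",
    ]
    for key, flag in BOOL_FLAGS.items():
        parts.append(f"--{flag}" if fixed.get(key, False) else f"--no-{flag}")
    if "MaxPasswordAge" in fixed:
        parts.append(f"--max-password-age {fixed['MaxPasswordAge']}")
    return " ".join(parts)


if __name__ == "__main__":
    weak = load_policy(WEAK_POLICY_JSON)
    for finding in audit(weak):
        print("FINDING:", finding)
    print("FIX:", remediation_command(weak))
```

In practice the JSON would come from the CLI call itself (for example `aws iam get-account-password-policy > policy.json`), and an account with no policy at all makes that call fail with NoSuchEntity, which should be treated as the weakest possible finding rather than as an error.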
Zero-trust security with Role-Based Access Control can help manage the risks that come with cloud data being reachable from anywhere. In a zero-trust environment no login is trusted because of where it comes from: every login is verified, and every employee has more than one authentication factor. RBAC then limits access and permissions to the users who actively need them to do their jobs, and withholds them from everyone who does not.
RBAC is an organization-wide control designed to protect your most sensitive data. To implement it, first establish which users need access to what, so that you can define roles clearly. Start with the roles that guard your most sensitive data, and balance access restrictions against efficiency: security matters, but users frustrated by unnecessary restrictions will not be any happier about having to change their passwords again. Once the most sensitive data is protected, you can extend the same approach to more generic, less critical information.
Despite the importance of unique passwords, many users recycle them across many accounts. This is especially dangerous in a business environment, where accounts often guard very sensitive customer data, so to protect your business from a breach you need to secure your cloud storage and infrastructure. Zero trust and RBAC are two of the best ways to reduce the risk to your most sensitive information.
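To make the role-definition steps above concrete, here is an added example (not the page's own code, and not any particular vendor's RBAC API) of a minimal role model with deny-by-default checks plus two reports a reviewer wants: the "blast radius" of a single account, that is, everything an attacker who takes it over could reach, and the list of roles that can touch the restricted tier, which is the set to recertify first. The resources, classification tiers, roles and users are all invented for the illustration.

```python
# Constructed RBAC example: data stores are classified, roles are sets of
# (action, resource) grants, users hold roles and never direct grants.
# Every name below is invented for illustration.

# "restricted" is the tier to lock down first, per the text above.
SENSITIVITY = {
    "customer-pii": "restricted",
    "payroll": "restricted",
    "marketing-assets": "internal",
    "public-site": "public",
}

# Roles as (action, resource) grants; "*" is a wildcard resource.
ROLES = {
    "marketing": {("read", "marketing-assets"), ("write", "marketing-assets"),
                  ("read", "public-site"), ("write", "public-site")},
    "support-agent": {("read", "customer-pii")},
    "finance": {("read", "payroll"), ("write", "payroll")},
    "platform-admin": {("read", "*"), ("write", "*")},
}

# Users are bound to roles only, so access is reviewed per role, not per person.
USERS = {
    "alice": {"marketing"},
    "bob": {"finance"},
    "carol": {"platform-admin"},
    "dave": {"marketing", "support-agent"},
}

ACTIONS = ("read", "write")


def grants_for(user: str) -> set:
    """Union of the grants of every role the user holds."""
    grants = set()
    for role in USERS.get(user, ()):
        grants |= ROLES.get(role, set())
    return grants


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Deny by default: unknown users, actions or resources are refused."""
    if resource not in SENSITIVITY or action not in ACTIONS:
        return False
    return any(a == action and r in (resource, "*") for a, r in grants_for(user))


def blast_radius(user: str) -> dict:
    """Everything this account can touch, grouped by classification: the
    question to answer before an account is compromised, not after."""
    reach = {}
    for resource, level in SENSITIVITY.items():
        allowed = [a for a in ACTIONS if is_allowed(user, a, resource)]
        if allowed:
            reach.setdefault(level, {})[resource] = allowed
    return reach


def roles_reaching(level: str) -> set:
    """Roles that can touch data at the given tier: the review list for
    access recertification."""
    targets = {r for r, s in SENSITIVITY.items() if s == level}
    return {role for role, grants in ROLES.items()
            if any(r == "*" or r in targets for _, r in grants)}


if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: {blast_radius(user)}")
    print("roles reaching restricted data:", sorted(roles_reaching("restricted")))
```

Running the report shows why the wildcard admin role deserves the strictest authentication requirements: a takeover of carol's account reaches every tier, while a takeover of alice's reaches nothing restricted.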