Criminals always find a way to take advantage of disasters. In the case of COVID-19, there has been a surge in phishing emails and online scams by nefarious individuals and organised gangs who want to steal data.
Now, more than ever, it’s important to set strong passwords and avoid reusing them across multiple accounts. Password managers make this much easier.
A good way to provide an extra level of security above and beyond passwords is to employ multi-factor authentication (MFA). Multi-factor authentication means using something in addition to a username and password to log into an account.
This might be an authenticator app on a mobile phone, or a security key that plugs into a USB port. With MFA switched on, even if criminals somehow manage to get hold of usernames and passwords, they still can’t log in without that ‘second factor’.
MFA offers important benefits.
Firstly, if attackers find they can’t access an account because of MFA, they’re far more likely simply to try another one, rather than spend time and effort attempting to bypass or remove MFA protections. Secondly, the process of implementing MFA can only heighten the security awareness of all users, which is of benefit to everyone, privately and professionally.
The current separation from colleagues and peers leaves people more vulnerable to cyber scams. It’s not possible to just pop across the classroom or office to say, “Did you really send me that email?” or “Does this link look dodgy to you?”.
It’s easy to make a mistake when there isn’t anyone else around to ask for immediate advice or reassurance.
And mistakes can be very costly.
One of the biggest security threats is account takeover. If hackers gain access to an Office 365 account, they can not only exploit it to send and receive malicious emails, which appear to be from a legitimate sender, they can access data and information stored in OneDrive or SharePoint as well.
It’s like being handed the keys to the kingdom. Boom! Financial and reputational damage could loom large.
Which accounts are being targeted?
There’s a common misconception that hackers are only interested in ‘high-value’ accounts, belonging to, for example, chief executives and finance directors, or, as has been recently reported, researchers working on COVID-19.
Such people are indeed targeted with individualised attacks, but most of us are far more likely to be victims of automated attacks carried out on an industrial scale. Methods like password spraying and credential stuffing employ many thousands of account details obtained via data breaches and traded online. Thinking ”no-one’s going to be interested in my account” is a dangerous assumption. Free tools like Have I Been Pwned allow searches across multiple data breaches to see if email addresses have been compromised.
Convenience vs security
For too long convenience has been prioritised over security, such as being able to log in with just a password from anywhere at any time.
The fundamental problems with passwords are that most people are not very good at choosing strong ones, and tend to reuse passwords rather than setting a different one for every account.
Reusing a password, or choosing a weak password, or not spotting a phishing email, all put users at risk. But once MFA is set up, there's a safety net. That’s not to say it’s infallible - MFA can be busted too - but it takes extra time and effort to do so, and in many cases criminals simply won’t bother.
If people pick their own passwords rather than using a password manager to set and store strong passwords for them, the result is usually a weak password. It is - unbelievably - true that the most popular password of 2019 was 123456 and ‘password’ appears at number four.
Cyber criminals use this complacency to launch automated attacks against hundreds of thousands of accounts using lists of commonly used passwords – a method called password spraying.
The success rate might be low - perhaps less than one percent - but if they target 100,000 accounts that's still plenty of compromised accounts.
Credential stuffing uses the premise that people often use the same password for multiple accounts. Passwords that have been stolen from one data breach are reused to try to access other platforms. In these instances, having a super-strong password is useless.
Things to remember
So, the lesson is clear – use a separate, strong password for every account and turn on MFA wherever it’s possible to do so, whether for work-based or personal accounts, or apps like Amazon and WhatsApp, which offer MFA as an option.
When introducing the idea to staff or students, my advice is to start with the why.
It’s not enough to tell users what to do – it’s important to inspire them to change their behaviours by demonstrating the impact and value of that change. Point out, for example, that the authenticator app will also work for ‘home’ accounts like Amazon. That’s a bonus.