Passwords were once reserved for secret agents and their criminal counterparts. These days, everybody uses passwords. In fact, most of us have too many to keep up with, which is why we often recycle the same ones for multiple purposes. But, only people in positions of power really need to worry about passwords, right?
You may assume that small businesses wouldn’t be at the top of a cybercriminal’s to-do list, but, in fact, the 2021 Data Breach Investigations Report from Verizon found that 46% of security breach victims were small businesses. That same study also found that credentials remain the most sought-after data types. As the report suggests, credentials are often obtained by cybercriminals, and then used “in gaining further access to their chosen victim organization.“
One of the quickest steps you can take to exclude yourself from these statistics is to create strong, sensible passwords. But, like many things, that is easier said than done.
When creating a password, people often gravitate toward words and symbols that are easily recalled. Unfortunately, many of those overlap with millions of other people’s passwords. In 2022, CyberNews.com shared some of the most widely used passwords. These include some of the expected, easily typed passwords like “123456,” “qwerty,” and, you guessed it, “password.”
Other factors that classify a password as weak include personal information like names of family members and pets, birthdays, and addresses. Cybercriminals can easily discover this information through simple web searches, and generate thousands of random password combinations to hack your accounts.
Once they’ve matched a correct password to an account, there’s not a lot stopping them from logging in to all of your other accounts that use the same credentials. For this reason, websites and applications encourage users to choose numbers, special characters, and combinations of upper and lowercase letters to best protect their passwords. These details add exponentially more possibilities for what your passwords can be, thus making them less predictable for hackers.
The consequences of negligence are simply too great for any business to risk. In 2021, the largest compilation of stolen passwords appeared on a popular hacker forum under the name RockYou2021. It contained 8.4 billion entries of passwords. In January 2020, graphic design site Canva revealed that 4 million user accounts containing stolen passwords were shared online in a massive data breach. Adobe faced its own problems in 2015 after a hacker compiled a list containing 150 million usernames and passwords, among other confidential data, including credit card information. Adobe was asked to pay $1.1 million in damages for claims that they violated customer privacy rights. Monetary losses are one thing, but the long-term effects of deleted files and persistent spamming can damage your business even more.
Hackers see your company’s stored data as a treasure trove of profitable opportunity. With access to credit card details, they are able to perform unauthorized transactions that are difficult to trace, leaving the rightful owners no choice but to cut their losses and cancel the cards. They can also choose to sell this personal data to other cybercriminals, or even to advertisers, which puts the rightful owners at major risk of identity theft. Stolen bank account and personal health information can result in daunting cases of blackmail, ransom, and even insurance fraud.
Strong passwords are a group effort. You have to depend not only on yourself, but also on your employees and colleagues, to create and safely store reliable passwords. Prompting them to update their personal passwords on an agreed-upon interval is a good start, and one that could be further supported by installing multi-factor authentication (MFA) and/or a password manager. The problem with enforcing regular, frequent password changes is that employees can become overwhelmed with trying to remember each new password. They then resort to insecure, weak passwords, rather than spending time to create truly unique ones. Focus on quality credentials that are safeguarded with an extra layer of protection like MFA, and you will have already taken a leap forward in your company’s overall privacy policies.