The average corporate user has about 20 sets of login credentials—the usernames and passwords that we use to gain access to things like email, document repositories, social media accounts, instant messaging tools and other corporate systems. Plus, we have a number of login credentials for personal accounts of various types, as well.
Cyber criminals want access to these login credentials for a number of reasons:
- Your corporate email account contains information about your business, communications with clients, your contacts database, invoices, purchase orders, banking details and various types of sensitive and confidential information. Much of this is valuable to a cyber criminal who is looking to steal your company’s data or finances. For example, a cyber criminal who gains access to your corporate email system can search for unpaid invoices sent by your company, and then contact the recipient to offer more favorable terms for quick payment to an alternate recipient—the cyber criminal himself.
- Your email contact database is also a valuable source of new potential victims for purposes like phishing attacks. The cyber criminal knows your contact list is valid, since you’ve taken the trouble to create and maintain this database.
- Your social media accounts are also valuable to a cyber criminal, since they can be used to set up a bogus account in your name and lure your friends into clicking on posts for the purpose of spreading malware or other malicious content.
- Login credentials are also valuable because cyber criminals know that most users employ the same passwords to access multiple systems. Remembering lots of usernames and passwords is difficult, so most of us take shortcuts by reusing passwords. Consequently, if a cyber criminal can gain access to just one of your accounts, they very often have the keys to open most or all of your other ones, as well.
So, what can you do to help protect yourself and employees?
1. Use “out-of-band” authentication
As a non-IT end user, you might not have many opportunities to determine what type of authentication you use to access a system. However, in those cases where you do have the choice, it’s wise to use what’s called “out-of-band” authentication. This method of accessing a system requires you to enter a username and password, after which the system sends a code to another device—typically your smartphone—for you to enter as a second password. This type of authentication, used on a large number of systems (e.g., Dropbox), is much more secure, because a cyber criminal (with rare exceptions) would need access not only to your login credentials, but also to your smartphone.
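To make the second step concrete, here is an added example (not code from the original article or from any particular product) of how the server side of that out-of-band check can be built: the code is random, short-lived, single-use and capped in guesses. The delivery callback, the five-minute lifetime and the five-attempt limit are assumptions chosen for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a one-time code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: after this many wrong guesses the code is discarded


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class OutOfBandVerifier:
    """Second step after the password check: a short one-time code is issued and
    must be presented back before it expires.  Delivery to the phone (SMS, push,
    authenticator app) is a hypothetical callback supplied by the caller."""

    def __init__(self, send_code, clock=time.time):
        self._send_code = send_code          # e.g. lambda user, code: sms.send(user, code)
        self._clock = clock                  # injectable so expiry can be exercised in tests
        self._pending: dict[str, PendingCode] = {}

    def issue(self, user: str) -> None:
        # six digits from the OS CSPRNG; never derived from the password or username
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        self._send_code(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False                      # nothing issued, or code already consumed
        if self._clock() > pending.expires_at:
            del self._pending[user]           # stale code: discard, user must request a new one
            return False
        pending.attempts += 1
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[user]           # single use: the same code cannot be replayed
            return True
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user]           # stop online guessing through the 6-digit space
        return False
```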
2. Change your passwords frequently
It’s always a good idea to change your passwords on a regular basis—maybe every month to three months, depending on how sensitive the system is that you’re accessing. Yes, it’s a pain, but it can reduce your chance of being victimized.
3. Use strong passwords
You might be amazed at the large number of people who use “123456” or “password” for their password (unless, of course, you’re one who does so, in which case you might not be amazed). While it’s logical to use such an easy-to-remember password, keep in mind that a password that is easy for you to remember is also easy for a cyber criminal or an automated password cracker to guess. Instead, use “strong” passwords—something like “Um86)J-bc”—that will be much more difficult and time-consuming to guess.
4. Don’t reuse passwords
It’s essential not to use a password on more than one system. Here again, it’s a pain to remember a different password for every system you need to access, but not reusing them reduces the opportunity for cyber criminals who might be able to break into one of your systems.
5. Use a password manager
Finally, if your IT department allows you to do so, it makes sense to use a password manager that will securely remember all of your passwords. You will still need to remember the password for the management software, but since you’ll need to remember only one, you can make it a strong password that will be difficult for a cyber criminal to guess.
By taking some simple steps, you can dramatically increase your company’s and your personal security.