How to Combat the Serious Rise in Credential Theft


One of the rising cybersecurity threats seen over the last year is credential theft. If a hacker has a legitimate username and password, they’re able to get past all types of security protocols and gain access to company data.

The fact that many companies now store their data in cloud services like Microsoft 365 or storage accounts like Dropbox also makes stolen credentials all the more valuable. One user login can give a criminal access to sensitive company data, other user accounts, and the ability to take over a company email account.

Login credentials were the #1 type of data compromised in phishing breaches last year.

Hackers get their hands on login credentials in a few different ways. One is to use phishing emails that send users to fake login pages designed to steal their username and password.

Another is to purchase large password databases from major data breaches on the Dark Web, which can hand a criminal millions of user login credentials at once.

A third method is to use phishing to plant password-dumper malware in a company's network. This malware seeks out databases of user logins, steals them, and sends them back to the hacker. Password dumpers have now overtaken ransomware as the main type of malware used in data breaches.

Users often make it too easy for hackers to gain access by reusing passwords across accounts. Approximately 65% of people reuse the same login for different accounts, both personal and work. 

This makes it easier for hackers because if they have just one stolen login credential for a person, it can potentially unlock multiple accounts.

Ways to Protect Your Business from Breaches Due to Compromised Credentials

Combating credential compromise can be challenging because users tend to make it easy for hackers by adopting poor password habits. But even a strong password can be compromised in the case of a stolen database of user logins.

That’s why protecting your business from account takeovers requires a multi-layered approach, employing several different safeguards. 

Email Spam Filtering

Phishing emails remain the top cause of all types of data breaches. They can both trick users into giving up credentials and cause users to accidentally plant malware that steals credentials.

Controlling phishing with good network security, including email spam filtering, helps reduce your risk of credential theft and other types of breaches by keeping phishing emails out of user inboxes.

Advanced Antivirus/Anti-malware

Password dumpers and other cyberthreats are becoming more sophisticated all the time, so you need to have an advanced, AI-powered antivirus/anti-malware program. These are designed to detect the unusual behavior that’s a sign of malware, which allows them to keep out even new zero-day threats.

Multi-Factor Authentication (MFA)

The best defense against an account being hacked once its login has already been compromised is to enable MFA on all your user accounts. This adds another step to the login process that most hackers can't get past.

When MFA is enabled, the login process goes like this:

  • Enter username/password
  • Click to receive MFA code
  • Code is sent to a user device (smartphone, etc.)
  • The code has to be entered, usually within 5-10 minutes, to complete the login

MFA blocks about 99.9% of all fraudulent sign-in attempts on your accounts.
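The server side of the code-based flow above, written as an added example for this post (not code from the original article or from any particular MFA product): the code is generated randomly, only its hash is stored, it expires after 10 minutes, it can be used once, and a handful of wrong guesses invalidates it. The `OtpStore` class, the 6-digit format and the attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # codes expire after 10 minutes, matching the flow described above
MAX_ATTEMPTS = 5             # assumed limit: invalidate the pending code after a few wrong guesses


class OtpStore:
    """Server-side record of pending MFA codes (in-memory here; a real service would use a DB)."""

    def __init__(self):
        self._pending = {}   # username -> (code_hash, expires_at, attempts_left)

    def issue_code(self, username, now=None):
        """Generate a 6-digit code, store only its hash, and return the code to send to the user's device."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (self._hash(username, code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify_code(self, username, submitted, now=None):
        """Return True exactly once for the right code within its lifetime, False otherwise."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None:
            return False
        code_hash, expires_at, attempts_left = record
        if now > expires_at:
            del self._pending[username]        # expired: the user must request a new code
            return False
        # constant-time compare so response timing does not reveal how many digits matched
        if hmac.compare_digest(code_hash, self._hash(username, submitted)):
            del self._pending[username]        # single use: a replayed code is rejected
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[username]        # too many guesses: require a fresh code
        else:
            self._pending[username] = (code_hash, expires_at, attempts_left)
        return False

    @staticmethod
    def _hash(username, code):
        # Hashing keeps plaintext codes out of the store; since a 6-digit code is small,
        # the short expiry and attempt limit are what actually stop guessing.
        return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()
```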

Conduct Ongoing User Security Awareness Training

Since your users are generally the main target in phishing scams trying to steal login credentials, they need to be trained regularly on security awareness.

A one-time training is not enough, because threats are always changing and users need to know the types of phishing emails to look out for, as well as hone their skills.

Items to include in your user IT security awareness training:

  • Password security
  • How to spot a phishing email (hovering over links, etc.)
  • What to do if they think an email may be phishing
  • Other forms of phishing (social phishing, text, etc.)
  • Newest types of phishing being used (coronavirus themed, etc.)

It’s also good to conduct simulated phishing drills to help users develop phishing identification skills.

Force Strong Passwords in Your Accounts

Even if you teach good password practices, you can’t always rely on users to adopt them or not get lazy when creating new passwords. That’s why it’s a good safety net to force strong passwords in your business accounts.

Cloud services like Microsoft 365 allow you to set password requirements in the administrative area that will reject passwords that are too weak. 

Require things like a combination of upper and lower-case letters, at least one number and symbol, and a minimum of 10 characters to help ensure users are creating strong passwords.
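A password-policy check implementing the rules just listed, added here as an example and not taken from the original post or from Microsoft 365: it enforces the length and character-class requirements and additionally rejects any password found in a list of previously breached passwords, since a complex-looking password reused from a stolen database is still compromised. The breached-password entries are constructed for this example.

```python
import hashlib
import re

MIN_LENGTH = 10   # the minimum recommended above

# Constructed sample of previously breached passwords, kept as SHA-1 hashes the way
# leaked-password lists are commonly distributed (hypothetical entries for this example).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2020!", "Summer2021!!")
}


def policy_failures(password, breached_hashes=BREACHED_SHA1):
    """Return the list of rules a candidate password violates (an empty list means it is accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    # Complexity alone does not help if the password already sits in a stolen database,
    # so compare its hash against the breach list as a final gate.
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in breached_hashes:
        failures.append("appears in a known breach")
    return failures
```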

Get Help Protecting Your Sudbury Business from Credential Theft

Haxxess can help your business put the necessary safeguards in place to secure your user login credentials and keep hackers from taking over your accounts.

Contact us today to schedule a free consultation! Call 705-222-8324 or reach out online.
