Cyberattacks incur high costs that can bankrupt small and medium-sized enterprises (SMEs). A study by Forsa on behalf of the German Insurance Association (GDV) shows that, on average, one in four companies in the manufacturing sector has already fallen victim to a successful hacker attack, with financial losses amounting to at least five figures.
Many SMEs have taken advantage of the pandemic to review their security measures. In many places, however, protection remains inadequate, and in some respects it has become worse: according to a study conducted by IDC on behalf of LastPass, the home office trend has compromised security in almost all companies (98 percent), primarily through unsecured mobile devices and careless password behavior. Cybercriminals are aware of these vulnerabilities and are increasingly targeting the midmarket.
The coronavirus has triggered a “digital pandemic”: cyberattacks are now piling up on large and small targets alike. And while the world is moving toward a post-COVID future, there is not the slightest reason to relax in the security arena. In fact, attacks on mid-sized businesses have increased since the start of the pandemic, in part due to the challenge of managing an ever-increasing number of remote workers. To protect their data, companies can therefore no longer rely solely on pre-pandemic protocols, policies, and infrastructure.
Poor Password Hygiene
The spectrum of attacks has also expanded in the pandemic. While some hackers are launching increasingly sophisticated attacks to outsmart security experts, others are relying on hitting unprepared targets with simple and proven methods.
Social engineering attacks, in particular, have increased. According to the LastPass study, 83 percent of organizations have already experienced security incidents resulting from compromised passwords or phishing. In many places, protective measures on private networks are not enough.
However, a major threat is also posed by a company’s own employees, who access company data and applications from insufficiently secured devices or do not take the handling of passwords seriously enough. These are fatal developments, which the Infosec Institute sums up as follows: “The attacker doesn’t hack in. He logs in – with your log-in data.”
Carelessness with passwords is an ongoing problem – not only in the private sphere but also at work. That’s because employees have a hard time remembering the 50-plus passwords they often need to do their jobs, so they use the same passwords for multiple accounts. In a 2019 Google survey, 65 percent of participants said they use passwords more than once. By doing so, they open the door to hackers and put the entire company at risk.
This is especially true for SMEs: according to the LastPass study, employees at 32 percent of smaller companies struggle with too many passwords. In principle, everyone knows that a secure password is at least 16 characters long and contains a mix of upper and lowercase letters, as well as numbers and symbols. But there is a big gap between awareness and action.
Credentials from the Dark Web
To make matters worse, there are an increasing number of password marketplaces on the dark web where cybercriminals can buy lists of usernames and passwords. They then use these lists for automated login attempts to services such as Microsoft 365 or Google, which are becoming increasingly common due to the remote work trend.
Once the hackers have successfully hit a target using this so-called “spray and pray” approach, they can easily access the respective accounts, often without leaving any traces. It therefore makes sense to set up a monitoring service for the dark web. But above all, it is important to put a stop to the reuse of passwords across accounts.
However, finger-pointing is out of place. Today’s office workers need to access various tools and systems. At the same time, they are expected to get their work done quickly and efficiently. They cannot manage dozens of credentials on top of that. It is therefore important that companies deploy the right identity and access management solutions, such as a password manager, which can be used to create and store secure passwords.
And when users return to a website, the appropriate credentials are automatically entered. With easy-to-use collaboration tools and a password manager, companies can promote the secure storage of credentials and responsible password use.
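The “spray and pray” pattern described above leaves a recognisable footprint in authentication logs: one source tries many different accounts with only one or two attempts each, which looks quite different from brute force against a single account. The following detection routine is an added example, not code from the article or from any vendor it mentions; the log format, field layout and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article):
# timestamp  source_ip  account  result
SAMPLE_LOG = """\
2023-05-02T08:00:01Z 203.0.113.7 alice@example.com FAIL
2023-05-02T08:00:03Z 203.0.113.7 bob@example.com FAIL
2023-05-02T08:00:05Z 203.0.113.7 carol@example.com FAIL
2023-05-02T08:00:07Z 203.0.113.7 dave@example.com SUCCESS
2023-05-02T08:01:00Z 198.51.100.4 alice@example.com FAIL
2023-05-02T08:01:02Z 198.51.100.4 alice@example.com FAIL
2023-05-02T08:01:04Z 198.51.100.4 alice@example.com FAIL
2023-05-02T08:01:06Z 198.51.100.4 alice@example.com FAIL
2023-05-02T08:02:00Z 192.0.2.10 frank@example.com FAIL
2023-05-02T08:02:30Z 192.0.2.10 frank@example.com SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_log(text):
    """Yield (timestamp, ip, account, result); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def classify_sources(text, min_accounts=3, max_fails_per_account=2, min_fails_one_account=3):
    """Map source IP -> finding. A 'spray' source tries many different
    accounts with few attempts each (a leaked list being replayed);
    a 'brute_force' source hammers one account. Successes from a flagged
    source are listed so those accounts can be reset and MFA enforced."""
    per_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # account -> [fails, successes]
    for _ts, ip, account, result in parse_log(text):
        per_ip[ip][account][0 if result == "FAIL" else 1] += 1
    findings = {}
    for ip, accounts in per_ip.items():
        failed = [a for a, (f, _s) in accounts.items() if f > 0]
        hits = sorted(a for a, (_f, s) in accounts.items() if s > 0)
        if len(failed) >= min_accounts and all(accounts[a][0] <= max_fails_per_account for a in failed):
            findings[ip] = {"kind": "spray", "accounts_tried": len(accounts), "compromised": hits}
        elif any(f >= min_fails_one_account for f, _s in accounts.values()):
            findings[ip] = {"kind": "brute_force", "accounts_tried": len(accounts), "compromised": hits}
    return findings

if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_LOG).items():
        print(ip, finding)
```

Thresholds are deliberately low for the tiny sample; in production they are tuned per tenant, and a success inside a flagged spray is the signal to reset that account’s password and require MFA.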
Prevention Is Better than Cure
According to a study by the BSI, 26 percent of companies describe the damage they have suffered as a result of a cyberattack as “very serious” or even “threatening to their existence”. Attacks not only cause high costs, but they can also impair day-to-day business and damage the company’s reputation. More and more security managers are therefore giving high priority to investments in cybersecurity.
According to the BSI, 81 percent of companies want to train their employees regularly in security matters. Priority is also given to measures relevant to the security of remote employees – including VPN (66 percent of mentions), encryption of data media (65 percent), multi-factor authentication (52 percent), network segmentation (51 percent), and mobile device management (38 percent). Practicing how to respond to a potential attack on a regular basis was cited by 24 percent.
However, given the ease with which hackers can exploit password carelessness, one finding from the study is concerning: nearly one-third of companies said a small business does not need solutions such as single sign-on (SSO) and multi-factor authentication (MFA). Yet it has been shown that no company is too small to become a target for cybercriminals. All companies, even small businesses, need strong password and access protection.
Single sign-on (SSO) allows employees to log in with one set of login credentials based on their identity and permissions, so they do not have to remember multiple strong passwords. It also gives IT administrators visibility into which users have access to which applications, and lets them approve or revoke that access as needed. With MFA, a second factor is required in addition to the password, typically a one-time code generated by a dedicated app or delivered to the user’s smartphone. This is used to prove that the right person is logging in, so login attempts by anyone who cannot supply the second factor are blocked in real time.
Today’s hackers know how to exploit potential security vulnerabilities in a remote infrastructure. They are experts at finding existing vulnerabilities in any security strategy. However, the biggest threat to a company’s security is its own employees: 85 percent of security breaches are due to human error. A secure infrastructure thus plays only a subordinate role. Instead, companies must make it easy for their employees to behave securely without their work suffering. It is therefore also important for SMEs to educate their employees about the correct use of passwords as well as SSO and MFA.
Above all, introducing a password manager is an easy-to-implement, user-friendly, and highly effective measure. It gives employees access to the tools they need to do their jobs, and at the same time it plays a key role in defending against potential attackers. According to IDC analysts, 45 percent of companies use a password manager or an EPM (enterprise password management) solution. Another 45 percent would also like to use SSO and MFA, but they lack the budget for a more complex identity solution.
Not every small company can afford its own security expert. But there are professional consultants who can help. Don Macintyre, interim CEO of the UK Cyber Security Council, puts it succinctly: “A single conversation with a security expert and a few simple measures is all it takes. This will allow any business to protect itself and its customers and get back to full business focus.”
The new working models also offer many advantages for SMEs by increasing their flexibility and agility. However, without the right identity and access controls, the growing security risks cannot be managed. What is needed are comprehensive and user-friendly solutions that enable employees to do their work securely from any location – regardless of the size of the company.