Australian businesses are being urged to enhance their cyber security efforts, with the Australian Cyber Security Centre (ACSC) warning of an increased risk of cyberattacks. There are many mitigation strategies organisations can adopt to battle cybercrime — but employees can also assist by keeping their passwords secure. RBC Group’s Chief Technology Officer and Systems Specialist, Scott Holzberger, runs us through some simple password strategies to help keep the hackers at bay.
Cybercriminals at work
For cybercriminals, cracking user passwords has become easier than ever. “Since COVID-19, there’s been a sharp increase in remote work environments and online communication. What used to be in-person communication has become text messages, emails and phone calls, making it harder to keep tabs on security,” says Scott. “We’ve seen a surge in social engineering attacks, where cybercriminals try to trick users into revealing their password or sensitive information. This means they don’t have to worry about an organisation’s account lockout policies because they are getting the inside track. “You should never reveal your password or answer security-type questions, like revealing your mother’s maiden name or your date of birth, to anyone.”
Have a strong password policy — and stick to it
Organisations need to have a strong password policy, but it’s even more important to enforce it. “A strong password policy starts from the top down. I’ve known of organisations that have great policies in place but also have leaders that don’t follow their own policies,” explains Scott. “Your password policy is only as strong as your weakest link, so if you don’t follow it, how can you enforce it on anyone else?” And once you do have a strong policy in place, make sure each and every team member knows and understands what it is.
Change it up
Most people use the same password across all their digital logins, from internet banking to Netflix accounts and work devices. This is risky: if that one password is compromised, it could give cybercriminals access to every account on every device you own or use, and you might not even realise it. “If your password is compromised, attackers may not act immediately,” warns Scott. “They may hold onto the access for months or even years, monitoring your communications and information to build up a profile on you. “Eventually, they’ll be able to open up bank accounts, apply for passport renewals, or on-sell your information, by using this behind-the-scenes approach. Then when they decide to hit, they’ll drain your bank account and run up your credit cards.” Be sure to use different passwords across your accounts and reset them often.
Enable two-factor authentication… now
The most effective way to stop your accounts from being compromised is to enable two-factor authentication, or 2FA. 2FA adds an extra layer of security, such as an authentication app or a text message to your mobile device, that must be passed before an account can be accessed. “So, unless they’ve got your mobile device as well, they won’t be able to use a cracked password to log in,” says Scott. “You can’t do a bank transfer without using 2FA, so if it’s good enough to transfer $20 to your mum, why would you not have it securing your systems?”
Passphrases over passwords
“Computing power has come such a long way that these days a cybercriminal only needs a $2,000 machine to be able to crack a 12-character password in about six days. That’s why we say don’t choose a password, choose a passphrase instead,” advises Scott. “We would usually recommend using passphrases that include upper and lower case letters, special characters and punctuation, that can have different numbers added to the end as updates. “It can be a favourite saying or a memorable sentence, then each time you change your passphrase, change a character. This way, it becomes much more difficult to crack.”
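To show why length matters so much, here is an added worked example (not from the article or RBC Group) that takes the quoted figure, a 12-character password in about six days, at face value, derives the guessing rate that implies, and estimates how long longer passphrases would hold out against the same attacker. The character-set sizes (62 alphanumerics for the original password, 95 printable symbols for a passphrase) are assumptions.

```python
"""Constructed example: turn "12 characters in six days" into an implied
guess rate, then compare passphrases of different lengths against it."""
import math

SECONDS_PER_DAY = 86_400
# Assumed character sets (not stated in the article).
ALNUM = 26 + 26 + 10      # upper case, lower case, digits
PRINTABLE = 95            # printable ASCII, including punctuation


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def implied_guess_rate(charset_size: int, length: int, days: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `days`."""
    return keyspace(charset_size, length) / (days * SECONDS_PER_DAY)


def expected_crack_days(charset_size: int, length: int, rate: float) -> float:
    """Days to search the whole keyspace at `rate` guesses per second.
    The average case is half of this; the worst case for the attacker is all of it."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_DAY


def bits_of_entropy(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string, in bits."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    # The article's figure: a 12-character (assumed alphanumeric) password in 6 days.
    rate = implied_guess_rate(ALNUM, 12, 6)
    print(f"implied attacker rate: {rate:.2e} guesses/s")
    for length in (12, 16, 20, 28):
        days = expected_crack_days(PRINTABLE, length, rate)
        print(f"{length:2d}-char passphrase over {PRINTABLE} symbols: "
              f"{bits_of_entropy(PRINTABLE, length):5.1f} bits, {days:.2e} days")
```

The estimate assumes a random passphrase; a well-known saying is far weaker than its length suggests, which is why Scott recommends changing characters within it rather than reusing it verbatim.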
Review your security regularly
Run through security permissions for your accounts regularly to ensure only authorised people have access. “If people are going away for an extended period, remove their permissions for everything,” says Scott. “So any sensitive data or applications aren’t at risk of being accessed until the staff member returns.”
“Taking a proactive approach to what people have access to and how they are accessing it is essential.”
Security Awareness Training
Staff can undertake specialist security training to help prevent cyberattacks. RBC Group, powered by Ducentis, offers an easy, ongoing training program that is proven to significantly reduce the risk of security breaches.
We do this through phishing simulations — based on real-world attacks — and training that covers relevant security and compliance topics.