
Ensuring the safety of your data and systems – best practice for businesses


Robust data security practices are essential to protect your business’s data and systems. The traditional method of controlling entry to systems using static passwords created by users is no longer considered to be sufficiently secure as hackers develop increasingly clever ways of cracking passwords. These methods are many and varied, and include:

  • phishing emails that collect users’ passwords;
  • intercepting passwords as they are passed across networks;
  • intercepting passwords as they are entered into a device;
  • rainbow tables: Passwords are never saved as plain text in a website database. When a password is registered on a website, an algorithm produces a one-way ‘hashed’ form of it, which cannot be converted back into the original. However, hackers have access to ‘rainbow tables’, which list the hashed versions of many commonly used passwords alongside their plain-text versions, so a stolen hash can be matched to its password and used to access the account;
  • dictionary attacks: Hackers take an enormous text file of candidate passwords, hash each one and compare the result with the hashed version of the password to be cracked. If any candidate matches, the hacker has the plain-text password at their disposal. Hackers can also build their own candidate lists from information they have gleaned about particular targets (important dates, names of pets and family members, favourite football team, etc.);
  • brute-force attacks: Every conceivable combination of letters, numbers and symbols is hashed and compared with the hashed password to be cracked. It is almost impossible for complex passwords to be cracked this way because of the time it would take (even at today’s processing speeds), but relatively simple passwords can be cracked easily.
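The three attacks above all work on a stored hash, so the defender’s counter is how the hash is produced. The following example is added here to illustrate that point and is not code from the original article: it builds a constructed, four-entry stand-in for a lookup table, shows that a fast unsalted hash of a common password is found in it, and then shows that a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library) gives two users with the same password different stored values, so a precomputed table no longer applies. The passwords, iteration count and function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a rainbow/lookup table: the plain SHA-256 of a few
# common passwords, computed here. Real tables hold millions of entries.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
LOOKUP_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Assumed work factor for the slow hash; pick the largest value the login
# latency budget allows.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password (hypothetical legacy store)."""
    return hashlib.sha256(password.encode()).hexdigest()


def found_in_lookup_table(stored_hash: str) -> bool:
    """Defender's self-check: would a precomputed table reveal this stored hash?"""
    return stored_hash in LOOKUP_TABLE


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """The stronger scheme: random per-user salt plus a slow KDF.

    Returns (salt, digest); both are stored, neither is secret on its own.
    """
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Two users who both chose "password" (constructed example input).
    weak_a, weak_b = unsalted_hash("password"), unsalted_hash("password")
    print("unsalted hashes identical:", weak_a == weak_b)
    print("unsalted hash found in table:", found_in_lookup_table(weak_a))

    salt_a, strong_a = salted_hash("password")
    salt_b, strong_b = salted_hash("password")
    print("salted digests identical:", strong_a == strong_b)
    print("login check for user A:", verify_salted("password", salt_a, strong_a))
```

Because the salt is random, the table entry for "password" is useless against either user, and because each guess costs 600,000 HMAC iterations a dictionary or brute-force run is slowed by the same factor.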

Relying solely on static passwords places the onus on users to remember a whole raft of different passwords. The more passwords users are expected to remember, the more likely they are to forget them and be required to change them after failed log-in attempts. This encourages users to come up with less secure passwords as they run out of options and revert to simpler ones that are easier to remember. Because password-only access is increasingly considered to be insufficiently secure, passwords should be viewed as one part of a company’s security front line, to be used in conjunction with other security measures.

Securing your business’s data and systems

The National Cyber Security Centre (NCSC) (a part of GCHQ) recommends the use of multi-factor authentication (MFA) in its password guidance. MFA is a layered defence that makes it more difficult for hackers to gain access to systems – they are faced with at least one additional barrier to entry if a user’s static password is compromised. With MFA, users begin by entering a static password but are also required to enter one or more other pieces of information, which could be a combination of:

  • something only the user knows (e.g. a PIN, or a randomly generated ‘one-time password’ that authenticates the user for a single session and is delivered only to a mobile number or email address the user registered as part of their security protection);
  • something only the user has (a USB stick, a bank card);
  • something that identifies users (e.g. biometric information).
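The one-time password in the first bullet is the piece of MFA a business most often has to build or configure itself, so the following example is added here (it is not code from the original article or from the NCSC) to show what a correct second-step check looks like: the code is generated with a cryptographic random source, only a keyed hash of it is stored so a database read does not reveal outstanding codes, and it expires, can be used exactly once and locks after a small number of wrong guesses. The lifetime, attempt limit, class names and the in-memory store are all assumptions; the plain code is returned once so the caller can send it to the user’s registered phone or email address.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_LIFETIME_S = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: lock the challenge after five wrong guesses


@dataclass
class Challenge:
    code_mac: bytes     # HMAC of the code, never the code itself
    expires_at: float
    attempts: int = 0
    used: bool = False


class OneTimeCodeService:
    """Issues and verifies single-use codes for the second step of a login."""

    def __init__(self, server_key: bytes = None, now: Callable[[], float] = time.time):
        # Assumed server-side secret: keeps a leaked table from being brute-forced
        # over the million possible six-digit codes. Generated here for the demo.
        self._key = server_key or secrets.token_bytes(32)
        self._now = now
        self._challenges: Dict[str, Challenge] = {}

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh code for this login session and return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[session_id] = Challenge(
            code_mac=self._mac(code),
            expires_at=self._now() + CODE_LIFETIME_S,
        )
        return code

    def verify(self, session_id: str, submitted: str) -> bool:
        """True only for the unexpired, unused code of this session, within the attempt budget."""
        ch = self._challenges.get(session_id)
        if ch is None or ch.used or ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        if self._now() > ch.expires_at:
            return False
        if not hmac.compare_digest(self._mac(submitted), ch.code_mac):
            return False
        ch.used = True          # a code that has logged someone in cannot be replayed
        return True


if __name__ == "__main__":
    svc = OneTimeCodeService()
    code = svc.issue("session-42")      # would be sent to the registered phone/email
    print("first use accepted:", svc.verify("session-42", code))
    print("replay rejected:", svc.verify("session-42", code))
```

The check order matters: the attempt counter is incremented before the time and value comparisons, so an attacker cannot probe an expired challenge for free, and a wrong guess never reveals which of the three conditions failed.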

Once MFA is in place, the onus is no longer on users to remember a whole raft of different passwords. Instead, they can set up one longer, and more secure, password that they can use across systems.

Microsoft recommends the use of two-step verification, a form of MFA, for access to its systems (a security measure that is already used across many other systems). When users attempt to log in from an unrecognised device, a security code is sent to their mobile phone or another registered email address and access is only granted once this code has been entered.

What about the companies we work with? What if they have been hacked? What information have my users sent to these companies over email, and how could that information be used against us?

Microsoft’s security recommendations – password security

Despite the reduced focus on static passwords and the increase in MFA, passwords will still be with us for some time to come. A report from Microsoft about password security for Microsoft users outlines some very useful recommendations for IT administrators to ensure the security of business systems:

  • DO enforce the use of passwords with a minimum length of eight characters. Longer minimums are not necessarily better, as users tend to pad with predictable combinations to reach the required length.
  • DO NOT enforce the periodic changing of passwords. The more often users are asked to change their passwords, the more likely it is that the passwords will be simplified and easier to crack.
  • DO ensure that users don’t use common passwords (e.g. single words, common phrases or passwords using personal information that could be guessed by people who know a lot about them).
  • DO NOT require the use of certain characters (uppercase, lowercase, digits). Hackers can predict how people use special characters (e.g. capitals at the beginning, numbers at the end), which can help them in their dictionary attacks.
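The four rules above translate directly into a password-acceptance check, and the example below is added here to show one (it is not Microsoft’s code or part of the original article). It enforces the eight-character minimum, rejects common passwords after stripping the predictable decorations the last bullet mentions (a leading capital, trailing digits or symbols, simple letter-for-digit substitutions), rejects passwords containing supplied personal information, and deliberately contains no character-class or expiry rule. The banned list is a constructed stand-in; a real deployment would load a large list of leaked or common passwords.

```python
import re
from typing import Iterable, List

MIN_LENGTH = 8

# Constructed stand-in for a banned-password list.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "football"}

# Common letter-for-digit substitutions undone before the banned-list check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Reduce a password to its predictable core: lower-case it, drop trailing
    digits/symbols, then undo simple substitutions, so 'P@ssw0rd1!' -> 'password'."""
    core = password.lower()
    core = re.sub(r"[\d!@#$%^&*._-]+$", "", core)
    return core.translate(LEET)


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is unacceptable; an empty list means it is OK.

    Note what is absent: no required character classes and no expiry, per the
    recommendations above.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(password) in BANNED_PASSWORDS:
        reasons.append("matches a common password once predictable decorations are removed")
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            reasons.append(f"contains personal information ({item!r})")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["P@ssw0rd1!", "Football2019", "short", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, personal_info=['Rex']) or 'accepted'}")
```

Checking the normalised form is what makes the "DO NOT require certain characters" rule safe: a policy that demanded a capital and a digit would accept "Password1", whereas this check recognises it as "password" with predictable padding.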

To ensure the security of your data and systems it is essential that you implement adequate security measures. Part of this process entails educating users (e.g. robust password protocols, not opening emails or attachments from unknown sources) as well as ensuring that your business’s systems and software are kept up to date with the latest security patches, etc. Office 365 offers a whole host of features and tools that can help you protect your business and data. To find out how our security specialists can help you secure your data and systems, please contact our teams.
