Cyber criminals are using ever more ingenious and cunning ways to infiltrate systems, so greater vigilance is needed in these challenging times. Even dustbins and recycling bins provide sources of information to hackers, as a Telegraph report from July 2020 [1] demonstrated. Therefore shredding confidential documents, keeping desks clear and tidy, and disposing of waste bin contents carefully is important, lest they inadvertently provide confidential information such as password details.
Passwords are here to stay
Although access management and authentication methods, such as biometric identification, are continually evolving, the use of passwords is not going to stop any time soon. An estimated 300 billion passwords [2] will still exist by 2020, making proper password management still of vital importance for businesses of all sizes, especially those in the healthcare sector with sensitive and valuable data to protect.
There are numerous ways that hackers will try to get hold of login information, from ‘brute force’ guessing using a computer programme to methods such as ‘credential stuffing’, ‘social engineering’, ‘password spraying’, ‘traffic interception’ and ‘rainbow table attacks’. You don’t need to understand all the jargon or even how all of these work, but suffice it to say that the importance of good passwords cannot be emphasised too strongly. Cyber security experts CR-T.com [3] state that 80% of hacking breaches involve stolen passwords or credentials.
Strong password use is a basic cybersecurity requirement
According to a Bloomberg Business story, a cyber-criminal can crack a six-character password that has all lowercase letters in just 10 minutes. Yet one with 8 characters including just one capital letter would take 200 years to crack. The 2017 Verizon Data Breach Investigations Report (DBIR) [4] found that 81% of hacking-related breaches used stolen passwords and/or weak or guessable passwords. According to numerous reports, the word ‘Password’ was the second most popular password among adults in 2019. Cyber Aware [5] advise that passwords should be at least 8 characters and contain a combination of numbers, symbols and upper and lower case letters. They suggest creating passwords using three random words put together, like ‘coffeesinkshelf’ or ‘bedflowershirt’. Choose words that are memorable, but avoid those which might be easy to guess, such as ‘onetwothree’, or which are closely related to you personally, such as the names of family members, dates of birth or pets.
Guess one – get one free!
Cyber watchdog Security Ventures advise not to use the same password across multiple sites (the average is 5 passwords shared across all accounts, according to their recent report [6]). If hackers gain access to one account, they may be able to glean information allowing them to access other user accounts. Hackers also sell lists of stolen passwords to each other, which can result in widespread malicious activity and increase breach risk across networks.
Do not share passwords, re-use them, or write them down. Remember passwords can only go so far in terms of protection and they also rely on how your staff implement them.
Most cyber security firms recommend multi-factor authentication (MFA) and multi-step authentication as useful tools in your arsenal. Password managers provide another option: they store all credentials behind a single master password, and many can pre-populate credentials into applications securely, removing the need to write things down. Another useful way to remember passwords is to create a password from a phrase; for example, “I want to cure the common cold by 2015” becomes “Iw2ctccb2015”.
The NCSC [7] guidelines suggest some simple steps which can help to reduce the chances of getting hacked:
- Do not use your network username as your password
- Do not use easily guessed passwords
- Do not share them or write them down
- Avoid common everyday words; randomise them
- Avoid patterns like a word followed by 3 numbers
- Do not choose passwords that are personally identifiable
- Do not just use words: add in mixed cases, numbers and symbols
- Passwords should be vetted against a list of common/weak passwords
- Increase the minimum password length (to more than 8 characters), with complexity requirements optional
- Utilise other factors to secure passwords such as MFA
- Change passwords regularly
- Do not reuse passwords from other sites, especially social media
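The checks in the list above can be enforced at password-setting time rather than left to staff memory. The following is an added example, not code from the original article or from the NCSC: a vetting function that applies the username, common-password, word-plus-digits, character-mix and personal-information rules. The deny list is a constructed stand-in for a real common-password list, the 12-character minimum is an assumption (the page only says "more than 8"), and the word-plus-digits check is slightly broader than the page's "3 numbers", catching one to four trailing digits.

```python
import re

# Constructed stand-in for a real common/weak password list (the page says to
# vet against such a list but does not supply one).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "onetwothree"}

MIN_LENGTH = 12  # assumption: the page only says "more than 8"

# "A word followed by 3 numbers" from the NCSC list, broadened to 1-4 digits.
WORD_THEN_DIGITS = re.compile(r"^[A-Za-z]+\d{1,4}$")


def vet_password(password: str, username: str = "", personal_terms=()):
    """Return the list of rules the password breaks; an empty list means accepted."""
    reasons = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # "Do not use your network username as your password" (also catches it embedded)
    if username and username.lower() in lowered:
        reasons.append("contains the network username")
    # "Passwords should be vetted against a list of common/weak passwords"
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common/weak password list")
    # "Avoid patterns like a word followed by 3 numbers"
    if WORD_THEN_DIGITS.match(password):
        reasons.append("is a single word followed by digits")
    # "Add in mixed cases, numbers and symbols": require three of the four classes
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        reasons.append("needs at least three of: lower, upper, digit, symbol")
    # "Do not choose passwords that are personally identifiable": caller supplies
    # the user's known terms (surname, year of birth, pet's name, ...)
    for term in personal_terms:
        if term and term.lower() in lowered:
            reasons.append(f"contains personal information ({term})")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including the article's own "Iw2ctccb2015"
    for pw in ["Password123", "Iw2ctccb2015", "coffeesinkshelf", "jsmith2020!"]:
        print(pw, "->", vet_password(pw, username="jsmith", personal_terms=["smith"]) or "accepted")
```

Note that the article's three-random-words suggestion (‘coffeesinkshelf’) passes the length rule but fails the character-mix rule, which shows that the Cyber Aware and NCSC advice quoted on this page are not identical and a policy must pick one.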
Patient data records and any sensitive data access must have their passwords changed routinely and follow best password management practices.
There are several password management tools available online which can securely store passwords and provide password strength analysis. Self-service password reset tools can help secure passwords across multiple systems. There are free versions of single sign-on software that are quick and easy to download; just compare what’s available from different software companies. It is also useful to keep a record of offending IP addresses and blacklist them.
For more information on password security go to https://www.ncsc.gov.uk/collection/passwords
1. Telegraph: https://www.telegraph.co.uk/technology/2020/07/22/chinese-hackers-pillaged-computers-recycling-bins-steal-secrets
2. Ponemon Institute survey: https://www.logonbox.com
3. CR-T.com: https://cr-t.com/
4. The 2017 Verizon Data Breach Investigations Report (DBIR): https://enterprise.verizon.com/
5. Cyber Aware: https://www.ncsc.gov.uk/cyberaware/home
6. Analyst firm Security Ventures: https://cybersecurityventures.com/
7. NCSC Guidelines: https://www.ncsc.gov.uk/cyberessentials/overview