The three most important elements of cyber hygiene in the age of hybrid work
Network users often expose themselves to attacks by cybercriminals, e.g. by using the same password across multiple sites. In this case, if one account is successfully hacked, the rest are at risk. To prevent this, it is crucial to implement proper practices and precautions, i.e. the so-called “security measures”. Tools such as password managers and multi-factor authentication mechanisms help here. Best practices are discussed by Aamir Lakhani and Jonas Walker, experts from Fortinet’s FortiGuard Labs.
Why is using a single password a threat to cybersecurity?
Jonas Walker: This is a very important issue because there are still many people who use one password or slightly different variations of it for different accounts. When, for example, you put a “2” at the end instead of a “1” because of a requirement to update, then the password remains essentially the same. It is not unique, and in my opinion, this is a big problem because reusable passwords make it easy for cybercriminals. A hint for them is also the layout of the keys on the keyboard. If a site requires a password with a special character or number, most likely that special character will be an exclamation mark because it is on a key with the number 1. This is the logic that users usually follow, and cybercriminals are well aware of this. The popularity of password patterns and machine learning (ML) mechanisms make it easier for them to determine which structures are most commonly used.
Aamir Lakhani: There are millions of old passwords that have leaked out but are still used by users. Sometimes they just change a digit, add or remove a letter. Cybercriminals have programs that look for these common substitutions. They create lists of passwords, from which they can generate millions of new ones, with different combinations. They then test them automatically until they hit on the correct one. That’s why I always encourage the use of unique usernames on each site. Some of them require it to be an email address, but it is best to set up a new one each time for this purpose.
How to secure passwords and usernames in a hybrid work environment?
Jonas Walker: I recommend using password managers. This tool makes data protection very easy. Every time we register with another platform, it will automatically generate a new, unique password and store it in its forms.
Aamir Lakhani: It is also important to remember that multi-component authentication can give a false sense of security. Many people use text or SMS verification, but this solution has weaknesses. This is where cyber hygiene is especially important. Often when cell phone operating systems pop up windows asking “Do you want to share the data sent in SMS messages with this application” or “Are these the permissions you want to give to applications”, not everyone reads their content. It is usually careless to click “yes”, so that applications receive more data than the user would like. These powers are used e.g. for advertising purposes. In turn, malicious applications force access to SMS messages in this way to steal codes sent during the multi-factor authentication process. Therefore, it is important to be aware of what permissions you give to applications.
How best to take care of your company’s cyber hygiene in the age of hybrid work?
Jonas Walker: Connecting devices used for remote work to the corporate network should be done with great care. Note that in recent months, home networks have often been attacked because of remote work. If the security of software installed on mobile hardware has been breached, then connecting it later to the corporate network can bring a serious threat. Cybercriminals anticipate such scenarios in advance, so I’m confident they are prepared for this type of attack. Meanwhile, more and more private devices are gaining access to the corporate network, so educating employees and providing them with training is essential.
Aamir Lakhani: I agree that training employees and raising awareness about digital threats is key to a company’s cyber security. Knowing how to filter incoming emails can be a really simple way to avoid phishing attacks, which still happen frequently. I also recommend having two email boxes – one for internal messages and one for external ones. It is also useful to use digital signatures to identify the trustworthiness of digital correspondence.