One statistic that stood out on the most recent IBM Security Cost of a Data Breach Report was connected to credential theft. Compromised usernames and passwords are now the #1 cause of data breaches, and account for 20% of them globally.
Securing passwords, especially those connected to email accounts, continues to be a challenge for many businesses. Passwords are often left up to the user, making it one of the more risk-prone areas of a cybersecurity strategy.
With so many passwords to deal with, people often fall into password habits that leave companies at risk of a breach. These include things like:
- Reusing passwords across multiple accounts
- Using weak passwords
- Sharing passwords
- Storing and sending passwords in an unsecured manner
51% of people use the same passwords for personal and work accounts.
It’s critical to address password security for business email, and implement two-factor authentication (2FA) on accounts that include email and other applications (e.g., Google Workspace, Microsoft 365, etc.), and here’s why.
Email Breach Can Lead to Multiple Phishing Attacks
Email accounts are a high-value target among hackers. One breach of a user email account can lead to multiple other attacks by using that account to send out phishing emails.
When phishing is sent from a legitimate address, it has a much higher chance of fooling the recipient. People will see a familiar email address and default to trusting the message, rather than being suspicious as they should be when receiving a message from an unknown sender.
Gaining access to a business email account provides the ultimate phishing tool for this reason. Hackers can also perpetrate more lucrative attacks due to the trust already attached to the user email domain they’ve compromised.
Convincing and targeted phishing attacks can be sent from a compromised address to:
- Employees in the same company
- Customers of the company
- Vendors that do business with the company
Business Email Compromise Is Becoming Lucrative for Hackers
Business email compromise (BEC) is becoming more lucrative, even more so than ransomware, and the number of incidents has risen accordingly. Underground criminal groups and state-sponsored hackers are in this to make large sums of money, so the attack types that earn them the most grow in volume.
71% of organizations experienced BEC attacks within the past year.
When a legitimate email address is compromised, the phishing scams sent from that address often involve money. This can include messages such as:
- Requests for employees to purchase gift cards for customer gifts and send the numbers
- Requests to update payment or wire details and send sensitive information
- Fake wire transfer details requesting payment on an invoice
In one reported incident of a rather large phishing score, a company sent a $60 million wire transfer to a scammer who had used BEC to fool them.
Recommendations for Securing Your Business Email Accounts
Implement Two-Factor Authentication
Two-factor authentication (a form of multi-factor authentication) is one of the best ways to keep accounts secure.
All-in-one platforms like Microsoft 365 and Google Workspace will often be protected by a single password. If a hacker gets in, they not only have access to your cloud data but also to a company email account.
2FA adds an important second step to account verification, one that hackers typically can’t get past. It usually involves a time-sensitive, one-time passcode being sent to a registered user device. The code must be entered after the username and password to complete the login.
According to Microsoft, 2FA is 99.9% effective at stopping fraudulent account sign-in attempts. It’s a vital part of any good cloud and email security strategy.
If users are afraid that 2FA will slow them down, there are many single sign-on (SSO) solutions that can be used to improve the account access experience and make it convenient for users, as well as secure.
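To show what makes the second step “time-sensitive” and “one-time”, here is an added example (not code from the original post or from any vendor named on it) of the authenticator-app variant of that passcode, the TOTP scheme from RFC 6238, with a hypothetical server-side `SecondFactor` wrapper that tolerates a little clock skew and refuses to accept the same code twice. The secret is the RFC 6238 test-vector secret, not a real credential; a real deployment generates a random per-user secret at enrolment.

```python
import hmac
import hashlib
import struct

# Test secret from RFC 6238 Appendix B (SHA-1 variant), used only so the
# output can be checked against the published vectors; real secrets are random.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # each passcode is valid for one 30-second time step
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) computed over the current time step (RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SecondFactor:
    """Hypothetical server-side check of the code entered after the password."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # accept +/- this many steps of clock skew
        self.last_counter = -1      # highest step already consumed (replay guard)

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue            # one-time: a consumed step is never accepted again
            expected = totp(self.secret, counter * STEP_SECONDS)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False
```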
Teach Users Good Password Security Habits
Using a weak password is like using a spaghetti noodle on your front door as a lock. Employees often need guidance to ensure they’re creating strong passwords that are difficult to breach.
Some requirements for strong password security for email accounts and other cloud accounts include:
- Making the password length at least 10 characters
- Using both upper- and lower-case letters
- Using a combination of letters, numbers, and special characters
- Not using anything personal, like a birthdate or dog’s name
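The four requirements above, turned into a checker as an added example (not code from the original post): it reports which rules a candidate password fails, and the “nothing personal” rule is enforced against fragments derived from details the user supplies (name, pet, birthdate), which is an assumption about where such a list would come from.

```python
import re
from datetime import date
from typing import List, Optional, Set

MIN_LENGTH = 10
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def personal_terms(name: str = "", pet: str = "",
                   birthdate: Optional[date] = None) -> Set[str]:
    """Lower-cased fragments of personal data a password must not contain."""
    terms = set()
    for item in (name, pet):
        if item:
            terms.add(item.lower())
            terms.update(item.lower().split())     # each word of a full name
    if birthdate:
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%y", "%Y%m%d"):
            terms.add(birthdate.strftime(fmt))      # common date spellings
    return {t for t in terms if len(t) >= 3}        # skip initials and the like


def check_password(password: str, personal: Set[str]) -> List[str]:
    """Return the names of the rules the password fails (empty list = OK)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        failures.append("mixed_case")
    if not (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and SPECIAL.search(password)):
        failures.append("letters_digits_special")
    lowered = password.lower()
    if any(term in lowered for term in personal):
        failures.append("personal")
    return failures
```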
How passwords are stored and transmitted is also important. For example, passwords should never be sent via an unencrypted email or message.
Employees also should not store passwords in unprotected Word or Excel documents or their contacts application. One of the best places to securely store passwords is in a password management app.
Get Help With Effective Password Management Solutions
Connect2Geek can help your Treasure Valley area business with access management solutions that keep your email accounts secure and are convenient for your users.
Schedule your free consultation to learn more today! Call 208-468-4323 or reach out online.