But is saying goodbye to passwords the right path for you today?
by Mackenzie Fribance
What data is the main target of attackers? What fetches the most money on the dark web? What is the weakest link in cybersecurity for your organization?
Passwords – and more precisely, Active Directory passwords!
According to a study by Exabeam, 95% of organizations use Active Directory. It serves a core function of managing usernames, passwords, and provisioning for a range of corporate systems like Windows desktops, servers, e-mail, shared folders, SharePoint, and applications. If your company is using Windows and you use a password to access your computer, the time to fortify passwords is now. Dreaming of the passwordless future is no excuse for failing to fortify the passwords your organization is using today.
People are creatures of habit. Password reuse and other common password practices have proven that corporate passwords are a high risk for any organization. Why? Because people prefer convenience over security. And hackers have become adept at exploiting predictable human behavior to access corporate networks. The struggle for most organizations is finding a cost-effective way to improve password security without negatively impacting the user experience.
We may not think of credentials as the greatest threat. In the news, we see headlines about malware and ransomware attacks that paralyze organizations and demand large sums of money. The common thread, however, is that weak or stolen credentials are usually at the root of the attack. For years, the annual Verizon DBIR, one of the most thorough evaluations of data breaches published each year, has consistently reported that over 80% of data breaches involve attackers accessing corporate systems with compromised passwords.
Kaspersky made it plain and simple in their assessment:
“The vast majority of data breaches are caused by stolen or weak credentials. If malicious criminals have your username and password combination, they have an open door into your network.”
So, we need to close that door and use a better lock. But how?
Some people are trying to sell you on eliminating the password. They suggest that will solve all your identity problems. But what they propose is a long and difficult implementation. It takes time, training, and money. These solutions make claims of reduced friction but ultimately, they come with a new set of processes, limitations, and frustrations for users. And these solutions require everyone involved to make substantial changes in behavior and processes.
Device- and token-based authenticators are no silver bullet in identity and access management. Is throwing more solutions at the problem, and increasing your reliance on “stuff” that will not solve it for good, the right thing to do? We have learned from Roger Grimes and others at KnowBe4 that many of these solutions are susceptible to attacks too.
These solutions are insufficient. Doing nothing is negligent. Active Directory does not have any built-in functionality to identify password reuse or breached passwords. Good password policies, as administered by a Group Policy Object (GPO) in Active Directory, can help, but these policies are also frequently misunderstood. Many companies are still enforcing frequent password changes even though NIST, Microsoft and others have shown that this type of password rotation has contributed to the problem of weak passwords.
There are so many voices and competing products in the market, frequently contradicting one another, that it can be hard to figure out the right path. Do not become enamored by the so-called passwordless future. Its arrival has been prematurely announced before. Companies have made substantial expenditures in their current stack, and there is a real need to maximize the ROI on past IT investments.

Furthermore, employee productivity and the user experience are important considerations for any organization. Lengthy implementations and training programs for IT administrators, IT support, HR, and employees are major considerations. IT staff are typically stretched to the max, and better solutions that do not absorb already thin resources are needed. HR leaders are continually challenged to support their organizations' achievement of a high level of employee engagement. They will argue that many security technologies come with cumbersome processes that undermine employee satisfaction because they negatively impact users. Employee frustration leads to lower productivity, wasted time and disengagement – all ultimately contributing to reduced revenue and profits. And all along that implementation path, friction will grow within an organization as IT tells employees they are the weakest link in the fight against cybercrime.
The weakest link is NOT employees; it is the failure to fortify passwords before they reach Active Directory. This failure is especially stark when, for less than a dime a day, organizations can fortify passwords without making any changes whatsoever to the login process used by employees. Password fortification can be achieved passively, meaning there is zero training required. In fact, the unique behavior of each employee, when combined with their password, becomes a source of cyber resilience and strength. Companies that harness the unique typing behavior of their employees to gate or spot potentially nefarious login attempts are stopping potential hacking threats every day. They are ingesting behavioral authentication logs into security and risk systems to alert when credentials have been breached and to automate IT security actions within their existing policies.
Implementation is as easy as pushing out a Windows update that runs in the background and is invisible to users. There is no user training required. And behaviorally fortified passwords deliver ongoing management and operations benefits too. With behaviorally fortified passwords, companies of all sizes are eliminating arbitrary password changes and reducing IT help desk support costs associated with lockouts and password resets, while delighting their users with the absence of this outdated ritual.
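To make the idea of a behaviorally fortified password concrete, the following is an added illustration, not TickStream's code or any description of how that product works. It assumes a hypothetical design in which the inter-key timing of a user typing a fixed-length password is recorded at enrollment, a per-user profile of mean and spread for each interval is built, and each later login attempt is scored by how far its timings deviate from that profile. Attempts that fall outside a threshold are flagged and emitted as a JSON log line of the kind a security or risk system could ingest for alerting. All timing samples are constructed for the example.

```python
"""Toy keystroke-dynamics check for a password login (illustration only).

Assumed model (not TickStream's): a password of fixed length yields a fixed
number of inter-key intervals in milliseconds. Enrollment samples build a
per-interval mean and standard deviation; a login attempt is scored by the
mean absolute z-score of its intervals against that profile.
"""
import json
from statistics import mean, pstdev

# Constructed enrollment data: four typings of the same 8-character password
# by the legitimate user, each giving seven inter-key intervals in ms.
ENROLLMENT = [
    [120, 95, 140, 110, 88, 130, 100],
    [118, 98, 135, 115, 90, 128, 104],
    [125, 92, 142, 108, 86, 133, 98],
    [122, 96, 138, 112, 91, 129, 102],
]

# Score above which an attempt is flagged; a tunable assumption.
THRESHOLD = 2.0


def build_profile(samples):
    """Return (means, stds) per interval position across enrollment samples.

    The standard deviation is floored at 1 ms so an interval the user types
    with perfectly consistent timing cannot divide by zero or make any
    tiny deviation look enormous.
    """
    n = len(samples[0])
    means = [mean(s[i] for s in samples) for i in range(n)]
    stds = [max(pstdev([s[i] for s in samples]), 1.0) for i in range(n)]
    return means, stds


def score_attempt(profile, attempt):
    """Mean absolute z-score of the attempt's intervals against the profile."""
    means, stds = profile
    if len(attempt) != len(means):
        raise ValueError("attempt has a different number of intervals than profile")
    return mean(abs(a - m) / s for a, m, s in zip(attempt, means, stds))


def classify(profile, attempt, threshold=THRESHOLD):
    """'match' when typing rhythm resembles enrollment, otherwise 'anomalous'."""
    return "match" if score_attempt(profile, attempt) <= threshold else "anomalous"


def evaluate_login(user, profile, attempt, threshold=THRESHOLD):
    """Score one attempt and return the decision plus a JSON log line.

    The log line is the kind of record a SIEM or risk engine could ingest to
    alert on a correct password typed with an unfamiliar rhythm.
    """
    score = round(score_attempt(profile, attempt), 3)
    decision = classify(profile, attempt, threshold)
    event = {
        "event": "behavioral_password_check",
        "user": user,
        "score": score,
        "threshold": threshold,
        "decision": decision,
    }
    return decision, json.dumps(event, sort_keys=True)


PROFILE = build_profile(ENROLLMENT)

if __name__ == "__main__":
    # Constructed attempts: the user's own rhythm, a slow unfamiliar typist,
    # and a near-instant entry consistent with a password being pasted.
    for label, attempt in [
        ("legitimate", [121, 94, 139, 111, 89, 131, 101]),
        ("slow-unfamiliar", [250, 250, 250, 250, 250, 250, 250]),
        ("pasted", [5, 5, 5, 5, 5, 5, 5]),
    ]:
        decision, log_line = evaluate_login("jdoe", PROFILE, attempt)
        print(f"{label:16s} -> {decision}: {log_line}")
```

The design choice worth noting is that the password itself is never part of the decision: the check runs alongside normal credential validation and only adds a signal about how the secret was entered, which is why it can be deployed without changing the login prompt users already see.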
Using TickStream behavioral password fortification gives you quick visibility into stolen, misused, shared, or breached passwords and slashes your risk from cybercriminals intent on planting malware or ransomware, or on mining company secrets.
Learn more about TickStream for Windows here.