Password Reuse Poses a Danger to Businesses

Updated 7/11/2018 Over the past few years, companies across all industries have been pounded by data breaches. And although we are only part way through the year, we can safely say that it will be another unprecedented year when it comes to data breaches.

The reality of data breach fatigue

Even as the list of catastrophic data breaches grows, and the numbers of people affected climbs closer to the billions, consumers and businesses alike have hit new levels of “data breach fatigue”. Seeing breach after breach in the news has left us struggling with a sense of weariness and futility. Until a security disaster strikes you or your business, it can be hard to truly appreciate the ramifications of each of these breaches. And with so many breaches happening, it quickly becomes a lot of noise with no added meaning. Nothing bad has happened - yet - so it's far easier to shrug your shoulders, maybe change your password for the affected account, and move on. Unfortunately, that’s no longer enough. When these massive lists of usernames and passwords are leaked on the web, it’s fuel for attackers to hack into other things. They’re looking for the “low-hanging fruit”. And the easiest wins are those of us who fail to use a different password for every account online. All the attackers have to do is try logging in to other websites with the same usernames and passwords they grabbed in the data breach. Because so many people still reuse passwords, it isn’t long before they will hit a match. They’re after accounts for Netflix, Hulu, Amazon, email, banking, medical records. Then they can turn around and sell whatever they’ve found: a credit card number, or an active Netflix account, or even an identity.

The hidden dangers of password reuse

You may be wondering: What does this have to do with my business? At the risk of sounding hyperbolic, it could mean the difference between saving or losing your business. The danger here is that passwords are the first, and in some cases the only, line of defense that businesses have in protecting themselves from attacks. As employees, managers, and business owners, we don’t leave our bad password practices at the door when we go to work. Our poor password security flows into the workplace, too. It’s easier to remember a few passwords rather than fifty, so we use the same passwords at work that we use at home, or use one password at work across all of our tools and services. And even more alarming, a recent survey that LastPass conducted found that more than a third of people create more secure passwords for their personal accounts than their work accounts. So when a seemingly-irrelevant password from a data breach of Yahoo, or MySpace, or LinkedIn, is leaked onto the web, attackers know that many people use those same passwords at work. This is exactly what happened to Dropbox. An employee used the same password on LinkedIn as they did at work to access Dropbox’s corporate network. After the LinkedIn data breach in 2012, hackers were able to use the Dropbox employee’s password to infiltrate the network and eventually steal 60 million Dropbox credentials. One reused password was all it took to jeopardize millions of customer accounts. Now if you’re Dropbox or Yahoo, your business can likely weather the storm and recover. But for the average SMB, a data breach can cause irreparable damage. One study found that as many as 60% of hacked SMBs go out of business within 6 months of the data breach. The loss of income can be significant, particularly without data breach insurance, and the impact on brand reputation can be insurmountable.

Finding a solution that works

Clearly, continuing with the status quo is too risky. And while educating employees about good cyber security and password practices is certainly important, it's not enough. Given the number and scale of the breaches we've seen, businesses need to go back to basics:

1. Change every password. Yes, every one. Unless you have a system in place to accurately measure employee password behavior, you can't guarantee that their passwords are good enough, and that they haven't been affected by data breaches due to password reuse. At this point, it's safer to have a fresh start and change every password for every computer, router, vendor account, server, cloud app - anything you and your employees connect to in the office.
2. Implement a password manager. When left to their own devices, employees will do what comes easiest, and that means less-than-ideal passwords. It's not their fault though that they just want to get into things with minimal interruption to their work. That's where a password manager can help, by enabling them to use a different password for all accounts, without changing their workflow, and with ultimate oversight by the business. Everyone wins.
3. Turn on multi-factor authentication. Multi-factor authentication adds a second layer of security by requiring another piece of information before access is granted. It is key to add two-factor authentication to any service that supports it, whether an internal system or third party app. This strengthens your defenses, so that an attacker will be stopped even if they steal a password. More details on the value of MFA and how to enable it here. 

By taking these basic steps, your business will no longer be an easy target, and attackers are more likely to move on to other, easier victims. Though strong password security is only one piece of a cyber security strategy, it's a piece that is all too often ignored. With strong password security in place, you can feel confident that your business is more prepared and protected going forward.