Grant Patten, Digital Media & UX Specialist | BC Broker, April 2017
63% of confirmed data breaches involved weak, stolen or commonly used default passwords, according to Verizon’s 2016 Data Breach Investigations Report. Establishing password security guidelines should be one of the first steps that brokerages undertake in developing their cybersecurity strategy. By doing so, brokerages could immediately benefit from increased protection against more than half of attempted data breaches. In fact, an IBABC member was once hacked because of poor “password hygiene,” proving that even technologically advanced brokerages are susceptible to cyber risks, especially ones that are human-controlled – such as passwords.
Password strength & storage
For any brokerage, a sound password protection and management program should consist of rules and policies governing how passwords are created, stored and changed in order to ensure that they remain a secure and reliable means of authenticating identity and controlling access. A security risk occurs when brokerages are not diligent about enforcing the use of sufficiently strong passwords for access to their business systems, increasing their vulnerability to security breaches by potential hackers.
The well-publicized cyber attack on Ashley Madison in 2015 is just one example of the damage that can be caused by weak passwords. More than 11.2 million of the hacked passwords in this incident were common and overly simplistic, such as “123456”, “password”, “DEFAULT”, and “qwerty”. In contrast, roughly 3.7 million Ashley Madison accounts remained secure, likely because they had strong passwords or passphrases with long strings of upper- and lower-case letters, numbers and symbols.
Brokers should consider implementing a company-wide practice to require a unique, strong password for each user of each system. A common objection to this type of policy is that such strong passwords are difficult to create and remember, and some employees resort to writing such passwords on a Post-It note stuck to their monitor, undermining the very security the password was meant to provide. There is a better solution, which is to create a unique, memorable passphrase (e.g., “MyPassw0rdIsStrong!” or “ThisIsaStrongPassword”) instead of random letters, symbols and numbers. This type of passphrase tends to be harder to crack than passwords and is much easier to remember.
For a quick way to gauge the strength of a password pattern, enter it in the website www.howsecureismypassword.net. This password assessment tool – developed by an independent IT security analyst – tells you that a password such as “1234” would be cracked instantly by any novice hacker. On the other hand, a passphrase such as the aforementioned “ThisIsaStrongPassword” would take a computer 861 quadrillion years to crack. As with any third-party site, test a password of similar structure rather than one you actually use.
Standard user accounts should require a password length of at least 8 characters, while administrative accounts with more access to the system should require at least 14 characters. Also note that passwords should never be shared among users.
What are best practices regarding password storage? Password management software can be useful for tracking usernames and passwords to multiple accounts, but one must follow best practices in the use of such software. For example, this software often uses a master password, which must be particularly strong and should be changed on a regular basis. Industry leaders in the password management software space include Dashlane, LastPass, Zoho Vault and RoboForm.
Especially while traveling on business, it is sometimes tempting for employees to connect to public Wi-Fi hotspots. But entering password credentials into any website while using public Wi-Fi can result in that password being intercepted.
A study by Kaspersky Lab in 2016 found that out of more than 31 million Wi-Fi hotspots around the world, 28% are unsecured and pose a risk to users’ data. If your staff engages in business travel often, consider investing in a Virtual Private Network (VPN), which would provide a layer of encryption to prevent theft of password credentials when using Wi-Fi.
How often should passwords be changed? Common practice holds that standard user account passwords expire after 90 days, while administrative account passwords expire after 60 days. Here are some best practices regarding password management:
• Change default account passwords to your own custom passwords
• Do not use the same password across multiple accounts
• Production account passwords must not be used in non-production (testing) environments
• Password fields must display only masked characters (typically appearing as “●●●”) as the user types in their password, where technically feasible
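A small policy checker that implements the length, common-password, reuse, rotation and masking rules from the guidance above, as an added example rather than code from CSIO or any brokerage; the function names and the short sample blocklist are this example's own, and a real deployment would load a full breached-password list.

```python
from __future__ import annotations
from datetime import date, timedelta

# Minimum length and rotation period per account type, as stated in the article.
POLICY = {
    "standard": {"min_length": 8, "max_age_days": 90},
    "admin": {"min_length": 14, "max_age_days": 60},
}

# Constructed blocklist: the weak passwords the article cites plus a vendor
# default; a real deployment would load a full breached-password list.
COMMON_PASSWORDS = {"1234", "123456", "password", "default", "qwerty", "admin"}

CHARACTER_CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())


def check_password(password: str, account_type: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = passes)."""
    rules = POLICY[account_type]
    problems = []
    if len(password) < rules["min_length"]:
        problems.append(f"shorter than {rules['min_length']} characters")
    # Case-insensitive so that "DEFAULT" and "Password" are also rejected.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common or default password")
    # Passphrases like "ThisIsaStrongPassword" pass: mixed case counts as two classes.
    classes = sum(any(test(c) for c in password) for test in CHARACTER_CLASSES)
    if classes < 2:
        problems.append("uses only one character class")
    return problems


def find_reused(credentials: dict[str, str]) -> set[str]:
    """Passwords that appear under more than one account name (policy: none allowed)."""
    seen, reused = set(), set()
    for pw in credentials.values():
        (reused if pw in seen else seen).add(pw)
    return reused


def is_expired(last_changed: date, account_type: str, today: date) -> bool:
    """True once the password is older than the rotation period for its account type."""
    return today - last_changed > timedelta(days=POLICY[account_type]["max_age_days"])


def mask(password: str) -> str:
    """What a password field should display while the user types: one dot per character."""
    return "\u25cf" * len(password)
```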
Brokers should also be aware that they do not have to rely on passwords as the sole barrier to entry into their computer systems. Many systems, such as Twitter, use two-factor authentication (2FA), which adds an extra step to the basic login procedure. Twitter’s 2FA verifies logins by sending an SMS text with a code to the user’s phone, requiring both the code and their password to log in. Google Authenticator is a free app for iOS (Apple) and Android that can be used with Google accounts and other websites to provide this type of 2FA. Biometrics for 2FA, such as a fingerprint or voiceprint, are also becoming more common. The minor inconvenience of following an extra step in the login process is more than offset by the security advantages of 2FA.
“Our brokerage has a cybersecurity policy in place for employees; we have specific policies regarding email and web browser usage. One of the key initiatives we’ve undertaken for cybersecurity is to implement regular updating of passwords and standards around password strength,” said James Archer, President, Knight Archer Insurance, in a 2016 video interview with CSIO. Brokerages in all provinces would be well advised to do the same as Knight Archer by incorporating procedures requiring good password hygiene directly into their official brokerage cybersecurity policy.
CSIO’s intention is to raise awareness around the topic of cybersecurity rather than to make specific recommendations, and brokerages are encouraged to seek the expertise of security experts to assist in the development and implementation of their cybersecurity policy. There are, of course, more aspects to cybersecurity than just password security and CSIO.com contains a variety of useful, free infosheets on other subjects, including ransomware and social engineering. Create an account on CSIO.com to stay informed of the latest tools and resources from CSIO.