Your business’s cybersecurity could be haunted by ghosts of the past that put you at risk in surprising ways.
Even if you’re doing all the right things to keep your business digitally safe today, poor security hygiene from years back could still threaten your digital security if you haven’t made certain specific changes.
The Threat: Old, Stale Passwords with Weak Authentication
Let me paint you a picture: there’s a business about your size that seems to be doing everything right.
New employees are required to create long, complex passwords managed by a business-grade password manager.
All employees receive regular training on scam and phishing awareness.
Every system is kept up to date with the latest security updates across software and operating systems.
But they still fall victim to a cyberattack.
How did the bad guys get in? Well, it wasn’t through a new employee with a weak password or poor training. It was through an account belonging to a long-time employee (or maybe even a former employee who hasn’t been with the company for years).
That account wasn’t in active use, and chances are the account holder had forgotten about it. But there it sat, protected by an easily guessed password (or a username and password combination that had already been stolen and was available on the dark web).
Old Policies, Current Problems
This isn’t a hypothetical example. A recent cybersecurity investigation found large-scale data theft that happened in almost exactly the same way: the attackers got in through old, insecure accounts that required nothing beyond a simple username and password and, it seems, never required those passwords to be changed.
Businesses across industries, sizes, and country borders all saw sensitive data sold on the dark web.
So, how did this happen?
The straightforward answer is that old policies are causing current problems.
Four different poor policy choices could allow this to happen:
- Passwords didn’t expire on a timer (e.g., every 90 days), so years-old passwords still worked.
- Old accounts weren’t deleted or disabled when people changed jobs or left the company.
- Access rights weren’t reviewed as people changed roles, so some accounts had more access than they needed.
- None of the affected systems required multi-factor authentication (MFA), so a simple username and password was all it took to get in.
In some cases, businesses had fixed one or more of these elements in the new-hire pipeline. But old accounts and existing employees got grandfathered in under older, more lax policies.
What This Means for You
Now, hopefully those four points don’t sound overwhelmingly familiar. If they do, then it’s crucial to take action as soon as possible.
But even if you’ve already addressed some weak points with your new hires, now is a great time to audit your policies around older accounts. For example:
- Do you revoke access the moment an employee leaves your company? Do you have processes in place to automate this, or does someone have to remember to do it manually every single time? (What would happen if that person left your company?)
- Do you inventory existing access, making sure employees who have changed roles don’t retain access to systems and data they no longer need?
- Do you require all accounts to set a new password at some regular interval (90 days, 180 days, etc.)?
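One way to turn the four policy failures and the audit questions above into a repeatable check, as an added example that is not from the original post: a small Python script that flags departed-but-enabled accounts, expired passwords, dormant accounts, excess access, and missing MFA over a constructed account inventory. The field names, thresholds and the role-to-entitlement map are assumptions, not any particular product's export format.

```python
from datetime import date

# Constructed sample inventory (not real accounts), in the shape a directory
# or identity-provider export might take after a little normalisation.
TODAY = date(2024, 6, 1)
MAX_PASSWORD_AGE_DAYS = 90   # rotation interval discussed above
DORMANT_AFTER_DAYS = 180     # no sign-in for this long counts as stale

# Hypothetical role -> permitted entitlements, as an access review would define them.
ROLE_ENTITLEMENTS = {"sales": {"crm"}, "finance": {"crm", "erp"}}

ACCOUNTS = [
    {"user": "new.hire", "employed": True, "enabled": True, "role": "sales",
     "entitlements": {"crm"}, "pw_set": date(2024, 5, 1),
     "last_login": date(2024, 5, 30), "mfa": True},
    # Moved from finance to sales but kept the ERP entitlement; never enrolled in MFA.
    {"user": "old.timer", "employed": True, "enabled": True, "role": "sales",
     "entitlements": {"crm", "erp"}, "pw_set": date(2021, 3, 15),
     "last_login": date(2023, 9, 1), "mfa": False},
    # Left the company, account never disabled, never signed in since the export began.
    {"user": "departed", "employed": False, "enabled": True, "role": "finance",
     "entitlements": {"crm", "erp"}, "pw_set": date(2022, 1, 10),
     "last_login": None, "mfa": False},
]


def audit_account(acct, today=TODAY):
    """Return the list of policy findings for one account (empty if clean)."""
    findings = []
    if acct["enabled"] and not acct["employed"]:
        findings.append("enabled-after-departure")
    if (today - acct["pw_set"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-expired")
    # A missing last_login means the account has never been used: treat as dormant.
    if acct["last_login"] is None or (today - acct["last_login"]).days > DORMANT_AFTER_DAYS:
        findings.append("dormant")
    extra = acct["entitlements"] - ROLE_ENTITLEMENTS.get(acct["role"], set())
    if extra:
        findings.append("excess-access:" + ",".join(sorted(extra)))
    if not acct["mfa"]:
        findings.append("no-mfa")
    return findings


def audit(accounts, today=TODAY):
    """Map each account with at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS).items():
        print(user, "->", ", ".join(findings))
```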
If all of this sounds like a challenge to set up on your own, we can help. Reach out anytime to schedule a consultation.
MFA Remains an Easy, Powerful Deterrent
The agonizing part about all of this is how comparatively easy the problem is to solve. By requiring some form of MFA for every cloud account, businesses can render stolen or old usernames and passwords nearly irrelevant. With MFA, attackers need another form of authentication (like a fingerprint or a randomly generated code) before they can access an account, and those factors are far more difficult to obtain, steal, or guess than a password alone.
If your business accounts still rely on a username and password alone, you’re at risk — and we can help you mitigate that risk. Schedule a 30-minute call to get started.