
If your customers or business partners use passwords to access your website or systems, they may be putting your business (or their money) at risk unless you make multifactor authentication mandatory.
Re-use of the same password across different businesses and platforms is rampant, and it plays directly into cyber criminals' hands.
Passwords exposed in old breaches are collected into lists and replayed by automated tools against other businesses' login pages, on the assumption that some users have used the same password elsewhere. The attacker does not need to guess anything: one already-compromised password that still works is enough. This is called 'credential stuffing'. It is distinct from a 'brute force' attack, which tries many passwords against one account, and it needs no artificial intelligence, only off-the-shelf automation.
How password re-use and credential stuffing are exploited in a cyber attack
Credential stuffing was reported as the most likely technique used in the Australian superannuation funds breach [1], enabling the theft of hundreds of thousands of dollars. Armed with credentials that were likely bought on the dark web, the attackers used automated systems to try to log into the funds' websites. All they needed was for a single password to work.
Once logged in, they changed personal details on numerous accounts, in particular mobile phone numbers, which are used to verify online transactions via SMS codes. Whoever controls the registered phone number controls that second factor.
The attacks occurred in the middle of the night, when members were unlikely to respond to an email asking them to confirm the change. In many cases, if the recipient ignored the email, the systems apparently defaulted to accepting the updated details: a fail-open design in which silence is treated as consent.
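The fail-open behaviour described above, shown next to a fail-closed version, as an added example for this article. It is not code from any superannuation fund or from Gallagher; the data model, the 24-hour confirmation window and the function names are assumptions made for illustration.

```python
"""Pending contact-detail changes: the fail-open flow the article describes,
next to a fail-closed version.

Added example for this article; not code from any super fund or from Gallagher.
The data model, the 24-hour confirmation window and the function names are
assumptions made for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CONFIRM_WINDOW_SECS = 24 * 3600   # assumed lifetime of the emailed confirmation link


@dataclass
class PendingChange:
    field_name: str      # e.g. "mobile"
    new_value: str
    token: str           # secret sent in the confirmation email
    requested_at: float  # unix time


@dataclass
class Account:
    username: str
    mobile: str
    pending: Optional[PendingChange] = None
    audit: list = field(default_factory=list)


def request_change(acct, field_name, new_value, now):
    """Stage a change and return the token that would be emailed to the member.

    Nothing on the account is modified here. The caller should also re-challenge
    the user with MFA and notify the OLD contact details before getting this far.
    """
    token = secrets.token_urlsafe(32)
    acct.pending = PendingChange(field_name, new_value, token, now)
    acct.audit.append(("requested", field_name, new_value, now))
    return token


def confirm_change(acct, token, now):
    """Apply the staged change only on an explicit, in-window, correct confirmation."""
    p = acct.pending
    if p is None or now - p.requested_at > CONFIRM_WINDOW_SECS:
        return False
    if not hmac.compare_digest(p.token, token):   # constant-time token comparison
        return False
    setattr(acct, p.field_name, p.new_value)
    acct.pending = None
    acct.audit.append(("applied", p.field_name, p.new_value, now))
    return True


def expire_fail_open(acct, now):
    """The behaviour the article reports: an unanswered request is applied anyway.

    An attacker who requests the change at 3 a.m. only has to wait for the
    window to lapse. Shown for contrast, not as something to deploy.
    """
    p = acct.pending
    if p is None or now - p.requested_at <= CONFIRM_WINDOW_SECS:
        return False
    setattr(acct, p.field_name, p.new_value)
    acct.pending = None
    acct.audit.append(("applied-on-timeout", p.field_name, p.new_value, now))
    return True


def expire_fail_closed(acct, now):
    """Hardened: an unanswered request is discarded and the account is unchanged."""
    p = acct.pending
    if p is None or now - p.requested_at <= CONFIRM_WINDOW_SECS:
        return False
    acct.pending = None
    acct.audit.append(("discarded-on-timeout", p.field_name, p.new_value, now))
    return True


if __name__ == "__main__":
    victim = Account("erin", "+61400000001")
    request_change(victim, "mobile", "+61400999999", now=0.0)
    expire_fail_open(victim, now=90000.0)      # attacker's number is now on file
    print("fail-open result:", victim.mobile)
    victim = Account("erin", "+61400000001")
    request_change(victim, "mobile", "+61400999999", now=0.0)
    expire_fail_closed(victim, now=90000.0)    # nothing changes without a click
    print("fail-closed result:", victim.mobile)
```

The only difference between the two expiry functions is what happens when nobody clicks: the hardened version discards the request and logs it, so an overnight request against a sleeping member achieves nothing. Sending the notification to the old phone number and email as well as the new ones, and requiring a fresh MFA challenge before the change can even be staged, close the remaining gaps.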
This highlights the critical importance of unique passwords and multifactor authentication, and shows that an SMS second factor is only as strong as the process that allows the phone number to be changed. Leaked credentials commonly originate on business sites with weak security that collect usernames and passwords for loyalty programs, email newsletters or competitions. When customers reuse the same credentials, a single breach of one such site can open the door to many others.
Given the extent of media coverage of the super fund breaches, funds had to deal with customer panic as members feared for their account balances and faced considerable financial worry. The publicity demonstrated the reputational impact on brand trust when a large-scale cyber breach occurs.
How businesses can better protect themselves against cyber breaches: 4 steps
Businesses can strengthen their cyber security, for the business and for their clients/customers, with these 4 key steps.
- Make multifactor authentication mandatory for staff, clients/customers or members, with no exceptions, and prefer authenticator apps or hardware keys over SMS codes, which are defeated once an attacker can change the registered phone number. Treat changes to the contact details used for verification as sensitive operations: require a fresh MFA challenge, notify the old contact details, and never apply a change that was not explicitly confirmed. The investment in time, cost and communications is small compared with the impact of a breach.
- Ensure alerts are in place for abnormal logins from unusual internet addresses, locations or devices, and especially for many failed attempts across many different accounts from one source, which is the signature of credential stuffing. Investigate them immediately and block sources that look suspicious.
- Stop automated attacks before they start. Implement CAPTCHA on login, check source IP addresses for legitimacy (known proxy, VPN or hosting ranges), and use rate limiting to slow or block repeated attempts from the same source. Screening new passwords against lists of known-breached passwords removes the reused credentials that stuffing relies on.
- Invest in cyber insurance. The coverage offered by Gallagher provides protection for a broad range of possible losses and also provides technical support for restoring your data and systems.
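The attack pattern described earlier (one leaked password tried against many accounts from one source) and the alerting and rate-limiting steps above, as an added example for this article. This is not Gallagher's code nor any product's; the log format, field names and thresholds are assumptions, and the sample log is constructed, not taken from a real system.

```python
"""Credential-stuffing detection over login logs, plus per-source rate limiting.

Added example for this article; it is not Gallagher's code nor any product's.
The log format, field names and thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). Source 203.0.113.5 tries one
# password against ten different accounts in ten seconds and gets one hit, the
# signature of credential stuffing. 198.51.100.7 is a member mistyping once.
SAMPLE_LOG = """\
2025-04-03T02:14:01Z ip=203.0.113.5 user=alice result=fail
2025-04-03T02:14:02Z ip=203.0.113.5 user=bob result=fail
2025-04-03T02:14:03Z ip=203.0.113.5 user=carol result=fail
2025-04-03T02:14:04Z ip=203.0.113.5 user=dave result=fail
2025-04-03T02:14:05Z ip=203.0.113.5 user=erin result=success
2025-04-03T02:14:06Z ip=203.0.113.5 user=frank result=fail
2025-04-03T02:14:07Z ip=203.0.113.5 user=grace result=fail
2025-04-03T02:14:08Z ip=203.0.113.5 user=heidi result=fail
2025-04-03T02:14:09Z ip=203.0.113.5 user=ivan result=fail
2025-04-03T02:14:10Z ip=203.0.113.5 user=judy result=fail
2025-04-03T09:05:11Z ip=198.51.100.7 user=erin result=fail
2025-04-03T09:05:20Z ip=198.51.100.7 user=erin result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse(log):
    """Turn log text into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.7):
    """Flag sources that hit many distinct accounts with mostly failures inside `window`.

    Brute force hammers one account with many passwords; credential stuffing
    tries one leaked password per account across many accounts, so the tell is
    many distinct usernames from one source, not many attempts on one user.
    Returns {ip: summary}, including which accounts the source got into.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding window over this source's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hits[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    "failures": sum(1 for e in evs if e[3] == "fail"),
                    # successes from a stuffing source are the accounts to lock and notify
                    "compromised": sorted(e[2] for e in evs if e[3] == "success"),
                }
                break
    return hits


class RateLimiter:
    """Fixed-window counter: allow at most `limit` login attempts per source per `window`."""

    def __init__(self, limit=5, window=timedelta(minutes=1)):
        self.limit, self.window = limit, window
        self.buckets = {}  # ip -> (window_start, count)

    def allow(self, ip, now):
        start, count = self.buckets.get(ip, (now, 0))
        if now - start >= self.window:   # window rolled over: start counting afresh
            start, count = now, 0
        count += 1
        self.buckets[ip] = (start, count)
        return count <= self.limit


def replay_with_limit(events, limiter):
    """Replay the log through the limiter; returns (ip, user, allowed) per attempt."""
    return [(ip, user, limiter.allow(ip, ts)) for ts, ip, user, _ in sorted(events)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, summary in detect_stuffing(evs).items():
        print(f"ALERT credential stuffing from {ip}: {summary}")
    blocked = [u for ip, u, ok in replay_with_limit(evs, RateLimiter()) if not ok]
    print("attempts blocked by rate limit:", blocked)
```

On the constructed log the detector flags 203.0.113.5 and names erin as the account it got into, which is the alert to act on: lock or step-up that account, check for contact-detail changes, and notify the member. With the default limit of 5 attempts per minute, the rate limiter would have blocked the last five attempts from that source. The thresholds are starting points only; a corporate NAT or mobile carrier gateway legitimately presents many users behind one address, so production detection should also key on device fingerprint, ASN and the failure ratio rather than the address alone.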
What are the protections cyber insurance coverage provides?
Cyber insurance policies vary between insurers, but the key features typically include the coverage below, subject to individual circumstances.
- 24/7 breach support
- Revenue loss during systems outage
- Data and software recovery
- Hardware replacement
- Betterment costs
- Cyber crime
- Social engineering
- Fines and legal costs from privacy breaches
- Security and privacy liability
- Multimedia liability
How Gallagher can help
In addition to arranging cyber insurance protection, Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.