Critical Security Policies You Should Enforce

Password managers

Most users cannot remember complex or multiple passwords. As a result, most people use weak passwords and reuse that weak password across multiple accounts. If one account is compromised, this can easily lead to the compromise of every online account that shares the password. By using a password manager such as KeePass, users can have strong, complex, unique passwords generated and stored for them.

MFA is not an option, it is a requirement

Passwords should be complex, but we all know that isn’t the case most of the time. Using purpose-built tools, most passwords can be cracked in less than a day. MFA adds an additional layer of security to your accounts by introducing a second factor, “what you have”: your password is “what you know”, and your mobile device running an authenticator app such as Authy is “what you have”. If your password were compromised but MFA is enabled on the account, the account should still be safe. The extra few seconds it takes to log in is worth your account and privacy.

Separation of Duties

Employees with access to financial and business-critical functions are primary targets in phishing campaigns. The attacker’s goal is to find an employee in finance who can create, authorize, and distribute checks on their own. By implementing Separation of Duties, you ensure that no single employee can complete every step of a sensitive task.

Role Based & Least Privilege Access

Another way to lessen your chances of complete compromise is to implement Least Privilege Access (LPA) and Role-Based Access Control (RBAC). With RBAC and LPA in place, you gain confidence that if a user is compromised, any data above their access level remains protected. Implementing these two access control methods also simplifies account creation. With defined roles you can limit permission creep and ensure your employees or users only access what is meant for them. This lowers an attacker’s ability to pivot from a compromised account and can also reduce the impact of insider threats.
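The two controls above (Separation of Duties for the check workflow, and RBAC with least privilege) can be enforced together in code. The following is an added illustration, not code from the original post; the role names, permission names and the create/authorize/distribute workflow are assumed for the example.

```python
"""Toy policy engine enforcing RBAC, least privilege and Separation of Duties
for a check-issuing workflow. All roles, users and permissions are constructed."""
from dataclasses import dataclass, field

# Least privilege: each role gets only the permissions its job needs.
ROLE_PERMISSIONS = {
    "ap_clerk": {"check:create"},
    "ap_manager": {"check:authorize"},
    "treasury": {"check:distribute"},
    "auditor": {"check:read"},
}

# Constructed user population; "dave" has accumulated two roles over time.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"treasury"},
    "dave": {"ap_clerk", "ap_manager"},
}

# Separation of Duties: permission pairs one user may never exercise on the same check.
SOD_CONFLICTS = {
    frozenset({"check:create", "check:authorize"}),
    frozenset({"check:authorize", "check:distribute"}),
    frozenset({"check:create", "check:distribute"}),
}

WORKFLOW = ["check:create", "check:authorize", "check:distribute"]


@dataclass
class Check:
    amount: int
    actions: dict = field(default_factory=dict)  # permission -> user who performed it


def has_permission(user, perm):
    """RBAC lookup: a user holds a permission only through one of their roles."""
    return any(perm in ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set()))


def perform(check, user, perm):
    """Attempt a workflow step; returns (ok, reason). Checks RBAC, step order, then SoD."""
    if not has_permission(user, perm):
        return False, "rbac: missing permission"
    step = WORKFLOW.index(perm)
    if step > 0 and WORKFLOW[step - 1] not in check.actions:
        return False, "workflow: previous step not done"
    if perm in check.actions:
        return False, "workflow: step already done"
    for done_perm, done_user in check.actions.items():
        if done_user == user and frozenset({done_perm, perm}) in SOD_CONFLICTS:
            return False, "sod: same user already performed a conflicting step"
    check.actions[perm] = user
    return True, "ok"


def sod_violations():
    """Static review: users whose combined roles grant a conflicting permission pair."""
    found = []
    for user, roles in USER_ROLES.items():
        perms = {p for r in roles for p in ROLE_PERMISSIONS[r]}
        for conflict in SOD_CONFLICTS:
            if conflict <= perms:
                found.append((user, tuple(sorted(conflict))))
    return sorted(found)
```

Running `sod_violations()` periodically against the real role assignments is how the permission creep described above gets caught before it is abused.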

The best kind of security is security that is understood and practiced by all. Take the time to develop well-thought-out, user-friendly Security Awareness Training (SAT) programs. Don’t be afraid to involve your marketing team either. It’s no secret that IT professionals aren’t exactly the best “people” people. Work with your marketing team to gather the relevant information and present it in a format that is friendly and easy for everyone to understand. The weakest link in your security posture will always be your users. No matter how much we train them, someone will always click the phishing link or fall for the social engineering attempt. That’s just the reality. But that doesn’t mean you shouldn’t take every step you can to educate your users and help them help you.
