Your Small Business is NOT Too Small to be Hacked: Password Security Best Practices
Don’t think a cyber hack could happen to your small business? Well, think again!
STATISTIC: According to Statistics Canada, 19% of businesses with 10 to 49 employees, and 28% of those with 50 to 249 employees, reported being impacted by a cybersecurity incident that affected operations.
…and for smaller businesses, the fallout from a data breach can be devastating.
Establishing password security guidelines should be one of the first steps a small business takes in developing its cybersecurity strategy. Weak, reused or stolen credentials are one of the most common ways attackers gain their initial foothold, so a sound password policy backed by two-factor authentication closes off a large share of the attacks a small business is likely to face.
Even technologically advanced companies are susceptible to cyber risks, especially risks that depend on human behaviour, such as passwords. The real-life examples below of password-related breaches at small businesses show how real this threat is:
Australian photography company – MailChimp account hacked (2018)
An Australian photography company’s MailChimp account was hacked in 2018. The hacker imported a spam list and proceeded to email fake invoices from the commandeered account. It is likely that the company’s email account was “protected” by a weak password and did not have two-factor authentication (2FA) enabled.
The hacker sent hundreds of thousands of fake invoices to over 150,000 email addresses around the world, resulting in an unfortunate and embarrassing situation for this photography business.
Hopefully this company had cyber insurance. If they did, they would be able to cover the cost of a forensic investigation to determine how the hack occurred in the first place.
The Couple & their Real Estate Agent – Hacked (2018)
Also in 2018, a Colorado couple were ready to finalize the purchase of their dream home, and at closing time wired $272K from their bank, following instructions they had received in an email from – they thought – their real estate settlement company.
However, the company’s email had been hacked, and fraudsters had altered the wiring instruction to make off with the hefty sum. Again, it is entirely likely that the company’s email account was “protected” by a weak password and did not have 2FA enabled.
The couple eventually reached a confidential settlement in a lawsuit against their real estate agent, bank and settlement company. With cyber liability insurance, the included third-party liability covers you against lawsuits from others due to a cyber attack on your business.
The Case of the Telco Password Breach (2015)
Although a telecommunications company certainly is not a small business, a 2015 data breach that a Canadian telco experienced affected many small businesses. 22,421 usernames & passwords and numerous valid credit card numbers associated with the telco’s small-business customers were stolen in the breach, with the data posted on a hacking forum.
“Small-business owners often believe breaches only happen to bigger firms,” said John Garner, president of IT firm iMedia Technology. “Small-business owners need to realize that cybercriminals are going up and down the supply chain. Once an attacker steals data from a small or midsize business, the information is often bought and sold on hacking forums and used in larger-scale attacks.”
With cyber risk insurance in place, the included theft & fraud coverage would cover destruction or loss of digital data resulting from a criminal cyber event. In addition, the included third-party liability coverage covers you against lawsuits from others due to a cyber attack on your business.
Password Protection & Management Tips
For any small business, a sound password protection and management program consists of rules and policies governing how passwords are created, stored and changed, so that they remain a secure and reliable means of authenticating identity and controlling access. The risk arises when a company is not diligent about enforcing sufficiently strong passwords on its business systems: accounts protected by weak or reused passwords are the easiest way in for an attacker.
The well-publicized cyber attack on Ashley Madison in 2015 is just one example of the damage that weak passwords cause. Of the more than 11.2 million passwords recovered from the leaked data, a great many were common and overly simplistic, such as “123456”, “password”, “DEFAULT” and “qwerty”. In contrast, roughly 3.7 million Ashley Madison accounts were not cracked, likely because they used strong passwords or passphrases: long strings mixing upper- and lower-case letters, numbers and symbols.
Small businesses should consider implementing a company-wide practice to require a unique, strong password for each user of each system. A common objection to this type of policy is that such strong passwords are difficult to create and remember, and some employees resort to writing such passwords on a Post-It note stuck to their monitor, undermining the very security the password was meant to provide.
There is a better solution, which is to create a unique, memorable passphrase (e.g., “MyPassw0rdIsStrong!” or “ThisIsaStrongPassword”) instead of a short string of random letters, symbols and numbers. What makes a passphrase expensive to crack is its length, so it should be long and built from words an attacker would not guess belong together; a single dictionary word with predictable substitutions (“P@ssw0rd”) is tried early by cracking tools and gains almost nothing. A good passphrase is both harder to crack than a short password and much easier to remember.
Standard user accounts should require a password length of at least 8 characters (the minimum NIST SP 800-63B sets for user-chosen passwords), while administration accounts with more access to the system should require at least 14 characters, and systems should accept long passphrases rather than capping length. Passwords must never be shared among users: every person gets their own account, so that access can be revoked and audited individually.
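As an added illustration of the policy described above (written for this page, not code from any product mentioned here), the following Python function enforces the two length tiers, rejects the common passwords quoted from the Ashley Madison breach even when they are dressed up with digit or symbol substitutions, and refuses passwords that contain the username. The blocklist is a small constructed one; a real deployment would load a full breached-password list in its place.

```python
import re

# Constructed blocklist for illustration only. A real deployment would load a
# large breached-password list (hundreds of thousands of entries) instead.
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "default", "qwerty",
    "letmein", "welcome", "admin", "abc123",
}

# Minimum length by account type, as recommended in the text above.
MIN_LENGTH = {"user": 8, "admin": 14}

# Undo the substitutions people use to dress up a common word ("P@ssw0rd").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Lower-case, reverse common leet substitutions and drop punctuation."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(_LEET))


def blocklist_variants(password):
    """Forms of the password that are compared against the blocklist."""
    lowered = password.lower()
    # "qwerty123!" -> "qwerty": a trailing run of digits/punctuation adds nothing
    without_suffix = re.sub(r"[0-9!.?]+$", "", lowered)
    return {v for v in (lowered, normalize(lowered), normalize(without_suffix)) if v}


def check_password(password, username, role="user"):
    """Return the list of policy violations; an empty list means accepted."""
    if role not in MIN_LENGTH:
        raise ValueError(f"unknown account type: {role}")
    problems = []
    minimum = MIN_LENGTH[role]
    if len(password) < minimum:
        problems.append(f"shorter than the {minimum} characters required for {role} accounts")
    if blocklist_variants(password) & COMMON_PASSWORDS:
        problems.append("matches a common or default password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) <= 2:          # "aaaaaaaa", "abababab"
        problems.append("too few distinct characters")
    return problems


def is_acceptable(password, username, role="user"):
    """Convenience wrapper for the point where a new password is set."""
    return not check_password(password, username, role)


if __name__ == "__main__":
    for pw, user, role in [("123456", "alice", "user"),
                           ("P@ssw0rd!", "alice", "user"),
                           ("ThisIsaStrongPassword", "alice", "user"),
                           ("Tr0ub4dor&3", "bob", "admin")]:
        print(f"{pw!r} ({role}): {check_password(pw, user, role) or 'accepted'}")
```

The check reports every violation rather than stopping at the first, so the user sees at once why a password was refused; the blocklist comparison is done on normalized forms so that “P@ssw0rd!” and “Qwerty123!” are caught, not only the bare dictionary words.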
Best practices for password storage:
Password management software is useful for keeping track of unique usernames and passwords across many accounts, but it must be used properly. Such software is unlocked by a single master password, which must be particularly strong, must not be reused anywhere else, should be protected with 2FA where the manager supports it, and should be changed at once if there is any sign it has been exposed. Industry leaders in the password management software space include Dashlane, LastPass, Zoho Vault and RoboForm.
How often should passwords be changed? Common practice has held that standard user account passwords expire after 90 days and administration account passwords after 60 days. Note, however, that current NIST guidance (SP 800-63B) advises against forcing periodic changes, because users respond with predictable variations of the old password. Change a password promptly whenever there is any indication it has been compromised, and rely on length, uniqueness and 2FA rather than on the calendar.
Best practices for password management:
- Change default account passwords to your own custom passwords
- Do not use the same password across multiple accounts
- Production account passwords must not be used in non-production (testing) environments
- Password fields must display only masked characters (typically appearing as “●●●”) as the user types in their password, where technically feasible
Companies should also be aware that they do NOT have to rely on passwords as the sole barrier to entry into their computer systems. Many systems, such as Twitter, offer 2FA, which adds an extra step to the basic login procedure. Twitter’s 2FA can verify logins by sending an SMS text with a code to the user’s phone, so that both the code and the password are needed to log in. SMS codes are better than nothing, but they can be diverted by an attacker who talks the mobile carrier into transferring the victim’s number (a “SIM swap”), so an authenticator app or a hardware security key is the stronger choice where it is available.
Google Authenticator is a free app for iOS (Apple) and Android that generates time-based one-time codes for Google accounts and any other website that supports the standard, and is not dependent on the phone network. Biometrics for 2FA, such as a fingerprint or voiceprint, are also becoming more common. The minor inconvenience of following an extra step in the login process is more than offset by the security advantages of 2FA.
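To show what an authenticator app such as Google Authenticator actually computes, here is an added example (written for this page, not code from any of the products mentioned) implementing the time-based one-time password algorithm of RFC 6238, with the HMAC-based counter scheme of RFC 4226 underneath it, in Python using only the standard library. The demonstration secret is the 20-byte ASCII test key “12345678901234567890” published in those RFCs, so the codes it produces can be checked against the RFC test vectors; six digits and a 30-second step are the defaults authenticator apps use.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, submitted, timestamp, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side.

    The window tolerates clock skew between phone and server; comparison is
    constant-time so a wrong guess leaks nothing about the expected value.
    """
    counter = int(timestamp) // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_base32(encoded):
    """Apps are provisioned with a base32 secret (from a QR code or otpauth:// URI); decode it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)             # restore padding that the URI omits
    return base64.b32decode(cleaned)


# Constructed demonstration secret: the RFC 4226/6238 test key, NOT a real credential.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(RFC_TEST_SECRET, now))
    print("accepted:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now))
```

Two points matter when this runs on the server side of a login: the shared secret must be stored in a form the server can read back, unlike a hashed password, so it needs to be protected (encrypted at rest, restricted access) as carefully as any other credential material; and because a six-digit code is only a million possibilities, login attempts must be rate-limited or the second factor can simply be guessed within the validity window.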
Get Cyber Risk Insurance / Cyber Insurance / Cyber Liability Insurance / Cyber Insurance Canada / Password Hack Insurance
By following the tips above, you will hopefully avoid experiencing a password breach hack. However, if it does happen to your business, having cyber risk insurance in place would benefit you greatly.
Front Row’s cyber liability insurance policy includes coverage for cyber hack incidents related to password breaches, such as third-party (your customers/clients) cyber liability and first-party (you and your business) cyber liability.
Protect your data and your clients' data. Front Row's cyber insurance policy is available online in 5 minutes; premiums start at $300 CAD. Platinum coverage is $800 CAD. (Prices subject to change) Up to $1,000,000 of protection is available.
90% of small businesses in Canada do not have Cyber Insurance: take a few minutes to protect your business that has taken you so long to establish.
Get a free quote 24/7 and buy online now:
About: Front Row Insurance Brokers Inc. is an independent insurance broker that provides cyber insurance for a very low cost. Should a claim occur, Front Row works diligently with clients and insurers to expedite payment of claims. Front Row has offices in Vancouver, Toronto, Montreal and Halifax.
DISCLAIMER: Informational statements regarding insurance coverage are for general description purposes only. These statements do not amend, modify or supplement any insurance policy. Consult the actual policy or your broker for details regarding terms, conditions, coverage, exclusions, products, services and programs which may be available to you. Your eligibility for particular products and services is subject to the final determination of underwriting qualifications and acceptance by the insurance underwriting company providing such products or services. This website does not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether coverage exists or does not exist for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy wording.