October 30, 2017 1:23 pm
No organization—for-profit or nonprofit—wants to experience a password breach. Unfortunately, it does happen and in recent years unauthorized access to companies’ databases has grown into a serious concern.
Over 1,000 data breaches occurred in 2016 alone, affecting millions of people. If our current security measures don’t get any better, many more organizations will face similar circumstances.
One way organizations can better prepare for and prevent password breaches is by implementing a plan of action to ensure that information is protected.
Here are six steps you can use to protect your information:
- Create strong passwords.
- Use two-factor authentication and password alternatives.
- Delete old or inactive accounts.
- Make sure all your software is up-to-date
- Stay in the know about recent password breaches.
- Notify users and provide them with ways to protect their information.
Keep reading as we provide vital tips to secure your information after a password breach. For a more in-depth look at password security, check out our comprehensive guide!
Password Breach Step #1: Create Strong Passwords
Why Creating Strong Passwords Protects Against Password Breaches
The first step your organization should take if you suspect a data breach is to change your passwords. In a recent study, it was revealed that 63% of confirmed data breaches involved unauthorized users taking advantage of weak or compromised passwords.
But just changing your passwords isn’t enough. Without enforcing security guidelines, your users are likely to create similar weak passwords that could leave your business susceptible to another attack.
Even organizations that stick to high password standards might be using outdated best practices.
How to Create Better Passwords
The National Institute of Standards and Technology (NIST) recently published updates to their digital identity guidelines that advised companies to:
- Avoid periodic password changes. Studies have shown that frequent password changes actually lead to weaker credentials. Users are more likely to create short, easy-to-guess passwords because they’re forced to create and remember a new password every couple of months.
- Screen new passwords against lists of commonly used passwords. Companies just have to look at the most used passwords to see that users are still settling for convenience over security. To make things even worse many of these passwords have been compromised in previous breaches. Screening these passwords means that you can avoid using very weak passwords.
- Remove arbitrary password complexity requirements. Asking users to include at least one uppercase letter, number, and symbol results in passwords like “Fido123!” and “Jessica1234%” which are very predictable and easy to crack.
Here are a few more do’s and don’ts your organization should follow:
Organizations need to drop these dated password guidelines and focus on what makes an account truly secure.
Password Breach Step #2: Use Two-Factor Authentication and Password Alternatives
Why Two Factor Authentication Protects Against Password Breaches
Let’s face it: passwords aren’t very secure. Users need to understand how password security works to truly create a secure account. Plus, evolving technology makes it possible to crack even complex credentials.
Still not convinced? Check out this guide on why passwords won’t protect your website.
Implementing a second layer of security is a must for any organization that wants to protect itself from a password breach.
Two-factor authentication and passwordless login systems help to verify that users are who they say they are, making it difficult for unauthorized users to gain entry.
How to Use Other Authentication Methods
Essentially, two-factor authentication still requires accounts to have a username and password. When users enter their credentials., they’ll be asked to enter a unique code that’s usually sent via mobile phone.
You’ve probably used two-factor authentication before as it’s becoming a popular security feature. If your company’s email and software accounts offer two-factor authentication, enable it.
While it does take an extra step, cybercriminals will have a much harder time accessing your account. Even if your password becomes compromised, the hacker will still need your cell phone to complete the login process.
Passwordless login is very similar to two-factor authentication, but the process is more convenient because it takes out the extra step.
There are two popular types of password alternatives:
- Email authentication, which uses the person’s primary email account to verify their identity.
- Biometrics, which uses the person’s biology—fingerprint, iris, face—to grant access to an account.
For more detailed information on these options, Swoop has an in-depth look at even more password alternatives.
Depending on the type of method you choose, passwordless systems can be easy and inexpensive to implement.
Don’t just incorporate these additional layers of security internally; make two-factor authentication and passwordless login available to your patrons and donors as well.
Password Breach Step #3: Delete Old or Inactive Accounts
Why Deleting Old Accounts Protects Against Password Breaches
Old and inactive accounts are just as likely to be compromised as active accounts.
Let’s say you have an old email account. It’s likely to have personal information like emails to your accounts when you requested a password change and possibly a few unprotected credentials.
Yes, it might be shocking to learn that 1 of 7 company users share their passwords with other users and these credentials are often shared via email.
Moreover, older accounts tend to have weaker passwords because users were most likely following outdated guidelines or none at all.
How to Clear Out Old and Inactive Accounts
Your organization should conduct regular checks to remove any unused accounts and get your employees in the habit of deleting messages that link to other accounts. For instance, remove any password reset emails and messages that have account credentials (which should never be sent via email!).
Your organization should also remove accounts when:
- You switch software providers or stop using a specific tool.
- An employee leaves the businesses.
- An account has been inactive for more than 6 months.
Unfortunately, manually visiting each site is the only way to cancel an account. If your organization has an IT team, they can identify unused accounts and take the necessary steps to deactivate them.
Password Breach Step #5: Make Sure All Software is Up-to-Date
Why Updating Software Protects Against Password Breaches
A security breach can cost companies hundreds of thousands of dollars. Many times the breach can be avoided by creating stronger passwords and updating software.
One way that hackers gain access to your company’s sensitive information is through vulnerabilities in your software or computer programs.
When a software provider identifies errors in the code, they create free updates or security patches to prevent these errors.
The problem is that many companies don’t take the time to regularly update their software, making them easier targets for a data breach.
How to Update Your Software
Everything that your organization uses—from your CRM to your e-commerce or donation tools to your computer programs—should be updated often.
Maintaining software updates should be assigned to a specific person on your team like your IT specialist.
Have your IT specialist check your software providers’ websites for updates to determine which upgrades or patches apply to your company.
Additionally, this person should install anti-virus and anti-spyware software on all your devices and maintain consistent updates on these tools.
If your company does experience a breach, you should run through every program to ensure that it’s be upgraded with the necessary patches
While these updates, won’t guarantee that your organization is protected from a security breach, it will strengthen your defenses. Take the time to explore your login and security options; even free or inexpensive WordPress plugins can make a huge difference.
Password Breach Step #5: Stay In the Know About Recent Data Breaches
Why Staying In the Know Protects Against Password Breaches
Large and small companies have all been victims of password breaches, and it shows that everyone can learn more about password security.
By being aware of these instances and other data breaches, you can see what went wrong and create solutions to prevent similar situations from happening in your organization.
You’ll become more familiar with the various methods hackers are using to crack passwords and retrieve sensitive information. This knowledge can help create stronger credentials and implement other ways to protect your information.
Additionally, staying up-to-date can keep your company protected. If a company you partner with experiences a data breach, there’s a chance that your information could be compromised.
How to Stay Up-to-Date on Password Breaches
There are plenty of resources your organization can use to stay in the loop on recent data breaches, including:
- Privacy Rights Clearinghouse is a nonprofit that focuses on educating users about online protection. They also maintain an ongoing list of data breaches that can you can filter by industry and year.
- Verizon DBIR Report is a comprehensive look at data breaches. Verizon publishes a report every year and provides suggestions on how companies can improve their security.
- Krebs on Security is a blog published by former Washington Post reporter, Brian Krebs. His blog includes a wide range of articles that are relevant to consumers and companies.
Password Breach Step #6: Notify Users and Provide Them With Ways to Protect Their Information
Why Notifying Users is Important When You Suspect a Password Breach
As you make improvements to your internal security, it’s also important to notify your customers about the password breach.
Admitting that your organization experienced a password breach can be difficult, especially when it means potentially losing the trust of your users. However, their sensitive information is at risk and they should know as soon as possible.
Keeping users in the loop will show your customers or donors that you’re taking every effort to rectify the problem.
How Should You Notify Users About a Password Breach
When you suspect there’s been a password breach, you should send all of your users a letter or email notifying them of the breach and providing them with ways they can protect their information.
Here a few things you should include in the letter:
- The type of information that was compromised. Depending on the nature of your organization and the severity of the breach, the type of information that was leaked will vary from account credentials to credit card numbers. By providing this information to users they’ll have a better idea of what steps they need to take to protect themselves.
- Information on how users can determine if they were affected. Give your users information and ways to figure out if the breach leaked their information. Sites like Have I Been Pwned? identify if a person’s email is linked to any data breach in their system.
- Next steps on how to secure their accounts. Advise users to change their passwords and provide tips on how they can create stronger credentials. By giving your users clear steps on what to do, they can stop hackers from causing even more damage.
Lastly, keep your donors up-to-date on any new information you discover. When you’re transparent about the password breach and your efforts to solve the problem, users will appreciate your honesty.
Dealing with a data breach is difficult, but the first step is learning how you should handle the threat and prevent it from happening again. Now that you’ve read through our guide, you know what actions you need to take.
For more information on password breaches and securing your accounts, keep reading these additional resources:
- How Strong is My Password? | “Not Very,” Security Experts Say: Interested in learning more ways to create stronger passwords? Security expert John Killoran offers tips on how to secure your accounts.
- Tips to Create a Better Password and Username Login Process: Password security shouldn’t just be an internal concern. Learn about ways you can make your customers’ accounts secure and convenient.
- Questions About Passwordless Login: If you want to learn more about password alternatives, this article has the answers to some of your most pressing questions.
This post was written by Jamie L.