3 Key Risks with Employee Passwords in the Financial Services IndustryHow can financial services institutions better protect employee passwords?
Banks, credit unions, investment companies, and other financial services organizations are facing an ever-growing threat from cybercriminals. In 2019, we have seen many high-profile data breaches hit financial organizations, resulting in financial repercussions and damaged brand reputation.
- In July, hackers successfully stole personal information of more than 106 million people from financial corporation Capital One - the third-largest issuer of credit cards in the United States.
- In 2018, attackers stole $13.5 million from India's Cosmos by compromising their financial systems.
- Over the past few years, the MoneyTaking hacking group is suspected of stealing millions from banking institutions in the UK, US, and Russia.
- In April 2019, the CEO of JPMorgan Chase & Co., Jamie Dimon, told shareholders that cybersecurity "may very well be the biggest threat to the US financial system."
- Bank of America Corp's CEO, Brian Moynihan, seems to echo that sentiment when he said that the lender's cybersecurity unit operates with an unlimited budget.
Financial services organizations have been increasing investment in cybersecurity tools and cybersecurity awareness amongst employees, but attacks on Active Directory are still prevalent. A large risk continues to be a simple attack vector: compromised passwords.
Password Reuse and Bad Passwords
How do financial services institutions secure the essential password layer without creating more friction for employees to access their email and corporate infrastructure?
According to a 2019 Online Security Survey by Google, 65% of people "reuse the same password for multiple or all accounts." To make the matter worse, many employees reuse passwords across their personal and work accounts, which puts their employer at risk. According to a LogMeIn survey, 62% of employees reuse the same password for work and personal accounts. With the increasing amount of online services that we use, remembering a unique password is taxing. The average amount of passwords users need to recall is estimated to be over 90+ passwords within 5 years. This leads to employees reusing or using iterations of old passwords across work and personal accounts.
But even a strong passwordis useless if it is exposed online and the user reuses it across different sites. Many financial services employees also continue to use bad passwords, commonly used passwords or passwords regularly found in cracking dictionaries. In the past companies would enforce password expiration policies to combat this, but now both NIST and Microsoft are recommending against the forced periodic password reset. Financial organizations should instead educate employees on robust, unique passwords, and screen for compromised credentials.
Making matters worse, many financial services employees continue to use bad passwords, commonly used passwords or passwords regularly found in cracking dictionaries. While many financial services organizations have robust training on creating strong passwords, only 25.3% of US organizations check employee accounts against common password lists, according to OneLogin. This is a risk because this is one of the most common threat vectors for accessing internal systems. Employees clearly need help in this area.
According to the Privileged Access Threat Report by BeyondTrust, 69% of organizations cited that colleagues sharing passwords was an issue. This is an increase from 49% in 2018, yet most companies have not relaxed their policy on colleagues sharing passwords. A 2016 study by password manager LastPass found that 61% of people are more likely to share work passwords than personal passwords. There are several reasons why someone might share their work password, but all are dangerous for the company. 42% of people share work accounts and passwords to collaborate with teammates, and 34% cited the reason as reducing costs, presumably on user-limited software. 38% of respondents said that it was the company's procedure to share passwords to access certain accounts. Any financial organizations operating such a policy should act to ensure that all employees who need access to an account have their own unique login credentials.
Credential Theft- Internally and Externally
Credential theft remains a significant cause of data breaches and can allow cybercriminals to lock employees out of their accounts and conduct account takeovers. Credentials and passwords are commonly stolen from previous data breaches and leaks, phishing attacks, or credential-stealing malware then used to access sensitive corporate accounts. It is a massive vulnerability for not only financial services organizations, but organizations across all industries. According to Cyren and Osterman Research, 40% of enterprises experienced Office 365 credential theft. Furthermore, senior employees often have privileged access to accounts or have enough influence to incent employees to gain sensitive data. If a hacker can gain access to the account of a CEO or executive, they can impersonate them to gain access to highly sensitive information. In 2017, it was estimated that around 30% of CEOs had their credentials leaked through historic data breaches.
Financial services organizations need to be vigilant with their password security practices to reduce the risk of data breaches and other cybersecurity attacks. Strong password policies need to go hand-in-hand with an educated workforce and a work culture that is supportive of cybersecurity best practices. With new regulatory pressures, compromised password screening is a security standard, not just a nice-to-have. While updating password policies may require some time and planning, it should be a top priority, because compromising financial systems is a top priority for cybercriminals.
To learn more about low-friction ways to strengthen passwords in Active Directory, please visit: www.enzoic.com/active-directory/