Despite growing awareness of the importance of password security, a recent UK survey conducted on behalf of the National Cyber Security Centre (NCSC) revealed that the password "123456" was used by 23.2 million hacked accounts. "qwerty", "iloveyou" and "password" are also among the most commonly used passwords.

As the legal industry continues to digitise, clients and law firms alike are gradually transitioning to a cloud-based environment.
While there are obvious benefits to doing so, safeguarding sensitive client and corporate data is now more important than ever. Cyber security should not be viewed as the responsibility of the IT department alone; it is everyone's responsibility to ensure that access to data is properly controlled.
How a simple password may lead to a security breach
Our interest was recently piqued by a real-world example that emphasised the importance of effective password security. It serves as a timely reminder of the dangers of using a weak password.
Consider how "qwerty" resulted in 500 fraudulent invoices.
The organisation received news of a compromised user account at the start of business on Monday morning. The IT department investigated the breach and determined that the user in question had been using the password "qwerty".
On the previous Friday, the attacker had used a password spray attack to guess the correct password. Password spraying is the practice of trying commonly used passwords against an individual or a group of users; it puts anyone who uses a weak password at risk.
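To show what this pattern looks like from the defender's side, here is an added example (not code from the original article) that flags password-spray behaviour in a constructed authentication log: one source failing against many distinct accounts in a short window, followed by a success. The log format, IP addresses, usernames and thresholds are all assumptions.

```python
"""Flag password-spray patterns in authentication logs (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# One source tries many accounts once each; another is a normal user mistyping.
SAMPLE_LOG = """\
2021-03-05T19:00:01 203.0.113.7 alice FAIL
2021-03-05T19:00:03 203.0.113.7 bob FAIL
2021-03-05T19:00:05 203.0.113.7 carol FAIL
2021-03-05T19:00:07 203.0.113.7 dave FAIL
2021-03-05T19:00:09 203.0.113.7 erin FAIL
2021-03-05T19:00:11 203.0.113.7 frank SUCCESS
2021-03-05T19:05:00 198.51.100.9 alice FAIL
2021-03-05T19:05:30 198.51.100.9 alice FAIL
2021-03-05T19:06:00 198.51.100.9 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {ip: info} for sources that failed against at least `min_users`
    distinct accounts within `window`. Spraying is a few attempts per account
    across many accounts, so the key signal is distinct usernames per source,
    not repeated failures for a single user (which per-account lockout catches).
    Any account that then logged in from the same source is reported as
    possibly compromised so it can be reviewed first."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # sorts by timestamp first
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            failed = {e[2] for e in in_win if e[3] == "FAIL"}
            if len(failed) >= min_users:
                hits = sorted({e[2] for e in in_win if e[3] == "SUCCESS"})
                alerts[ip] = {"users_tried": len(failed), "compromised": hits}
                break  # one alert per source is enough
    return alerts
```

Running `detect_spray(parse_log(SAMPLE_LOG))` flags only 203.0.113.7 and names "frank" as the account to review; the mistyping user on 198.51.100.9 is not flagged.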
The attacker obtained access to the user's account as a result of the weak password. Over the course of a few hours, they used the user's contact book to send over 500 fraudulent invoice emails to clients. The significance of this attack cannot be overstated.
Because the emails came from a genuine account rather than a forged email address, the recipients assumed the sender was legitimate. This could lead to further victims and even worse consequences for the firm.
Once the user alerted the IT department on Monday morning, access to the user account was restored. However, this was three days after the attack, which gave the attacker enough time to set up mailbox rules that marked all incoming emails as read and then permanently deleted them.
This approach obscures the attacker's tracks and makes it difficult to determine where the 500 emails were sent.
This is just one example. Had the attacker gained access to an account with global administrative privileges, the consequences could have been far worse.
Such attacks have the potential to cause the law firm in question to lose or divulge confidential client and financial data. For such a highly regulated business, the ramifications could be catastrophic.
Our four top tips for password security
By following these tips, you can significantly improve the security of your personal and business accounts, making it far more difficult for a potential attacker to do the same to you.
1. Make strong passwords.
The NCSC suggests choosing three random words that are easy to recall but hard for someone who knows you to guess in 20 attempts.
Refrain from including any personal information in your password. Potential attackers can easily obtain information such as birthdays, family and pet names, and even your favourite band via the internet, social media or phishing. Most websites now indicate the strength of your password and require particular criteria to be met when creating one. Passwords can also be made more secure by incorporating numbers, symbols, and a mix of upper and lower case letters. Avoid runs of consecutive numerals.
2. Keep your personal and business passwords separate.
Passwords should not be reused between accounts. This limits the impact of a compromised personal account on your work life, and vice versa.
3. Two-factor authentication
Many websites and services now provide two-factor authentication (2FA), which verifies your identity and helps prevent unauthorised access to your accounts. This is often done by sending you a one-time code via SMS in addition to requesting your username and password. It is critical to use 2FA on services that hold sensitive information, notably email services: if an attacker gains access to your email account, they can gather information about you and potentially take over other accounts by resetting their passwords.
4. Be aware of your environment when entering your passwords
When entering your password, always make sure you are on a secure network. If you are using a public hotspot, use a VPN to encrypt your connection and prevent others from intercepting your data in transit.
If you don't have a VPN subscription, use your phone's 4G connection or wait until a safe connection is available elsewhere. Take care when entering personal information in public places: prying eyes may be present, so be as cautious as you would be when entering your PIN at an ATM or card terminal.
More advice on keeping your work secure can be found in our guide on how to work from home safely. For further information on cyber security, visit the National Cyber Security Centre website, which offers information and advice for all types of users, from individuals to large companies.
The National Cyber Security Centre (NCSC) has issued a list of the top 100,000 compromised passwords.
Have I Been Pwned is a useful site for checking whether any of your accounts have been compromised as a result of a website breach.