How To Protect Your Business Accounts Against Brute Force Password Attacks
Account credentials are among the most sought-after pieces of information among cybercriminals. With the aid of cutting-edge technology and tried-and-tested methods such as brute force attacks, these criminals can wreak damage on individuals and businesses alike.
Here we take a closer look at brute force attacks, the impact on businesses, and ways for organizations to protect themselves.
What is a brute force attack?
A brute force attack is a software-assisted method that threat actors use to obtain information such as a password or a data encryption key. It involves an automated program or bot attempting to access an account, network, or system by systematically testing potential passwords.
For example, if you were using the password “password123” and the brute force program tried every combination of upper-case letters, lower-case letters, and digits, there’s a good chance the software would eventually guess your password, because there are only so many possible combinations of those characters at that length.
In addition, some of the programs used to carry out brute force attacks are programmed to test the world’s most common passwords first, and “password123” falls into this category.
Brute force attacks come in various forms, including dictionary attacks, hybrid and reverse brute force attacks, and credential stuffing. All of these rely on automated guessing software, and some of them leverage lists of known, previously compromised passwords.
Password theft stats and figures
Password theft is an ever-present and pressing issue. According to the 2020 Verizon Data Breach Investigations Report (DBIR), financial gain remains the key driver for cybercrime, with 86 percent of breaches found to be financially motivated.
Of these breaches, the vast majority (70 percent) were caused by threat actors, with organized cybercrime making up 55 percent of this group. Credential and password theft, and social engineering attacks (such as phishing) accounted for more than 67 percent of all incidents.
It’s not surprising that 37 percent of credential theft breaches involve weak or previously compromised passwords.
The impact of password theft on businesses
The impact of a data breach on a business cannot be overstated. As reported by CNBC, the average cost of a breach in 2019 was US$200,000, a substantial chunk of which may go towards regulatory fines if the business is found to have insufficiently protected customer data.
Research from Accenture shows that around 43 percent of attacks target small to medium-sized businesses (SMEs). SMEs are a favored target for hackers, thanks to an assumed lackadaisical attitude to cyber security.
More often than not, threat actors are correct: just 14 percent of SMEs have the right systems in place to properly protect themselves from cybercrime.
The US National Cyber Security Alliance suggests that around 60 percent of SMEs close their doors, both digital and otherwise, after an attack.
Ways to prevent brute force attacks
1. Protecting your business starts with your staff
Because a significant number of breaches occur courtesy of human error, whether through clicking on a suspicious link in a well-disguised email or by using a weak password to access a company’s network or systems, it’s wise to invest in cyber security training programs.
These programs ensure that everyone in the organization understands that the onus for good cyber security starts in house.
2. Use strong passwords and avoid password repetition
Strong passwords are generally long, with a minimum of 12 characters, as recommended by the Federal Bureau of Investigation. Strong passwords should also be complex (a mix of capital letters, lowercase letters, numerals, and special characters) and unique.
On the latter point, there should be one password assigned to each of your business-related accounts and passwords should never be repeated across different accounts.
Passwords are the first line of defense in protecting your business against brute force attacks. Make sure they’re strong enough to stand up against would-be threat actors equipped with brute force software.
Remember that, statistically, it takes far longer and is far harder to crack a password that’s 12 characters long than one that’s eight characters long.
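As an added illustration (not from the original article) of the arithmetic behind the 8- versus 12-character claim, and of why a common password fails no matter how the keyspace math looks, the Python below estimates the number of candidates a guessing program must exhaust and checks a password against the rules above. The guess rate and the short common-password list are assumptions; real cracking tools ship far longer lists.

```python
import string

# Character classes a guessing program must include once one of them appears.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}
# Constructed stand-in for the "most common passwords" lists that real tools try first.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # the minimum the article attributes to the FBI


def classes_used(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Count of candidates of this length over the alphabet formed by the classes the
    password uses; an attacker exhausting that alphabet tries at most this many."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def years_to_exhaust(password, guesses_per_second=10**10):
    """Worst-case offline cracking time at an assumed (GPU-rig class) guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def check_policy(password):
    """Reasons the password fails the article's rules; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list, so it is guessed first")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = sorted(set(CLASSES) - classes_used(password))
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for pw in ["password123", "Ab1!Ab1!", "Ab1!Ab1!Ab1!", "N3w-Y0rk!Cafe"]:
        print(f"{pw:14} keyspace={keyspace(pw):.1e} "
              f"years={years_to_exhaust(pw):.2g} {check_policy(pw)}")
```

Going from 8 to 12 mixed-class characters multiplies the keyspace by 94^4 (roughly 78 million), while “password123” is rejected by the common-list rule before any keyspace arithmetic matters.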
3. Opt for two-factor authentication
Two-factor authentication (2FA) is a security measure that requires two different types of authenticators to gain access to an account.
2FA adds an extra layer of protection by requiring both “something you know” (your password) and “something you have” (the second factor).
This makes it much more difficult for hackers to guess or steal information than if they were only relying on one method. It should be enacted across all business systems, both client-side and internally.
The most common form of 2FA is a password plus a code sent to a phone, but there are known issues with SMS verification methods. Whenever possible choose authentication apps such as Google Authenticator or Authy or use a hardware-based 2FA.
4. Understand that if it’s online it’s at risk
While this is particularly important for businesses that conduct online sales or run client-facing systems and services on their websites, all companies rely on online systems in some way and need to maintain good cyber security policies and practices. This may involve:
- Probing your website often to seek out any potential vulnerabilities and address these before they lead to a bigger issue.
- Installing captcha on your website to prevent bots and brute force attacks from gaining access.
- Keeping any installed website plugins and themes up to date. If there are old themes or plugins on your sites that are no longer used, delete them, as they could contain vulnerabilities.
- Ensuring all software is up to date across all company systems.
- Backing up data regularly so that important client information isn’t lost.
- Double-checking that any third-party systems aren’t using default credentials.
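A CAPTCHA or lockout only helps once the failed-login pattern is noticed, so the Python below, an added example that is not part of the original article, runs a simple detection over constructed authentication log lines. It flags both a burst of failures against one account (classic brute force) and failures spread across many accounts from one source (the reverse brute force and credential stuffing shape mentioned earlier); the log format, thresholds, and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an SSH/web auth log; not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:03 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:04 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:06 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:08 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:15 auth: Accepted password for alice from 203.0.113.7
2024-03-01T10:01:00 auth: Failed password for bob from 198.51.100.9
2024-03-01T10:01:02 auth: Failed password for carol from 198.51.100.9
2024-03-01T10:01:04 auth: Failed password for dave from 198.51.100.9
2024-03-01T10:01:06 auth: Failed password for erin from 198.51.100.9
2024-03-01T10:30:00 auth: Failed password for bob from 192.0.2.44
2024-03-01T10:45:00 auth: Failed password for bob from 192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def detect(log_text, window=timedelta(minutes=5), max_failures=4, max_users=3):
    """Return {ip: sorted alert kinds} for source IPs whose failed logins inside the
    sliding window exceed the thresholds. 'brute_force' = many failures from one IP;
    'password_spray' = failures spread over many distinct accounts from one IP."""
    recent = defaultdict(list)  # ip -> [(timestamp, user), ...] still inside the window
    alerts = defaultdict(set)
    for ts, result, user, ip in parse(log_text):
        if result != "Failed":
            continue  # successes are not counted; older failures expire out of the window
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window] + [(ts, user)]
        if len(recent[ip]) > max_failures:
            alerts[ip].add("brute_force")
        if len({u for _, u in recent[ip]}) > max_users:
            alerts[ip].add("password_spray")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # {'203.0.113.7': ['brute_force'], '198.51.100.9': ['password_spray']}
```

The two failures from 192.0.2.44 are 15 minutes apart, so they fall outside the window and produce no alert, which is the behaviour you want if the thresholds are to stay quiet for ordinary typos.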
It’s better to secure your business now than try to recover after an attack
The costs of a brute force attack are significant. Data breaches can cause you to lose business by interrupting operations, carry a hefty regulatory price, and damage a business’s reputation. Brute force attacks are common, but they’re also easy to prevent with some simple mitigating strategies.
Remember that it’s better to be safe than sorry.