Working from home isn’t a new phenomenon for most of us now, and some organizations across the world have decided to permanently embrace the culture of remote work either entirely or as a part of a hybrid work environment. Unfortunately, one of the most serious security challenges that all organizations are currently facing – credential theft – has only been amplified by the switch to remote work, and this threat will continue to increase without the proper security measures in place.
81% of hacking-related breaches involve stolen or weak passwords, according to Verizon’s Data Breach Investigations Report, and that’s largely down to poor password practices, such as creating weak passwords, re-using them across accounts, and sharing them via email or instant-messaging apps. Combine these bad habits with a fleet of personal devices connected over unsecured home internet connections, and you have the recipe for a data disaster.
To find out more about how organizations can protect their employees from credential theft and secure their assets against subsequent breaches, we spoke to Darren Guccione, CEO and Co-Founder of Keeper Security. Darren has been in the technology space for over 20 years; with an experienced background in both engineering and finance and with a flair for creativity, he co-founded Keeper Security as an innovative solution to the challenge of preventing password-related data breaches, no matter where an organization’s workforce is based.
Launched in 2011, Keeper Security is a password and secrets management solution that helps organizations protect corporate accounts by managing and securing employee access to them. Its layers of security features work together to protect organizations against hacking threats and credential theft-related breaches, whilst enabling them to regain visibility over their business-wide state of password security. At the same time, Keeper makes it simple for each user to create and store a strong, unique password for each of their accounts, including those in the cloud and across multiple devices, radically reducing the human error that puts corporate data at risk.
A Secure Approach To Secret Storage
Every five years, the average number of online accounts that each person has doubles. When that number reaches the hundreds, it’s easy to see how managing a distinct password for each of those accounts becomes a pretty mammoth task. Password managers like Keeper simplify this task for both the system administrators monitoring the security of those accounts and the end users who own them. They do this by encrypting the credentials and storing them in a digital vault; to open it, the user enters a single master password, from which the client derives the vault’s encryption key. The master password itself is not the key and, in a zero-knowledge design, never leaves the user’s device. This means that, with only one password to remember, users can securely access and update all of their account credentials from one place.
“Keeper uses a zero-trust framework and a zero-knowledge architecture,” explains Darren. “This means that nobody but you ever has access to – or knowledge of – your master password nor your vault. Third parties shouldn’t be able to decrypt and view your information.”
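To make the zero-knowledge claim concrete, here is a minimal model of the client/server split it implies: the client stretches the master password into a data key, uses a separately derived key only to log in, and uploads nothing but ciphertext, so the service holds no value that can decrypt a record. This is an added example written for this article, not Keeper’s code. The PBKDF2 iteration count, the HMAC-SHA256 counter-mode cipher standing in for AES-GCM, the `"enc"`/`"mac"`/`"auth"` labels, and the record layout are all assumptions made for a self-contained, standard-library-only demo.

```python
"""Zero-knowledge vault model: the service stores a salt, a hash of a login
key and opaque ciphertext. It never sees the master password, the data key
or a plaintext record. Added example, not Keeper's code; all parameters
are assumptions."""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000  # assumption: OWASP's figure for PBKDF2-HMAC-SHA256


def derive_data_key(master_password, salt, iterations=KDF_ITERATIONS):
    """Stretch the master password into a 256-bit data key. Client-side only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_auth_key(data_key):
    """One-way derived login key: proves possession of data_key without revealing it."""
    return hmac.new(data_key, b"auth", hashlib.sha256).digest()


def _subkey(data_key, label):
    return hmac.new(data_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy stream cipher standing in for AES-GCM."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(data_key, plaintext):
    """Encrypt-then-MAC with keys split from data_key. Returns nonce || ct || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(data_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(data_key, blob):
    """Verify the tag before decrypting; ValueError on tampering or a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed authentication")
    ks = _keystream(_subkey(data_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def is_intact(data_key, blob):
    """True if the record authenticates under data_key, False otherwise."""
    try:
        open_sealed(data_key, blob)
        return True
    except ValueError:
        return False


class VaultService:
    """Server side: everything it stores is useless for decrypting a record."""

    def __init__(self):
        self.users = {}

    def register(self, email, salt, auth_key):
        self.users[email] = {"salt": salt,
                             "auth_hash": hashlib.sha256(auth_key).digest(),
                             "vault": None}

    def salt_for(self, email):
        return self.users[email]["salt"]

    def login_ok(self, email, auth_key):
        rec = self.users.get(email)
        return rec is not None and hmac.compare_digest(
            hashlib.sha256(auth_key).digest(), rec["auth_hash"])

    def store(self, email, auth_key, blob):
        if not self.login_ok(email, auth_key):
            raise PermissionError("bad credentials")
        self.users[email]["vault"] = blob

    def fetch(self, email, auth_key):
        if not self.login_ok(email, auth_key):
            raise PermissionError("bad credentials")
        return self.users[email]["vault"]


def client_round_trip(master_password, records, service, email="alice@example.com"):
    """Enrol, upload an encrypted vault, then in a fresh session (only the
    master password remembered) re-derive the keys and read the vault back."""
    salt = os.urandom(16)
    data_key = derive_data_key(master_password, salt)
    service.register(email, salt, derive_auth_key(data_key))
    service.store(email, derive_auth_key(data_key),
                  seal(data_key, json.dumps(records).encode("utf-8")))
    del data_key  # nothing but the master password survives to the next session

    data_key = derive_data_key(master_password, service.salt_for(email))
    blob = service.fetch(email, derive_auth_key(data_key))
    return json.loads(open_sealed(data_key, blob).decode("utf-8"))
```

The two derivations are the point: `derive_auth_key` is computed from the data key, not the other way round, so a service that stores a hash of the login key cannot work back to the data key, and a breach of the service yields salts and ciphertext that still have to be brute-forced through 600,000 PBKDF2 rounds per guess. In production the toy cipher would be replaced by AES-GCM or XChaCha20-Poly1305.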
Multi-factor authentication (MFA) is also a key feature of any password management solution. It verifies a user’s identity through two or more independent factors, such as a code from an authenticator app or a fingerprint scan on top of the master password, so an attacker who has guessed or phished the master password still cannot log in to the vault service. One caveat a practitioner should keep in mind: MFA gates access to the service, not the cryptography. An attacker who has already copied an encrypted vault offline and knows the master password can decrypt it without any second factor, which is why the master password itself still has to be long and unique.
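The authenticator-app factor mentioned above is almost always TOTP. Below is an added example (written for this article, not Keeper’s code) implementing HOTP from RFC 4226 and TOTP from RFC 6238 with the standard library, plus the server-side verification that tolerates a step of clock skew. The 30-second step, 6 digits and SHA-1 are the defaults most authenticator apps use.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), standard library only.
Added example for this article, not Keeper's code."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """Counter-based code: HMAC the 8-byte counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based code: the counter is the number of whole steps since the Unix epoch."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server-side check tolerating `window` steps of skew either way.
    Every candidate is compared in constant time and there is no early exit,
    so timing does not reveal which step matched."""
    now = int(time.time()) if at is None else int(at)
    ok = False
    for k in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret, now + k * step, step, digits), code)
    return ok


def secret_from_base32(text):
    """Authenticator apps exchange the seed as base32 (otpauth:// URIs); restore padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
```

A real deployment also records the last counter accepted for each user so a code cannot be replayed inside its window, and it rate-limits attempts, since a 6-digit code survives only about a million guesses. TOTP does not stop a real-time phishing relay, where the victim types the current code into an attacker’s page; phishing-resistant factors such as FIDO2 security keys close that gap.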
“Two-factor authentication and biometrics have allowed us to build an application that’s very secure but, at the same time, extremely easy to use. We work hard to unify convenience with security,” says Darren. Ease of use is extremely important when it comes to any cybersecurity solution; if implementing security means sacrificing working time, employees revert back to bad habits more quickly than you can say “Qwerty”.
Within the vault itself, password managers also encourage best practice when it comes to sharing passwords amongst colleagues. A post-it note slid across a desk is bad enough, but at least it can be shredded once the recipient has had a quick glance; in a home-office environment, users are growing accustomed to emailing or instant-messaging account credentials to one another. If either the sender’s or the recipient’s mailbox or chat account were compromised, the attacker would instantly have every credential ever shared through it, because those messages are rarely deleted.
“The way that information can be shared, for example with a family member or business colleague, is very powerful and granular,” says Darren. With a few clicks, users can sign into their vault and share a record that stays encrypted for the intended recipient end to end, rather than travelling in the clear, so nobody but that recipient ever sees the password.
Battling Credential Theft In An Ever-Changing Environment
“Password security is the biggest problem that any individual, family or organization is facing,” says Darren. “It’s a war that we’re fighting constantly.”
This war has become even more turbulent as we have seen, first, a huge shift to remote work and, now, a second shift towards a hybrid office environment.
“When you’re transacting with an application, a server in your office, a cloud server or a website – it could be anything – that object is under potential attack by a cybercriminal,” Darren explains, “and we’ve seen a big shift to distributed remote work, which basically proliferated overnight.
“Any weaknesses that companies had with respect to password security were catalysed by the pandemic, and we’ve seen a huge increase in cyberattacks because of it.”
The modern workplace is an ever-changing, volatile environment, both in terms of new technologies and new ways of working. Organizations are adopting cloud-based ways of working and learning how to use new technologies, all whilst their users work across multiple devices and join the corporate network over less secure internet connections. This gives bad actors an abundance of opportunities to infiltrate a business system.
A lot of these attacks, Darren says, originate from stolen credentials being sold on the dark web and used in credential stuffing, replication and account takeover attacks.
“Phishing is an easy, low-tech way of stealing login credentials from an unsuspecting victim,” he explains. “It’s very straightforward. But the attacks are getting far more sophisticated as they’re being financially backed – some cybercriminals make billions of dollars doing this!” In the past, disabling a computer was the main goal for a cybercriminal. Nowadays, it’s all about making money.
“Once the computer is disabled, a credit card screen pops up for you to send them money to unlock your systems,” says Darren, “and it’s not just targeted at the big enterprise anymore. It’s everyone.”
Small- and mid-sized businesses (SMBs) often don’t have the security architecture in place to protect themselves from cyberattacks. This largely stems from the “hackers don’t care about us” misconception, created by the fact that the overwhelming majority of attacks that make headlines are targeted at enterprises who’ve lost billions of dollars. However, this lack of architecture makes SMBs an easy target for attackers who want to go after the “low-hanging fruit”. And, unfortunately, most SMBs would struggle to recover financially from such an attack.
“It doesn’t matter how big or small you are, or what industry you’re in, everybody is subject to the same risk factors every day. If you have one or two people, or upwards of 50,000 people, you have to take measures to make sure you’re protected and don’t fall victim to an attack. And we’re here to help.”
How To Encourage A Culture Of Security When “Old Habits Die Hard”
It’s 2021. We all know how to create strong passwords, and why it’s important to keep our accounts safe, yet Password1 and qwerty still sit consistently at the top of common-password lists. This, according to Darren, comes down to basic human nature. When employees have so many passwords to remember, it’s easy just to reuse one and add a different digit to the end of it for each new account. Quite simply, he says, “Old habits die hard.”
Password management solutions solve this problem in a secure, cost-effective and simple way, generating a strong, unique password for every website, application and system an employee uses and storing it in the vault. On top of that, they monitor the health of each user’s existing passwords by checking them against collections of credentials leaked in public breaches.
“The dark web contains over 20 billion stolen usernames and passwords, taken from public data breaches,” Darren says. “BreachWatch is a feature integrated into our security platform. It scans the dark web in real time and compares those stolen credentials against information that a user has in their vault. If there’s a match, BreachWatch immediately alerts the user and walks them through how to quickly rotate that password.”
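The engineering question behind any such check is how to compare a vault password against a breach corpus without handing the password, or even its full hash, to the service doing the lookup. The usual answer is a hash-prefix range query: the client sends the first five hex characters of the SHA-1 and matches the returned suffixes locally. The following is an added example in the style of Have I Been Pwned’s Pwned Passwords range API; it is not Keeper’s BreachWatch implementation, and the breach dump and sample vault are constructed for the demo.

```python
"""Breached-password check that never sends the password or its full hash.
Added example in the style of HIBP's k-anonymity range API; not Keeper's
BreachWatch code. The breach dump and vault below are constructed."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a dump of leaked passwords and how often each was seen.
CONSTRUCTED_BREACH_DUMP = {
    "password": 3730000,
    "Password1": 2410000,
    "qwerty": 3950000,
    "Summer2021!": 12,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side: full hashes and counts, bucketed by the first 5 hex chars.
    A client reveals only its bucket (one of 16**5), never the full hash."""

    def __init__(self, dump):
        self.buckets = defaultdict(list)
        for pw, count in dump.items():
            digest = sha1_hex(pw)
            self.buckets[digest[:5]].append((digest[5:], count))

    def range_query(self, prefix):
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly 5 uppercase hex characters")
        return list(self.buckets.get(prefix, []))


def breach_count(index, password):
    """Client side: send the prefix, match the suffix locally. 0 means not seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in index.range_query(prefix):
        if candidate == suffix:
            return count
    return 0


def audit_vault(index, vault):
    """vault: {site: password}. Flags breached passwords and reuse across sites,
    the two findings a rotation workflow needs to prioritise."""
    sites_using = defaultdict(list)
    for site, pw in vault.items():
        sites_using[pw].append(site)
    report = {}
    for site, pw in vault.items():
        report[site] = {
            "breached": breach_count(index, pw),
            "reused_at": sorted(s for s in sites_using[pw] if s != site),
        }
    return report
```

Against the real service the client would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead of calling `range_query`, and would do so from the device holding the decrypted vault, never from a server that could be asked to log the queries. The constructed dump keeps the example offline.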
Implementing a password manager is easy, but password security has to be engrained in the organization’s culture. Adopting the right cybersecurity strategies from the top down is the best way to do this, Darren says. “It has to be mandated by senior leadership and cascade down as a policy.”
However, that’s not the only advantage to rolling out a manager company-wide. “Most CISOs and CIOs have no visibility over their organization’s password security protocols and practices,” Darren explains. “They don’t know if people are writing things down on post-it notes or in Excel files.
“Adopting this type of security gives you tremendous visibility, control and security over your organization’s password and cybersecurity framework.”
The Future Isn’t Passwordless
Many industry analysts predict a future where new technologies move us away from passwords altogether, but this isn’t realistic, Darren says, because of the fundamental need for encryption keys to secure information. The technologies that we often refer to as “passwordless” aren’t really passwordless at all.
“There are different authentication technologies out there, like biometrics, that you can layer over the top of a password, but underneath all of that, you’re still calling upon a password to handle the encryption and decryption of information, as well as the baseline authentication,” he explains.
The question is not whether we will continue to use passwords as technology evolves, but rather how we’ll interact with them. Eventually, Darren predicts, we’ll be allowing technology to do the “heavy lifting” for us, so that we as users can access applications and systems with the click of a button, rather than by typing in individual passwords.
“It’s not about eliminating passwords; it’s about eliminating the need to transact with passwords. Let the technology take that away from you, so that you can focus on what’s going to drive your business forward.”
Password management and single sign-on (SSO) solutions are key stepping stones in this advancement in technology that will bring us closer to a “seamless” login experience.
To Achieve Cybersecurity: Ask For Help, Cover Your Endpoints, And Patch Your Software
“Achieving cybersecurity” may seem like a huge task for most organizations, and a dream for others. And they would be right: we live in a cycle of attacks and updates to defend against those attacks. However, there are steps that every organization can take to keep it, if not invincible, then at least one step ahead of the bad actors.
Firstly, says Darren, organizations need to ask for help where they need it. “Cybersecurity is not a mystery, but a lot of people get intimidated and confused by it, and by what it means to protect an organization with cybersecurity tools and technologies. But companies like us are here to help you.”
There’s no silver bullet solution to cybersecurity, and no existing product that will completely eliminate the risk of attack, but implementing the right solutions can decrease that risk of attack greatly. Cybersecurity vendors like Keeper can offer guidance and support, as well as the technology, to keep your organization safe.
Secondly, organizations need to protect their endpoints. “This is especially important in distributed remote work,” Darren says. “Run an endpoint security platform in the background to prevent external threats from infiltrating your machine. That could be malware, or a credential stuffing attack – you need the ecosystem in place to make it difficult for a third party to breach your system.”
Last, but certainly not least – though often overlooked, according to Darren – is software patching. “When there’s a security or firmware update on your operating system or any software that you use, make sure you run those patches and updates.” Patches close known vulnerabilities that attackers actively exploit, and rolling them out regularly means employees are working in the most secure environment possible from the moment they log in.
Thank you to Darren Guccione for taking part in this interview. You can find out more about Keeper Security and their password management solution at their website and via their LinkedIn profile.