It is fair to say that cybersecurity is never far from the headlines. But two stories have really caught our eye this month and are stepping stones to sharing useful information with you.
The first was a piece of government legislation that will force device manufacturers to ban the use of weak passwords in their technology. The second is still an evolving story at the time of writing, but relates to the Ministry of Defence (MoD) payroll supplier who has suffered a data breach, leaking the personal details of more than a quarter of a million employees!
Let’s take a look at both stories in more detail.
“password” will no longer cut it as a password!
Let’s get one thing straight – “password” has never cut it as a password, but along with “123456” and “admin” it is now officially banned. The ban will be enforced via technology companies who must build better security protocols into their devices.
This is a pioneering law currently not seen anywhere else in the world. Going far beyond computers, the law extends to any connected device, from smartphones and watches to fridges and TVs. So while this will protect the consumer space, it will also definitely affect SME businesses and charities, with devices like routers and phones coming under the remit.
The government cited research by Which? that found that the kind of smart devices which will now be protected could be subject to 12,000 global hacking attacks in a week. Just five devices could accumulate 2,684 attempts at breaking weak passwords.
What should you do?
The legislation applies to new products so we will slowly see this basic level of protection enter the market. It is, though, a timely reminder on password good practice and user awareness.
We have long advised companies to set up two-factor authentication (2FA) wherever possible on hardware and software, to make them much less vulnerable to such hacks. Where 2FA is in use, even with a correct password a hacker will not be able to gain access to a system because they will also need an entirely separate code – such as one generated from an authentication app.
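To show concretely why a stolen password is not enough once 2FA is in place, here is an added example (ours, not part of the original article or any product it describes) in Python. It implements the time-based one-time code an authenticator app generates (RFC 6238 TOTP over RFC 4226 HOTP with HMAC-SHA1), checks it with a one-step tolerance for clock drift, and only grants a login when both the salted password hash and the current code match. It also applies the banned-list rule from the story above at enrolment, refusing "password", "123456" and "admin". The user record layout, the 12-character minimum, and the demo secret (the RFC 6238 test-vector key) are assumptions constructed for the example.

```python
"""Added example: password plus TOTP second factor, so a correct password alone
does not grant access. Not code from the original article."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed data: the three passwords named in the article, and the
# RFC 6238 test-vector key standing in for an authenticator-app secret.
BANNED_PASSWORDS = {"password", "123456", "admin"}
DEMO_TOTP_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP step, as in RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step or `window` steps either side (clock drift).

    Every candidate is compared in constant time and there is no early return,
    so timing does not reveal which step matched.
    """
    counter = unix_time // TIME_STEP
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta), submitted)
    return ok


def password_allowed(password: str) -> bool:
    """Enrolment rule (assumed): reject the banned defaults, case-insensitively, and short passwords."""
    return password.lower() not in BANNED_PASSWORDS and len(password) >= 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for storage; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enrol(password: str, totp_secret: bytes) -> dict:
    """Create a user record; raises ValueError if the password is banned or too short."""
    if not password_allowed(password):
        raise ValueError("password is banned or too short")
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; a correct password with no valid code fails."""
    _, digest = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(digest, user["hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    user = enrol("correct horse battery", DEMO_TOTP_SECRET)
    now = 1111111109  # RFC 6238 test time; the 6-digit code here is 081804
    print(authenticate(user, "correct horse battery", totp(DEMO_TOTP_SECRET, now), now))  # True
    print(authenticate(user, "correct horse battery", "000000", now))  # False: password alone fails
```

The two login calls at the bottom make the point of the paragraph: the same correct password succeeds only when accompanied by the code the authenticator would show at that moment, and fails with a guessed code. The demo key is published in RFC 6238 for testing and must never be used as a real secret; in production the secret is generated per user with `os.urandom` and stored as carefully as the password hash.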
It is not just poor password practice that can leave you vulnerable. Unfortunately, human behaviour is often the weak link in any company’s cyber defences, so we recommend clients invest in our user awareness training to get their staff more savvy on these matters.
Our MoD supply chain expertise
We have a speciality in advising companies within the MoD supply chain. They have heightened security standards just to operate in this field and we have a range of technologies and consultative approaches to help them succeed. We also help them gain and keep the Cyber Essentials Plus accreditation, vital to being accepted in this supply chain.
So we are following the story of the MoD payroll hack with particular interest. A third-party supplier looking after payroll for large swathes of military personnel was breached in an attack thought to have been ongoing for three weeks. As many as 270,000 employees have had data harvested, including identities and financial details. It has not been disclosed how sensitive some of the roles were, but this will be a significant added worry.
From what we know, suspicious patterns of activity were what alerted those monitoring the data to the breach, and now a long and complex investigation will take place, not to mention support for those who have had data taken.
We don’t know exactly what defences were in place, but the suggestion is that a foreign state, with all the resources that brings, is behind the attack. When we work with companies in the MoD supply chain we will consult closely to understand their risks and business objectives.
We can bring in solutions like Managed SOC (security operations centre), which deploys a manned team along with an array of tools to constantly monitor your systems, as well as targeted fixes like device security, email security and, as we mentioned above, user awareness training.
Please get in touch with us if you would like help with cyber security.