Multi-factor authentication. Biometrics. Cybersecurity training. Organizations do a lot to keep their employees from falling victim to a cyber attack. And in the financial services sector, a breach of consumer data can trigger major penalties. But what if the solution is hiding in plain sight? Darren James has one word for you — passwords.
After the 2020 SolarWinds hack, the Biden Administration took significant steps to increase cybersecurity regulation across industries in the U.S. — and the finance sector was no exception. In 2021, the FTC updated its GLBA Safeguards Rule to require FTC-regulated financial institutions to develop comprehensive cybersecurity strategies and comply with industry regulation to protect consumer data. At the end of 2022, these regulations were tightened to further protect customers within the sector. But with so much change, where should organizations start?
The answer is simple and oft-overlooked: passwords.
Cybersecurity regulations across the finance sector are ramping up
The FTC’s GLBA Safeguard Rule requires financial institutions to safeguard sensitive customer data and provide adequate privacy. This extends to financial institutions that offer adjacent products and services, like insurance or loans. Under the regulations, an institution is required to have an “adequate system of internal controls that provides reasonable assurance that the institution will achieve its objectives regarding reporting, operations and compliance.”
This not only affects the organization itself but also means it must seriously vet the software it uses, existing systems and any third-party partners and providers to make sure that they, too, are compliant. As a result, the effects of this rule can also be felt across industries. General systems that financial institutions rely on are often used across various sectors — Microsoft Office365, for example. These systems will also need to adhere to these rules, making software safer for everyone. These rules also extend to password-based systems like password managers.
Taking a password-focused approach
Despite efforts to move to a “passwordless” world, the reality is that passwords are not going anywhere. They’re a universal system and, crucially, a concept that everyone understands. However, end users often suffer from password fatigue and, as a result, rely on inadequate passwords. Consequently, passwords are often the weakest link in an organization’s security posture. But what does an inadequate password look like?
We’re all, perhaps, guilty of using bad passwords. The most common password mistakes include using the same password across multiple websites/accounts, taking a pattern-based approach (for example, Companyname1!) or ignoring complexity rules altogether. The 2023 Specops Weak Password Report found that the most common base term used to attack networks across multiple ports was, staggeringly, password and more than 88% of passwords used in attacks were 12 characters or less.
Fortunately, for organizations, a strong password policy is an easy and affordable place to start with cybersecurity compliance. A strong password policy could include adding complexity requirements, having tools that check for breached passwords or adding multi-factor authentication steps. It’s a quick fix that can be aided by tools that can be deployed quickly, removing burden from IT teams. Building a strong and comprehensive password-focused mentality that can be instilled in everyone, from end users to employees, is key. It can make end users feel empowered too, given that it’s non-invasive.
Passwordless security is a wonderful goal, but it will take years before we get to a stage where this is possible for every organization or system to implement. Yes, passwords are often the weakest link, but they are also among the lowest-hanging fruit in implementing better security policies.
Tabletop exercises testing an organization’s cybersecurity plan can help reveal weaknesses. And they’re also prized by state authorities investigating breaches. Cozen O’Connor attorneys Meghan Stoppel and Hannah Cornett talk about the importance of interactive simulations and share best practices that could help firms avoid harsh penalties.Read more
How can organizations tighten password security?
Organizations often think making users choose complicated and long passwords is the answer, which does hypothetically strengthen defenses, if measured virtually. However, this only encourages people to write passwords down to remember them. Similarly, text-based MFA can often fall short of strong security, as it’s, arguably, a virtual Post-It note. If you step away from your desk with your notifications open, anyone can access it.
So, how can we bridge the gap between passwords and passwordless systems? The answer is passphrases. Encouraging teams to think about passwords that are made up of three random words is a good place to start. Passphrases should consist of three random words that mean something to you and nothing to anyone else. You can further strengthen security by deliberately misspelling words or adding random special characters. If done correctly, users can keep these passphrases forever or only change them if they are ever found in a breach.
Another strategy is adopting a mindset that assumes a security breach will certainly happen and the only way to mitigate damage is by relying on security-first behavior. That means always getting the basics right — applying updates, testing backups, having a contingency plan, avoiding patterns and being security aware.
Bottom line for compliance
Organizations can keep up with compliance by implementing some form of MFA. When it comes to password-based security, there are three important factors that must be considered: a knowledge factor (something that is known to the password holder), a possession factor (like a hardware token) and biometrics (like face ID). The most secure security systems will employ at least two of these things, as each other these systems are not necessarily perfect on their own.