Is it time to ditch passwords altogether?

Cybersecurity is a priority for businesses and national infrastructure alike. The current invasion of Ukraine has many observers pointing to a potential wave of cyber-attacks as Russia seeks to punish the West using non-military means. Indeed, even President Biden was recently moved to issue a statement regarding his nation’s cybersecurity. Biden’s words were prompted by evolving intelligence that the Russian Government is indeed exploring options for cyberattacks against its perceived enemies.

The threat from Russia notwithstanding, never has it been more important for businesses to bolster their defences against cyber-attacks of any description.

In the UK, the Information Commissioner’s Office (ICO) takes a very dim view over companies who are ‘easily’ hacked. In one recent ruling, whilst accepting that the primary culpability rested with the attacker, a judge ruled that the legal firm in question had an exploitable weakness and was ultimately in charge of personal data. Specifically, the ICO noted that this firm had not used multi-factor authentication for remote access to its systems – even though this has been recommended since 2018. Apart from the fine that was issued for this breach, reputational damage must also be considered.

In the face of such multi-factor authentication advice, what part should passwords be playing in your organisation’s cybersecurity strategy?

In many cases, cybercriminals get their hands on passwords by means of some sort of phishing attack. Another approach is to pilfer credentials from an inadequately protected site and try them on another site in the hope that some may have been reused. Not having passwords then (in the traditional sense) would seem to make sense.

For the majority of businesses, managing passwords is a big headache and costly to boot. We have seen that passwords can be easily exploited by criminals so it seems logical you should investigate passwordless authentication. There are a number of advantages to living in a passwordless environment. Your people will enjoy a better user experience (no faffing about with forgotten passwords), easier management for the IT department, bolstered security, and less downtime time for workers – imagine the cost implications where a key fee earner is unable to access resources because of a forgotten password – time is money.

And a key driver to find a potential solution for many firms has been the uptake of mobile/smart devices. With more and more people relying on their mobile devices to get ‘work’ done, especially over the last couple of years due to working from home (WFH) and remote working practices, organisations have had to face fresh technology challenges. Under these conditions, asking your people to enter numerous passwords using a mobile device can be demanding and offer weak spots of entry to hackers.

And, worryingly, last year saw a massive surge in malware attacks against both individuals and organisations according to this report. What some are now referring to as the ‘COVID bounce’, meant that whilst 2020 was relatively quiet on the cyberattack front, 2021 saw year-over-year malware detections jumping by 77% – with business-focused threats rising by 143%. Mobile malware is becoming an increasingly everyday threat to firms of all shapes and sizes. Research indicates that the cybercriminal fraternity are increasingly expanding their tooling to target mobile devices.

Ransomware is a very real threat with attacks on the rise. The term is often used interchangeably with malware although security experts tend to view ransomware as a subset of malware. Those behind ransomware attacks are keen to target organisations that tend to hold/store very sensitive or classified data. Once attackers have gained full control of your organisation’s systems, ransomware will then restrict access to all your sensitive and confidential client information until you pay a ransom. If you have been hit by a ransomware attack you will usually wake up to a locked computer screen or realise that some, or all, of your files have been encrypted. There will usually be a demand from the ‘kidnappers’ of your data for a sum of money in exchange for a ‘key’ that will unlock your system and open your files. It is difficult to estimate how badly businesses are affected by ransomware attacks because many will happily pay a ransom to avoid any negative publicity glare – attackers are fully aware of this. And ransomware can strike via any device. They will happily restrict access to your desktop PCs, to any smartphones used by your people and even tablets.

With people needing to reach key resources from outside of the traditional network perimeters of yesterday, many of today’s smart devices have as much access to your organisation’s information as traditional endpoints. With remote working (even partially) becoming a reality for most now, it is a good time to evaluate your approach to mobile. The reliance on mobile devices continues to grow, usually with people using their own devices (or using personally enabled devices) to get their work done. And because most of these phones are not managed devices, the risk to your business is very real indeed.

So how can you best approach these new working conditions? A step in the right direction would be to consider adopting a ‘zero trust’ approach. Under these conditions, security is all about eliminating implicit trust – trust nobody (until you should). Zero trust empowers you to provide conditional access to sensitive data/information – as a result you only let the right person have access to the right information at the right time – no blanket access for all.

Password hacking is how most security breaches happen. They are certainly a weak point in computer systems and cyber-criminals regard them as soft targets. Weak or stolen credentials highlight the need for your business to rely on more than just passwords to secure your accounts, your inboxes and all your sensitive client information. Don’t give the ICO a reason to come knocking.