Most of us have access to the internet in some form or another, and we use it not only for information but for day-to-day life.
Organisations across the world thrive online, and an online presence is becoming essential in all areas of business. With the number of people around the world using the internet growing to 4.54 billion in 2020, more protection is needed to safeguard the customer data held in online web-portals.
In this blog, you will learn about web-based portals, how attackers get into them using an attack vector called “brute-forcing,” and how to use them safely to protect your customer data.
Seismic digital change is happening
Businesses across the world are finding ways of moving their products online for the obvious benefits of broadening their reach and brand presence. Books are struggling to sell in favour of lower-cost digital versions, and houses are selling online through firms like Purple Bricks, so the estate agent industry is having to adapt.
Although digital progress is great for many businesses and makes us more efficient, the focus on cybersecurity needs to be strengthened to prevent businesses from falling victim to data loss and network breaches.
Your current method
Most online portals simply require the “user” to register with a username and password; the service is then fully available. Staff create online accounts using their credentials, then they navigate the system, upload corporate data, or link in external applications such as CRMs.
The security of that system, and how it handles the data it will hold, was not part of the decision-making process at registration. This raises many concerns under the GDPR (General Data Protection Regulation).
Once employees have finished their shift, they go home. They may have entered your customer’s full name, postal address and date of birth into your new online web-portal, and the only thing protecting this is an email address and a password that has been used across 1000 online accounts, because remembering a unique password for every online account is impossible to manage.
Now, what if?
What if, that night, the website your employee entered the customer data into was compromised? Over 50% of businesses have reported an attempted attack on their systems in 2019. It is not as uncommon as you would think.
And what happens to your business?
You would have to notify your customers that you had lost their data. How would that affect your reputation and revenue, and how much would you lose? In our earlier blog, “What is The Real Cost of a Data Breach”, we found that “29% of businesses that face a data breach end up losing revenue. Of those that lost revenue, 38% experienced a loss of 20% revenue or more.”
It is time to investigate.
You would begin an investigation into how this happened. You find out that the person setting up that account had used their usual password, but their usual password is “safe” because it has a capital letter and a special character, so it cannot be them... Can it?
But how did they do it?
As quickly as technology is evolving for the benefit of businesses across the world, it is also evolving for cybercriminals to compromise your data.
Cybercriminals have many tools at their disposal. One common tactic used by cybercriminals is called a brute-force attack. With one click of a mouse, their tooling will try every possible combination of keyboard characters against your web-portal login until one matches and it gains access. With the literal click of a button, an attacker has your company data.
How do I prevent this from happening to me?
Luckily, there are many things you can do to prevent this from occurring.
- Place more emphasis on teaching employees to consider how a web-portal processes and stores their data.
- Do they encrypt my data end-to-end?
- Do they have provisions in place to prevent failed login attempts?
- If you can use up to 15 characters, adopt the NCSC (National Cyber Security Centre) guidelines of “ThreeRandomWords” to generate a unique password.
Tip: If you utilise a secure password manager (LastPass, Keeper, etc.), generate longer passwords. The longer the password, the longer it would take to crack.
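As an added illustration of the “provisions to prevent failed login attempts” point above (example code written for this post, not taken from any product): a small Python login guard that reads constructed authentication log lines and locks an account after three failures inside a ten-minute window, so a brute-force run stalls after a handful of guesses and raises an alert for the operations team. The log format, thresholds, usernames and addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # failures tolerated inside WINDOW before locking
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=15)  # how long the account then stays locked

# Constructed sample log (assumed format): three rapid failures against "alice"
# from one address, then her genuine login, then another user, then alice later.
SAMPLE_LOG = """\
2020-03-01T22:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2020-03-01T22:00:02Z LOGIN_FAILED user=alice src=203.0.113.5
2020-03-01T22:00:03Z LOGIN_FAILED user=alice src=203.0.113.5
2020-03-01T22:00:04Z LOGIN_OK user=alice src=203.0.113.5
2020-03-01T22:01:00Z LOGIN_OK user=bob src=198.51.100.7
2020-03-01T22:20:00Z LOGIN_OK user=alice src=198.51.100.7
"""

def parse_line(line):
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, kv["user"], kv["src"]

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> when the lockout expires
        self.alerts = []                    # (time, user, src) for each lockout raised

    def attempt(self, ts, event, user, src):
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"              # even a correct password is refused while locked
        if event == "LOGIN_OK":
            self.failures[user].clear()  # a genuine login resets the counter
            return "ok"
        recent = self.failures[user]
        recent.append(ts)
        while ts - recent[0] > WINDOW:   # drop failures that fell out of the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            self.alerts.append((ts, user, src))
            recent.clear()
            return "locked"
        return "failed"

def run(log_text):
    guard = LoginGuard()
    verdicts = [guard.attempt(*parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return verdicts, guard.alerts
```

Each alert carries the source address, which is the line a SOC would correlate across accounts to spot a password-spraying run that stays under the per-account threshold.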
The Champion of Password Protection
Increasingly, online portals are now offering multifactor authentication (otherwise known as MFA, or 2FA, Two-Factor Authentication).
MFA supplies a one-time passcode (OTP) for every login that changes every 60 seconds. This means that if a password and email address are compromised, the cybercriminal still would not be able to get access to your systems. The best thing about these apps is that they are FREE, and they are simple to use.
Google Authenticator or Microsoft Authenticator are widely used throughout the corporate world to secure web-portals.
From an operational control perspective, passwords and logins can be governed by policy and a software register. If a staff member were to leave, you can refer to this register to remove their accounts.