You probably use hundreds of different applications and programs to carry out everyday tasks. Each one of these applications presents some level of risk to your network security, and as a result every employee is required to set secure passwords to verify their access to them, from logging on to their computers to opening their email accounts.

However, even secure passwords are no longer considered best practice for network security. In 2019, Alex Weinert, the Director of Identity Security at Microsoft, announced that pa$$words don’t matter, and advised that access to all systems should be backed up by a form of multi factor authentication (MFA). He argued that accounts using multi factor authentication as well as passwords are 99.9% less likely to be compromised. He has since moved the MFA agenda forward again by saying that while any form of MFA is better than no MFA, SMS and voice call based MFA should be avoided at all costs.

Why secure passwords don’t matter for network security

Secure passwords have long been accepted as the standard form of protection for all online accounts, and an integral part of all network security practices. However, they can be easily compromised, usually by some form of human error, whether from within an organisation or outside of it.

Hackers have endless tools at their disposal to discover passwords, but often users make it easy for them to obtain and use them. Just some of the insecure password practices in circulation include:

  • Not changing the default password on systems and applications
  • Setting very simple passwords such as ‘password’ or ‘123456’ (don’t believe us – check this out!)
  • Reusing passwords across different accounts
  • Keeping the same password for months or even years without changing it
  • Writing down passwords on pieces of paper

All of these and more allow hackers to easily break into accounts.

Multi factor authentication – the present and future of network security

In response to these insecurities, many companies use multi factor authentication to verify user accounts and protect their network security. Multi factor authentication (also known as two-step verification) requires a second form of identification, usually in the form of a temporary code. One of the greatest benefits of multi factor authentication is that it is an accessible and inexpensive way to bump up user account security. But not all forms of MFA are created equal. 

The most commonly used forms of multi factor authentication are SMS or phone calls over the mobile phone network. This is an easy way to get MFA buy-in, but it is also the most insecure format of multi factor authentication. SMS and voice calls rely on mobile phone networks for delivery to users. These networks are not encrypted, making it possible to intercept the messages en route. In addition, if mobile network coverage is patchy, the messages may never arrive at all. This form of authentication can also be compromised by attacks on the public switched telephone networks and their staff, which give malicious actors access to the channels.

The alternative to phone based multi factor authentication is to use purpose-built app-based authenticators. These authenticator apps are encrypted, meaning that even if they are compromised, the attacker will not be able to access the code. Authenticator apps generate codes on the device only, limiting the chances of them being compromised. And because they are mobile phone based, they can also require biometrics before they can be opened in the first place. In short, they increase user security immensely.
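How a code can be generated on the device and checked by the server without anything travelling over SMS or a voice call, as an added example that is not from the original article. It assumes the authenticator app implements TOTP (RFC 6238), which the article does not name; the function names are illustrative and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: an HOTP (RFC 4226) value over the elapsed time steps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_step: int = -1, drift: int = 1, step: int = 30):
    """Server side: return the matching time step, or None.

    Accepts +/- `drift` steps of clock skew and refuses any step at or
    before `last_used_step`, so an observed code cannot be replayed.
    """
    now_step = unix_time // step
    for candidate in range(now_step - drift, now_step + drift + 1):
        if candidate <= last_used_step:
            continue
        expected = totp(secret, candidate * step, step, len(submitted))
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return candidate
    return None

if __name__ == "__main__":
    shared_secret = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    code = totp(shared_secret, 59)           # what the app would display
    print("device shows:", code)
    print("accepted at step:", verify(shared_secret, code, 59))
    print("replay result:", verify(shared_secret, code, 59, last_used_step=1))
```

The only value shared in advance is the secret set up at enrolment; each code is derived locally from that secret and the clock, so there is no message in transit to intercept.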

Other forms of multi-factor authentication can include biometrics such as requiring a fingerprint scan in order to open an app or turn on a computer.

Maximising your network security

Ensuring your network is properly secured requires a combination of a strong password policy, clear access control policies (including multi factor authentication), and a comprehensive network security policy incorporating good technological controls to reduce reliance on individual users setting passwords in order to secure networks.

Utilise technology to protect your network security:

Implement perimeter and event monitoring that will detect and alert for unusual behaviour, including multiple attempts to enter a password, log in attempts from unexpected locations, and alerts when MFA is incorrect. Once detected, systems can be disconnected to prevent the attack from escalating or being successful.
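The three alert conditions named above (repeated password attempts, log-ins from unexpected locations, incorrect MFA), as an added example that is not from the original article. The event format, the thresholds, the per-user country baseline and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (time in seconds, user, event type, source country).
EVENTS = [
    (0,   "alice", "password_fail", "GB"),
    (20,  "alice", "password_fail", "GB"),
    (40,  "alice", "password_fail", "GB"),
    (60,  "alice", "password_ok",   "GB"),
    (65,  "alice", "mfa_fail",      "GB"),
    (300, "bob",   "password_ok",   "BR"),
    (305, "bob",   "mfa_ok",        "BR"),
    (900, "alice", "password_fail", "GB"),
]
# Assumed baseline of where each user normally signs in from.
EXPECTED_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}}

def detect(events, expected, max_fails=3, window=300):
    """Return (time, user, reason) alerts for the three conditions."""
    alerts = []
    recent_fails = defaultdict(deque)  # per-user sliding window of failures
    for ts, user, kind, country in sorted(events):
        if kind == "password_fail":
            fails = recent_fails[user]
            fails.append(ts)
            while ts - fails[0] > window:  # drop failures older than window
                fails.popleft()
            if len(fails) == max_fails:    # alert once as threshold is reached
                alerts.append((ts, user, "repeated_password_failures"))
        elif kind == "mfa_fail":
            alerts.append((ts, user, "mfa_failure"))
        elif kind == "password_ok" and country not in expected.get(user, set()):
            alerts.append((ts, user, "login_from_unexpected_location"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, EXPECTED_COUNTRIES):
        print(alert)
```

The single failure at 900 seconds raises nothing because the earlier failures have aged out of the window, which keeps an occasional mistyped password from generating noise.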

Create strong access control policies

The more people who have access to a system, the higher the risk of compromise. An access control policy will ensure that guidelines are set for who accesses which systems, and also for ensuring that the accounts of employees who have left the organisation are closed to avoid them being compromised.

The principle of least privilege should be utilised to identify the systems that each individual needs to access in order to do their job, and only give them access to those systems.

Encourage secure passwords to improve protection against attack. The elements of a strong password policy include requiring users to change from default passwords, encouraging them to update their passwords regularly (although not too often), providing information and advice about how to set secure passwords, banning simple passwords and more. And of course, implementing multi factor authentication.

Use other forms of authentication including biometric authentication using fingerprint, voice, or face recognition. These are stored on devices, making them impossible to crack.

Whatever you do, ensure that your network security is not compromised by human error alone, because at the end of the day, your pa$$word doesn’t matter.

Stay safe