Don’t Let Persistent Password Reuse Be the Death Knell for Your Business  

By Michael Greene

SMBs have become a prime target for hackers and companies are investing significant sums to protect their sensitive data. According to a recent survey, 89% of SMBs see cybersecurity as the chief or a top-five priority in their organization. 79% plan to invest more in this area within the next year. According to insurance carrier Hiscox, the severe consequences of cyberattacks are growing with digital incidents now costing all businesses $200,000 on average. In this race to address existing vulnerabilities and protect against emerging threats, there is a simple, yet critical area that is often overlooked: password reuse and the sharing of passwords between personal and work accounts.

It’s a security necessity to encourage employees to create strong, unique username and password pairs for each online account. In reality, however, employees generally prioritize productivity over security hygiene and also struggle to remember complicated, distinct passwords. As a result, most users create relatively simple passwords and reuse these credentials across multiple accounts—both personal and professional. According to Google’s research, 65% of people reuse the same password for all or most of their accounts, with another study finding that 62% of employees use the same password for their personal and work accounts.

In this environment, a cybercriminal can simply obtain a password from a breach on one site and then use the password to access other sites and systems—including those containing your most sensitive business information. With new breach data becoming available on the Internet and Dark Web constantly, compromised credentials also have a long tail effect. According to research from Virginia Tech University, 70% of users employed a compromised password for other accounts up to a year after it was initially leaked, with 40% reusing passwords that were leaked over three years ago.

SMBs are often at a disadvantage when it comes to spotting account compromise because they may not have the staffing and budgeting in place for robust security monitoring. Unlike larger organizations, many small businesses don’t have numerous security protocols and policies in place to protect their data. In addition, breaches at larger institutions are more likely to be uncovered externally, either because these companies employ breach detection tools or because word of a large breach or leak spreads faster from the hacker community to the general public and media.

The implications of being unaware of breach activity are significant. Evidence shows that companies are often repeatedly breached over the course of months or, sometimes, years—presumably because they were oblivious to the first breach and the vulnerability remained for hackers to continue to exploit. The common thread for a lot of these breaches is passwords. According to the Verizon Data Breach Incident Report, compromised passwords are responsible for 81% of hacking-related breaches.

As such, it’s critical that SMBs take action to ensure password security. Part of this is recognizing that employees will likely continue to create relatively straightforward (weak) passwords and share them across work and personal sites.

Screening for compromised passwords at login allows SMBs to abandon the uphill battle against poor security hygiene. By checking proposed passwords against a database of known, exposed passwords, companies can ensure real-time account protection without hindering productivity or placing an undue password complexity burden on users.

With breaches occurring on a near real-time basis, it’s not enough to just check for compromise at a password’s creation—SMBs must have an automated, ongoing ability to assess password security every day. Automation of this function reduces the drag on limited IT staff or MSPs. Screening for compromised or unsafe passwords will eliminate the pervasive threat of password reuse from old breaches, as evidenced in the Virginia Tech report.
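The two checks described above (at password creation and again at every login), as an added Python illustration that is not Enzoic’s product or code: the client hashes the candidate password locally, sends only a 5-character hash prefix to the breach database, and compares the returned suffixes locally, the k-anonymity range query used by public compromised-password services. The breach corpus, its contents and the function names are constructed for this example.

```python
import hashlib
from typing import Dict, Iterable, List, Set

def sha1_hex(password: str) -> str:
    """Fast hash used only for the breach lookup, never for storing credentials."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class BreachCorpus:
    """Server side: leaked hashes bucketed by their first 5 hex characters."""
    def __init__(self, leaked_hashes: Iterable[str]):
        self._buckets: Dict[str, Set[str]] = {}
        self.add_leaked(leaked_hashes)

    def add_leaked(self, leaked_hashes: Iterable[str]) -> None:
        # New dumps are folded in over time; lookups reflect them immediately.
        for h in leaked_hashes:
            h = h.upper()
            self._buckets.setdefault(h[:5], set()).add(h[5:])

    def suffixes_for_prefix(self, prefix: str) -> List[str]:
        # Only the 5-char prefix leaves the client, so the server learns
        # neither the password nor its full hash (k-anonymity range query).
        if len(prefix) != 5:
            raise ValueError("prefix must be exactly 5 hex characters")
        return sorted(self._buckets.get(prefix.upper(), set()))

def is_compromised(password: str, corpus: BreachCorpus) -> bool:
    """Client side: hash locally, fetch the bucket, compare the suffix locally."""
    full = sha1_hex(password)
    return full[5:] in corpus.suffixes_for_prefix(full[:5])

def screen_at_creation(password: str, corpus: BreachCorpus) -> str:
    """Gate on new or changed passwords: refuse anything already in a dump."""
    return "reject" if is_compromised(password, corpus) else "accept"

def screen_at_login(password: str, corpus: BreachCorpus) -> str:
    """Ongoing check: the plaintext is available at each successful login, so a
    password that was clean at creation but has leaked since is caught here."""
    return "reset_required" if is_compromised(password, corpus) else "ok"

# Constructed sample corpus standing in for a real breach database.
LEAKED_SAMPLE = [sha1_hex(p) for p in ("password", "123456", "qwerty", "Summer2019!")]
CORPUS = BreachCorpus(LEAKED_SAMPLE)

if __name__ == "__main__":
    print(screen_at_creation("password", CORPUS))                   # reject
    print(screen_at_login("correct horse battery staple", CORPUS))  # ok
    CORPUS.add_leaked([sha1_hex("correct horse battery staple")])   # a later dump
    print(screen_at_login("correct horse battery staple", CORPUS))  # reset_required
```

SHA-1 here serves only the lookup; stored credentials still belong behind a slow, salted hash, and the at-login check exists precisely so that no fast hash of the password needs to be kept at rest for rescreening.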

SMBs can invest in countless cybersecurity solutions but, if employees continue to use weak or compromised credentials, these companies will continue to fall prey to attacks. Ramifications from data breaches include financial repercussions, loss of customer loyalty and damaged business and partner relationships. For many SMBs, this pressure is too much to withstand—one study found that 60% of small businesses fold within six months of suffering a breach.

As such, it’s imperative that SMBs are aware of the inherent vulnerabilities and persistent practice of password reuse and take steps to address them today.

Michael Greene is the CEO of Enzoic.
