Should your firm ditch passwords altogether?

Cybersecurity is a priority for businesses and national infrastructure alike. The current invasion of Ukraine has many observers pointing to a potential wave of cyber attacks as Russia seeks to punish the West using non-military means. Indeed, even President Biden was recently moved to issue a statement regarding his nation’s cybersecurity. Biden’s words were prompted by evolving intelligence that the Russian Government is indeed exploring options for cyberattacks against its perceived enemies.

The threat from Russia notwithstanding, never has it been more important for the legal sector to bolster its defences against cyber attacks of any description. In the UK, the Information Commissioner’s Office (ICO) takes a very dim view over firms who are ‘easily’ hacked. In one recent ruling, whilst accepting that the primary culpability rested with the attacker. The firm in question had an exploitable weakness and was ultimately in charge of personal data. Specifically, the ICO noted that this firm had not used multi-factor authentication for remote access to its systems – even though this has been recommended since 2018. Apart from the fine that was issued for this breach, reputational damage must also be considered.

In the face of such multi-factor authentication advice, what part should passwords be playing in your firm’s cybersecurity strategy?

In many cases, cybercriminals get their hands on passwords by means of some sort of phishing attack. Another approach is to pilfer credentials from an inadequately protected site and try them on another site in the hope that some may have been reused. Not having passwords then (in the traditional sense) would seem to make sense.

For most firms, managing passwords is a big headache and costly to boot. We have seen that passwords can be easily exploited by criminals so it seems logical that firms should investigate passwordless authentication. There are a number of advantages to living in a passwordless environment. Your people will enjoy a better user experience (no faffing about with forgotten passwords), easier management for the IT department, bolstered security and less downtime time for workers – imagine the cost implications where a key fee earner is unable to access resources because of a forgotten password – time is money!

And a key driver to find a potential solution for many firms has been the uptake of mobile/smart devices. With more and more people relying on their mobile devices to get ‘work’ done, especially over the last couple of years due to working from home (WFH) and remote working practices, firms have had to face fresh technology challenges. Under these conditions, asking your people to enter numerous passwords using a mobile device can be demanding and offer weak spots of entry to hackers.

And, worryingly, last year saw a massive surge in malware attacks against both individuals and organisations according to this report. What some are now referring to as the ‘COVID bounce’, meant that whilst 2020 was relatively quiet on the cyberattack front, 2021 saw year-over-year malware detections jumping by 77% – with business-focused threats rising by 143%. Mobile malware is becoming an increasingly everyday threat to firms of all shapes and sizes. Research indicates that the cybercriminal fraternity are increasingly expanding their tooling to target mobile devices.

With people needing to reach key resources from outside of the traditional network perimeters of yesterday, many of today’s smart devices have as much access to your firm’s information as traditional endpoints. With remote working (even partially) becoming a reality for most firms now, it is a good time to evaluate your approach to mobile. The reliance on mobile devices continues to grow, usually with people using their own devices (or using personally enabled devices) to get their work done. And because most of these phones are not managed devices, the risk to your firm is very real indeed.

How can your firm best approach these new working conditions? A step in the right direction would be to consider adopting a ‘zero trust’ approach. Under these conditions, security is all about eliminating implicit trust – trust nobody (until you should). Zero trust empowers your firm to provide conditional access to sensitive data/information – as a result you only let the right person have access to the right information at the right time – no blanket access for all.

Password hacking is how most security breaches happen. They are certainly a weak point in computer systems and cyber-criminals regard them as soft targets. Weak or stolen credentials highlight the need for your firm to rely on more than just passwords to secure your accounts, your inboxes and all your sensitive client information. Don’t give the ICO a reason to come knocking.