Originally posted on https://spycloud.com/is-account-takeover-an-underrated-risk/
The Recurring Nightmare…
In a recent article by Bleeping Computer, a little-known fact was brought to light: security decision makers are focused on the wrong security issues. The article refers to a Symantec study that found cloud-based data breaches and malware are the primary threats keeping security leaders up at night. While these risks exist, they aren’t the ones making up 70 percent of the cyber incidents.
What are the so-called beasts under the bed? Symantec says they are “file camouflage, account takeover, and threats spreading laterally.” Account takeover (ATO), for instance, continues to plague the enterprise, yet only 7% of survey respondents cited it as a top concern, even though Symantec found ATO accounts for 64% of cloud security incidents. This poses a serious problem for the enterprise and a massive opportunity for cyber criminals.
The Account Takeover Threat Is Real
The 2019 Verizon Breach Report backs up these findings: of the 41,686 security incidents studied, 53% involved hacking, with the use of stolen credentials being the #1 hacking tactic for the third year running, while 28% involved malware. Clearly, decision makers need to adjust their priorities.
The SpyCloud Annual Credential Exposure Report revealed the recovery of nearly four billion compromised credentials from nearly 3,000 breached sources in 2018 alone. That’s four billion usernames and passwords at risk for being sold on underground markets or immediately used by bad actors. What are they doing with these stolen credentials? Frequently, they leverage these assets to take over accounts – business accounts included.
Many organizations wrongly believe account takeover is a personal matter that doesn’t impact them. So what if an employee’s Facebook account was breached? Unfortunately, because of password reuse across multiple accounts, a compromised personal account often puts business accounts at risk as well. Once a cyber criminal discovers these credentials and PII, something they can easily do in only seconds, they can begin taking over the victim’s work accounts to access secure data.
This is why companies must shift their main focus from malware to protecting against account takeover. While data breaches set the foundation for account takeover, it’s what the cyber criminals do with their stolen data that should concern decision makers. They must take proactive steps to prevent account takeover if they want to protect their data.
BYOD Continues to Pose Challenges
The article highlights the challenges with BYOD and how corporate policies around it often put the organization at risk for ATO. When employees are allowed to bring their personal devices to work and access company data from anywhere using that device, it’s only a matter of time before cyber criminals take advantage of the opportunity.
While BYOD is a major security risk that many companies are rightfully concerned about, the WiFi networks and user passwords used on those devices and their apps should be of equal concern. With 35 percent of employees saying they store their work passwords on their personal devices, it’s easy to see why BYOD poses a serious account takeover threat to the enterprise. The Bleeping Computer article recommends companies establish “control points and strict BYOD policies that do not allow external devices that have not been sanctioned to run on the enterprise network.”
Yes, these policies are essential to protecting the enterprise, but so too are employee education initiatives that drive home the importance of using strong, unique passwords on every account (personal and business). Guidance should be provided on how to choose these passwords, and employees and their family members should be encouraged to use password managers, if the company does not outright provide one as an employee benefit. Employees must also understand the risk of accessing unsecured WiFi networks and how to protect themselves (and, therefore, the company) from a breach.
The strongest BYOD security strategy will include a policy that requires users to access company resources over encrypted connections through proprietary apps developed in-house. Only then can companies control how corporate data is accessed and prevent account takeover at the device level.
Gaining Peace of Mind
As cyber security threats and solutions continue to evolve, organizations must engage in a two-pronged strategy that addresses both the underlying risk (the data breach) and the threat that follows from it (account takeover). Data breaches need to be stopped, but no company is impenetrable forever. As such, they must address the subsequent threat of account takeover once a breach occurs, even if the breach is not their own. Remember: when employees experience a password breach on any of their accounts, if they’re reusing that password on corporate accounts, the company is now at risk.
The solution isn’t simple. It requires multiple defense strategies that ensure proper focus is placed on the right threats. A myopic view of the issue can only lead to partial security. If security leaders want peace of mind, it is imperative that they broaden their view to better match the actual risks facing their enterprise.