Don't ignore those phone alerts about passwords
Kiwis with iPhones who recently started noticing alerts notifying them that their passwords are compromised should not ignore the alerts if they want to keep their details and account information safe, says SMB cybersecurity expert Daniel Watson.
"Some are ignoring the iPhone alerts, or they are suspicious of them, but it's a good thing that Apple is doing," says Daniel. "There are many large databases of stolen credentials on the Internet, and these alerts let you know that you are compromised.
"When Apple, or any other large provider, queries a database of compromised credentials, they can alert their users. It is a warning to stop using a particular password or reset it completely – it's got nothing to do with iCloud itself."
Daniel Watson is author of the book 'She'll Be Right (Not!)' – a cybersecurity guide for Kiwi business owners. He is also managing director of Vertech IT Services.
Having witnessed the hard work and assets of many SME business owners decimated by cybercriminals, Daniel's mission is to protect the livelihoods and assets of business owners and their staff with guaranteed, but practical, cybersecurity services, education and information.
Daniel says the iPhone alerts notify you that your credentials, including passwords, are out in the world – where they are bought and sold on the dark web. Your usernames, emails and passwords are at risk of enabling more subtle cyberattacks rather than the brute force hacking attacks with which people are familiar.
"If you get a notification and you use that password – or any variations of it – you should change it immediately. If the platform or software related to the compromised password allows two-factor authentication, you should enable that as an extra layer of security."
Daniel says Kiwis tend to be lazy around passwords because they commonly use the same password, or variations of that password, across multiple sites.
"It's dangerous when you do that. I know it's a pain to have to come up with different passwords every five minutes and having to remember them, but there are password management tools that can help you with that for a relatively low annual subscription."
The Chrome web browser has a password management tool that is fine for individual users, but it's not robust enough for a company.
"Chrome is connected to Gmail, and that's usually linked to the staff member's personal account. It's messy," says Daniel.
Set password policies
Companies should specify how their software is accessed and not leave it to staff to figure out for themselves. Instead, set a policy that requires your team to use unique passwords for each application or platform.
Install a management tool
"Humans find it hard to remember passwords for a dozen websites," says Daniel. "Instead, provide tools like password management software to make compliance with your policies easy. If you do not, compliance will be low. People will use the same password over and over with minor variations. That means your business is not secure."
Have an exit strategy
Daniel says it is a common problem in New Zealand for departing staff to take their passwords and access credentials. These then remain in the system as dormant accounts and could be seen as low-hanging fruit for a disgruntled staff member.
"Make password protection a company level responsibility rather than leaving it to individuals. This makes it easy for staff to comply with security policies and enables easier exit of employees with less vulnerability later," says Daniel.
"Have an employee exit procedure, which includes prompt notification to the IT support team, especially if you have outsourced your security. Integrate your human resources and information technology processes."
Daniel says most New Zealanders have likely had passwords compromised – both personal and work-related – but it's never too late to implement good password hygiene.
"Password management tools are low cost and easy. There's no excuse."
For more information visit: https://www.linkedin.com/in/daniel-watson-smb-cybersecurity-expert-07424b12/