The One Vulnerability Cyber Thieves Are Desperate to Exploit

Cybersecurity attacks are becoming more pervasive and seemingly effortless to pull off. Cybercriminals who can execute a successful attack are seizing credit card numbers, bank account information and even Social Security numbers. A 2016 study conducted by the Ponemon Institute found that the average cost of a data breach is $4 million. You can strengthen your organization’s cybersecurity risk management plan by addressing this one vulnerability: weak passwords.

The capture or reuse of passwords, or “static credentials” as they are often referred to in the IT industry, is standard practice for organized crime groups and state-affiliated attackers alike, according to the Verizon 2016 Data Breach Investigations Report, whose list of contributors represents a “who’s who” of cybersecurity expertise worldwide, from both the private and public sectors. Likewise, passwords are used against all kinds of targets, from the largest organizations to individuals.

A common misperception is that cyber attackers have become so sophisticated that something as simple as a password is no longer effective. The tendency is to think that if federal agencies and multi-national corporations can be breached, there’s nothing individuals can do to protect themselves. This could not be further from the truth. Individuals have the most power in preventing attacks that exploit passwords, which is why a policy on passwords should be a key component of your firm or organization’s cybersecurity risk management program.

One of the ways cyber attackers breach systems is by using software that repeatedly tries combinations of letters and characters until it finds your password. Weak passwords are low-hanging fruit for a password cracker. What’s a weak password? Generally, if your password can be readily found in a dictionary—or on the Internet—it’s weak. If your password is an easy-to-remember name such as that of a child, spouse, pet, car, person, or place—it’s weak.

Adding numbers to your pet’s name might help get your password approved by system validation requirements (e.g., “Your password must contain at least one uppercase letter, one lowercase letter, and one number.”). Unfortunately, with the strength of today’s password crackers, numbers alone, particularly those in sequence like “123,” provide little added protection.

Essentially, you want to fight password-cracking technology with password-protection technology. Random password generators use randomness rather than memorable patterns to create passwords that are very hard to crack. “Wait,” you say, “I already have trouble remembering how many numbers I’ve added to my dog’s name.” Some password generators offer pronounceable passwords that, while not real words, are easier to memorize. Another option is to use an encrypted password manager on your smartphone, tablet, or computer. Because the password manager’s data is encrypted, it cannot be read even if you lose your phone.
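The points in the last three paragraphs (dictionary words and names are cheap to crack, appended digits such as “123” add little, and random or pronounceable generators produce passwords that are genuinely hard to guess) can be made concrete with a small scoring and generation script. The code below is an added example, not code from the post or from the AICPA; the tiny wordlist, the assumed wordlist size of one million entries, the scoring rules and the two generators are all constructed here for illustration.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a cracker's wordlist (real lists hold millions of
# dictionary words, names, pets, cars and places). The size below is an
# assumption used only for the cost estimate.
COMMON_WORDS = {"password", "fido", "rover", "summer", "jessica", "mustang", "boston"}
ASSUMED_WORDLIST_SIZE = 1_000_000

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
RANDOM_ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CONSONANTS = "bdfgjklmnprstvz"
VOWELS = "aeiou"


def has_sequential_digits(text: str) -> bool:
    """True for runs such as 123, 4321 or 0123, which crackers try as a rule."""
    for run in re.findall(r"\d{3,}", text):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def split_word_and_suffix(password: str):
    """'Fido123!' -> ('fido', '123!'): the dictionary core and what was appended."""
    lowered = password.lower()
    core = re.sub(r"[\d\W_]+$", "", lowered)
    return core, password[len(core):]


def alphabet_size(text: str) -> int:
    """Size of the character set a brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in text):
        size += 26
    if any(c.isupper() for c in text):
        size += 26
    if any(c.isdigit() for c in text):
        size += 10
    if any(not c.isalnum() for c in text):
        size += len(SYMBOLS)
    return size


def estimated_bits(password: str) -> float:
    """Rough log2 of the guesses a cracker needs (constructed cost model).
    A wordlist hit costs a lookup plus the appended suffix, not a random
    string of that length, which is why Fido123 scores so low."""
    core, suffix = split_word_and_suffix(password)
    if core in COMMON_WORDS:
        bits = math.log2(ASSUMED_WORDLIST_SIZE) + 1  # +1: capitalised first letter or not
        if has_sequential_digits(suffix):
            bits += 2  # a 123-style tail is one of a handful of rules, not random digits
        else:
            bits += len(suffix) * math.log2(max(alphabet_size(suffix), 2))
        return round(bits, 1)
    return round(len(password) * math.log2(max(alphabet_size(password), 2)), 1)


def weakness_reasons(password: str) -> list:
    """Plain-language reasons a password is weak; an empty list means none found."""
    reasons = []
    core, _ = split_word_and_suffix(password)
    if core in COMMON_WORDS:
        reasons.append("built on a dictionary word or common name")
    if has_sequential_digits(password):
        reasons.append("contains a sequential digit run such as 123")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if estimated_bits(password) < 40:
        reasons.append("under 40 bits of guessing work")
    return reasons


def random_password(length: int = 16) -> str:
    """Uniformly random characters from a CSPRNG: the strongest option."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def random_password_bits(length: int = 16) -> float:
    """Entropy of random_password(): every character is an independent choice."""
    return round(length * math.log2(len(RANDOM_ALPHABET)), 1)


def pronounceable_password(syllables: int = 5) -> str:
    """Consonant-vowel-consonant syllables plus two digits: not a real word,
    but sayable, in the spirit of the pronounceable generators the post mentions."""
    word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
                   for _ in range(syllables))
    return word + f"{secrets.randbelow(100):02d}"


def pronounceable_bits(syllables: int = 5) -> float:
    """Entropy from the generator's own choices. It is lower than a charset
    estimate for the same string because the CVC structure is public."""
    per_syllable = math.log2(len(CONSONANTS) ** 2 * len(VOWELS))
    return round(syllables * per_syllable + math.log2(100), 1)


if __name__ == "__main__":
    for pw in ("Fido123", "Fido2016", random_password(), pronounceable_password()):
        print(f"{pw!r}: ~{estimated_bits(pw)} bits, reasons: {weakness_reasons(pw) or 'none'}")
    print("random 16-char generator:", random_password_bits(), "bits")
    print("pronounceable 5-syllable generator:", pronounceable_bits(), "bits")
```

Running the script shows the gap the post describes: a pet name with “123” appended comes out near 23 bits under this model, because a cracker tries the wordlist entry and a few common suffix rules rather than every string of that length, while a 16-character random password from the generator carries about 103 bits and a five-syllable pronounceable one about 57 bits. The pronounceable generator also illustrates a caveat worth keeping in mind when judging any password: a character-set estimate over the finished string overstates its strength, and the honest number is the entropy of the choices the generator actually made.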

With cybersecurity threats on the rise, there is demonstrable need for both large and small organizations to have comprehensive cybersecurity risk management programs in place, and to assess and report on them using standardized tools such as the recently released AICPA Cybersecurity Risk Management Reporting Framework.

The AICPA’s Private Companies Practice Section (PCPS) recently released the Building a Cybersecurity Practice Toolkit. It discusses services CPAs can provide to help clients apply the Cybersecurity Risk Management Reporting Framework, as well as other available IT frameworks, to their systems, and how CPAs can implement those frameworks within their own firms’ systems.

Want to learn more about opportunities for CPAs in the cybersecurity space? Join us live from AICPA ENGAGE on Facebook Live Tuesday, June 13, at 2pm ET. Chris Halterman, Executive Director, Advisory Services at Ernst & Young will share his insights.

For more information on cybersecurity, visit the AICPA Cybersecurity Resource Center.

Kari L. Hipsak, CPA, CGMA, Manager – Firm Services, Association of International Certified Professional Accountants

Source: AICPA