Why Poor Password Practices Are Financial Services Firms’ Achilles Heel
Assume employees are using weak or compromised passwords and take steps today to address password vulnerability.
Financial services leaders are well aware of today’s security risks, with the CEO of JP Morgan Chase & Co telling shareholders that cybersecurity “may very well be the biggest threat to U.S. financial systems.” Companies are investing vast amounts of money to address these threats – for example, Bank of America’s security team has an unlimited budget. However, there are critical areas that many financial services organizations overlook: password reuse and compromised passwords.
The average employee knows better than to reuse passwords across work and personal-use sites, but the human desire for convenience and efficiency will trump this knowledge every time. Case in point:
- A 2019 Google survey found that 65% of people reuse the same password for numerous or all of their accounts.
- Another study from LogMeIn discovered that 62% of employees reuse the same password for both corporate and personal accounts.
A cybercriminal can obtain a password from a data breach on one site. Then, because of password reuse, they can use that same password to access other sites and systems, including the sensitive accounts of financial services employees. This in turn can create another data breach and result in significant financial harm to an organization. Juniper Research predicted that by 2024, global organizations will face $5 trillion in breach costs, recovery fees and damages – up from approximately $3 trillion today, not to mention harder-to-measure damage to brand reputation and account holder attrition.
Unauthorized access to employee accounts can lead to data breaches, so organizations must secure employee accounts from the start, but it is unrealistic for organizations to expect employee password reuse to change on its own. Instead, organizations need to expect poor password hygiene from their users and revise password policies to mitigate this behavior.
Historically, the approach to handling compromised passwords has been to implement mandatory periodic password resets. The premise is that a compromised or weak password stays valid for less time, giving an attacker a shorter window in which to use it. This worked reasonably well in the early 2000s, when companies had a relatively small number of online accounts. Today, with so many applications in the cloud, employees often access dozens of accounts on a daily basis. Mandatory password resets frustrate employees and increase IT help desk costs because so many users struggle with the policy.
In addition to these headaches, there is little evidence that frequently changing passwords increases security. In fact, most signs point to the contrary. Because it is hard to remember a new password every 42, 60 or 90 days, users are much more likely to pick a simple password or a predictable pattern (incrementing a trailing number, for example) that can be easily guessed. For this reason, the National Institute of Standards and Technology (NIST) now recommends that organizations stop forcing periodic password resets, and instead require a change only when there is evidence the password has been compromised. Microsoft is also advising organizations to stop this practice. Because of these recommendations, many companies are now moving to password policies that don’t expire passwords.
Due to the massive amount of breach data on the internet and dark web, many people are using exposed credentials, or some easily guessed variant thereof, and most are completely unaware of this fact. Further complicating the matter, employees tend to prioritize productivity and efficiency at work over security hygiene, which typically results in the creation of relatively straightforward passwords. Some organizations require passwords that contain capital letters, numbers and special characters. However, the average employee struggles to remember complicated, distinct passwords for each online account they use and often defaults to password reuse or, at best, partial password reuse, where a root password is reused with different variations (“Summer2019” becoming “Summer2020!”, for instance). It is a trifecta of bad password hygiene:
- Using the same password on multiple sites;
- Creating common or weak passwords; and
- Leveraging the same passwords across personal and corporate accounts.
So, what can organizations do to diminish the threat of password reuse without periodic forced password changes? As NIST outlined in SP 800-63B, when organizations stop enforcing password resets, they should instead prevent users from selecting commonly used, expected or compromised passwords. As noted above, people tend to disregard the warnings against password reuse and frequently use the same one for both personal and work accounts.
As such, companies should take the first step of verifying that a password is not already compromised at the moment it is created. Checking a proposed password against a database of known, exposed credentials gives financial services firms far more accurate, real-time protection than mandatory password resets ever did. Because a reused root password is often modified only slightly, the check should cover obvious variants of the proposed password, not just its exact form.
Additionally, in today’s heightened cybersecurity environment, it is not enough to screen employee passwords only at creation. To truly protect sensitive systems and data, organizations need an automated, ongoing ability to detect when a password has become compromised. With new breaches coming to light every day, a password that was safe when it was chosen can be exposed a week later, so it is vital to check passwords against a continuously updated database rather than a static list of exposed passwords. If a password is found to be compromised, an immediate automated action should follow, such as forcing a reset at the next login or requiring step-up authentication, to secure the account.
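The two checks described above, screening at creation time and re-screening on an ongoing basis, can be sketched in code. The following is an added example, not code from the original article or from any Enzoic product. It assumes a breach index keyed by the first five hex characters of the SHA-1 hash (the k-anonymity layout, in which the client sends only the prefix and compares the suffix locally so the full hash never leaves the client), a hypothetical `normalize_root` rule for catching trivial variants of a reused root password, and a small constructed list of “breached” plaintexts standing in for a real corpus. Continuous detection is modelled by re-screening the password each time it is presented at login, after the index has grown.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample plaintexts standing in for a real breach corpus.
# DAY2 represents a dump that surfaces after the account was created.
CONSTRUCTED_BREACH_DAY1 = ["password", "Summer2019", "letmein", "Welcome1", "qwerty123"]
CONSTRUCTED_BREACH_DAY2 = ["Tr0ub4dor&3"]

# Characters people typically bolt onto a reused root password (assumption).
PADDING = "0123456789!@#$%^&*.,_-+=?"


def sha1_hex(s: str) -> str:
    """Uppercase hex SHA-1, the digest used by the k-anonymity range layout."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def normalize_root(pw: str) -> str:
    """Strip leading/trailing padding and case-fold: 'Summer2020!' -> 'summer'.
    Hypothetical rule for approximating 'root password reused with variations'."""
    return pw.strip(PADDING).lower()


class BreachIndex:
    """Server side: SHA-1 hashes of breached passwords (and of their roots),
    bucketed by 5-hex-char prefix so a client can query a whole range."""

    def __init__(self) -> None:
        self.ranges: Dict[str, Set[str]] = {}

    def add(self, plaintexts: Iterable[str]) -> None:
        for pw in plaintexts:
            for s in {pw, normalize_root(pw)}:   # index the root as well as the exact value
                if s:
                    h = sha1_hex(s)
                    self.ranges.setdefault(h[:5], set()).add(h[5:])

    def query_range(self, prefix: str) -> List[str]:
        """What the API returns for a 5-char prefix: only hash suffixes."""
        return sorted(self.ranges.get(prefix, ()))


def check_via_range_api(secret: str, fetch_range: Callable[[str], List[str]]) -> bool:
    """Client side of the k-anonymity exchange: send the prefix, compare the suffix locally."""
    h = sha1_hex(secret)
    return h[5:] in set(fetch_range(h[:5]))


def evaluate_password(pw: str, index: BreachIndex, min_length: int = 8) -> Optional[str]:
    """Creation-time screen. Returns a rejection reason, or None if the password is acceptable.
    min_length=8 follows the NIST SP 800-63B minimum for user-chosen passwords."""
    if len(pw) < min_length:
        return "too_short"
    if check_via_range_api(pw, index.query_range):
        return "breached"
    root = normalize_root(pw)
    if root and check_via_range_api(root, index.query_range):
        return "breached_root_variant"
    return None


def check_at_login(account: Dict[str, object], pw: str, index: BreachIndex) -> str:
    """Ongoing screen: re-check the presented password against the current index.
    On a hit, flag the account so the next step is a forced reset (the automated action)."""
    verdict = evaluate_password(pw, index)
    if verdict in ("breached", "breached_root_variant"):
        account["must_reset"] = True
        return "force_reset"
    return "allow"


if __name__ == "__main__":
    idx = BreachIndex()
    idx.add(CONSTRUCTED_BREACH_DAY1)
    for candidate in ["Welcome1", "Summer2020!", "Sh0rt!", "Tr0ub4dor&3"]:
        print(f"{candidate!r:16} -> {evaluate_password(candidate, idx)}")
    alice = {"user": "alice", "must_reset": False}
    print("login day 1:", check_at_login(alice, "Tr0ub4dor&3", idx))
    idx.add(CONSTRUCTED_BREACH_DAY2)   # a new dump lands; the index is refreshed
    print("login day 2:", check_at_login(alice, "Tr0ub4dor&3", idx), alice)
```

Note that the login-time re-check works because the plaintext is in hand at authentication; it avoids storing an unsalted SHA-1 of every employee password just to enable later lookups, which would itself be an offline-cracking liability.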
For financial services organizations, unauthorized access to employee accounts is a major concern. These companies can deploy countless cybersecurity solutions, but if the password layer is not secured, many of these investments will be rendered ineffective. Organizations need to assume their employees are using weak or compromised passwords and take steps today to address password vulnerability. Otherwise, they risk becoming the next financial services firm in the news due to a data breach.
Mike Wilson is Founder and CTO for Enzoic. He can be reached at 720-773-4515.