They’re everywhere. It seems you nearly need one to go to the bathroom these days. Unfortunately though, they’re Essential. No, essential isn’t strong enough. They’re absolutely CRITICAL!
As you undoubtedly already know, these pesky passwords are quite literally the keys to the kingdom. You work with them, you bank with them, you store your online documents with them, you reveal your personal life on social media with them, you shop with them. In short you secure your whole digital world with them.
However, we still deal daily with people who don’t seem to get what would happen if someone were to obtain the keys to their kingdom. If you re-use passwords at multiple sites (and we know none of you ever would 😉 ), it is trivial for someone to take the passwords leaked in a breach at one of those sites and use a technique known as Credential Stuffing to compromise your other accounts. Once they have access to those, it all starts to unravel very quickly.
And let’s assume for the moment that you truly don’t have anything important in your email or online documents (extremely unlikely, but for the sake of argument…). Other people still trust you. When you send an email to anyone you know, they assume that they can trust its contents. However, if your account has been compromised, all bets are off. But your recipients may not know this. We see this happen A LOT!!!
For the sake of brevity, please believe me when I say that ALL your online and computer passwords are critical. When they fall into the wrong hands, bad stuff follows. Incidentally, if you want to know whether your passwords are already compromised (pretty good chance they are) head on over to Troy Hunt’s excellent Have I Been Pwned (no, that is not a typo) site to test your email addresses and passwords.
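As an added illustration (my code, not part of the original post), here is how the Pwned Passwords lookup behind Have I Been Pwned can be done without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned suffixes locally. The HTTP call is replaced by a stub that returns a constructed response so the code runs offline; apart from the hash of the word “password” itself, the suffixes and counts in that response are made up.

```python
import hashlib

# Constructed stand-in for the body returned by
# https://api.pwnedpasswords.com/range/5BAA6 (each line: "<suffix>:<count>").
# The first suffix is the real tail of SHA-1("password"); the other lines and
# all counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that goes over the wire and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix):
    """Stub for the HTTP GET of the range endpoint, so this runs without network."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def pwned_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in the data set (0 = not seen).
    Only the 5-character prefix is ever handed to fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Ferrari desired-moolah,mi55ing"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in the sample set"
        print(f"{candidate!r}: {verdict}")
```

To use it against the live service, replace `fetch_range_offline` with a function that performs the GET and returns the response body; the password and its full hash still never leave the machine.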
So here’s what to do…
If you follow this advice, your digital world will be a lot more secure than it probably is now.
- Never reuse the same username/password combination on more than one site.
- So that means every site needs a different username/password combination. Every Single One! This is the most important thing to do.
- Obviously this means you can’t remember them all. So don’t! Use a password manager. We use LastPass, but 1Password and Dashlane are also excellent. At the very worst, write them in a book. LastPass has a free option that is pretty good if you just want it for home.
- A good password is hard to remember: more than 16 characters, mixing upper and lower case letters, numbers and symbols. (So use a password manager!)
- If you must remember the password (very frequent use, etc.), use a few disparate words strung together (e.g. “Ferrari desired-moolah,mi55ing”, and please don’t use this one). Just something that you’ll remember, but that would be hard to determine from knowing something about you.
- Use 2FA/MFA anywhere you can. This is a second factor: something you have. A biometric feature, hardware token, authenticator app, your location, a text to your mobile, etc.
- Don’t share your password with anyone.
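To put numbers on the “few disparate words” advice above, here is an added example (my code, not from the original post) that draws words from a word list with the operating system’s CSPRNG and reports the entropy the result carries. The sixteen-word list is constructed for the demo; the 7,776 figure is the size of the EFF long word list, the kind of list a real generator would load.

```python
import math
import secrets

# Constructed demo word list. A real generator would load a large list such as
# the EFF long list (7,776 words); this one only shows the mechanics.
DEMO_WORDS = [
    "anchor", "velvet", "cobalt", "lantern", "quartz", "meadow", "saddle", "ember",
    "tundra", "harbor", "pixel", "orchid", "glacier", "walnut", "falcon", "mortar",
]
EFF_LONG_LIST_SIZE = 7776


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of word_count words drawn uniformly, with replacement, from a list
    of wordlist_size words: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest number of words from this list that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, word_count=4, separator="-"):
    """Join word_count words chosen with secrets.choice (the OS CSPRNG).
    random.choice is not suitable for anything secret."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDS, 4)
    print(f"demo passphrase: {phrase} ({len(phrase)} chars, "
          f"{passphrase_entropy_bits(len(DEMO_WORDS), 4):.1f} bits)")
    for n in (4, 5, 6):
        print(f"{n} words from a {EFF_LONG_LIST_SIZE}-word list: "
              f"{passphrase_entropy_bits(EFF_LONG_LIST_SIZE, n):.1f} bits")
    print(f"words needed for 64 bits: {words_needed(EFF_LONG_LIST_SIZE, 64)}")
```

The point the numbers make: the strength comes from how many words there are to choose from and how many you chain, not from how clever the words look, which is why a list you pick the words from yourself (the names of your cars and pets) scores far lower than the formula suggests.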
And there you have it. Simple! Well maybe not simple, but free and achievable. And please persist with the password manager. They’re a pain for the first month, while you load them up with all your info. Then you’ll wonder how you survived without one.
TL;DR (Admins section)
However this only makes your passwords more secure. It does not secure your email system. If you are a business it is also critical to protect your email systems. Most people in business tend to use one of the following…
- Microsoft Exchange Online
- Microsoft Exchange On Premise
- Gmail (GSuite for Business)
- A “free” account that came with their website, or outlook.com or similar.
- Remember if you don’t pay for the product, you are the product, so free is never free. In fact it is usually the most costly in the long run.
Not one of these common business options (which account for over 90% of business email throughout the world) comes secure as standard. When these companies build these apps they build them easy to access and simple. They don’t build them secure. They do this purely so you will adopt them. All of them require extensive alteration to make them more secure.
There’s not enough space here to go through how to effectively secure every type of email system, so let’s just give some generalisations:
- DNS: Secure your DNS. SPF, DKIM, DMARC and DNSSEC are all tools you have at your disposal for DNS protection. Use the ones most appropriate for your business.
- Link Scanners/Sanitisers: Put one on your system for added security. Put it on the Mail Exchanger; on the endpoint it is not nearly as effective.
- Attachment Scanners/Sanitisers: As above.
- Multi Factor Authentication (MFA/2FA). Use it!
  - Biometrics are best IMHO
  - U2F style tokens are a close second (Yubikey etc)
  - Software tokens (authenticator apps) are next
  - SMS code is okay, but still way better than no MFA
  - Location based is also way better than nothing.
- Turn off protocols that are not needed. e.g. O365 rarely needs POP3, IMAP, EWS etc. enabled, but they’re on by default.
- Alerting: Have your system send alerts if anomalies happen.
  - Privilege escalation
  - Forwarding rules added
  - Delegation changes
  - Logins from multiple locations
  - Logins from unusual locations
  - TOR access
  - Change in protocol availability
- Regular auditing of the system for security issues.
- You will have noticed by now that if your system doesn’t support these features (very few free ones do) it may be time for a new Mail Exchanger system.
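The alerting list above says what to watch for; here is an added example (my code, not from the original post) of those rules run over a handful of constructed mailbox audit events. The event fields and the per-user baseline of expected countries are this example’s own, not the schema of any particular mail platform (the action names mirror Exchange cmdlet names, but the records are not real log output), and the `tor_exit` flag assumes an earlier enrichment step has already tagged known Tor exit addresses.

```python
from datetime import datetime, timedelta

# Constructed audit events. Field names are this example's own; the action
# names mirror Exchange cmdlets but the records are not real log output.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "action": "Login", "country": "AU", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:05:00", "user": "alice", "action": "Login", "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T08:06:00", "user": "alice", "action": "New-InboxRule",
     "detail": "ForwardTo=someone@external.example", "country": "NG"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "action": "Login", "country": "AU", "ip": "203.0.113.11"},
    {"ts": "2024-05-01T09:30:00", "user": "bob", "action": "Add-RoleGroupMember",
     "detail": "Organization Management", "country": "AU"},
    {"ts": "2024-05-01T09:35:00", "user": "bob", "action": "Set-CASMailbox",
     "detail": "PopEnabled=True", "country": "AU"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "action": "Login", "country": "AU",
     "ip": "203.0.113.12", "tor_exit": True},
]

# Constructed baseline: the countries each user normally signs in from.
BASELINE_COUNTRIES = {"alice": {"AU"}, "bob": {"AU"}, "carol": {"AU"}}

FORWARDING_ACTIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
PRIVILEGE_ACTIONS = {"Add-RoleGroupMember", "Add-MailboxPermission"}
PROTOCOL_ACTIONS = {"Set-CASMailbox"}


def detect_anomalies(events, baseline, window=timedelta(hours=1)):
    """Run the alerting rules over events (any order) and return (user, rule, detail) tuples."""
    alerts = []
    logins = {}  # user -> list of (timestamp, country) already seen
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, action, detail = ev["user"], ev["action"], ev.get("detail", "")
        if action in FORWARDING_ACTIONS and "forward" in detail.lower():
            alerts.append((user, "forwarding-rule-added", detail))
        if action in PRIVILEGE_ACTIONS:
            alerts.append((user, "privilege-escalation", detail))
        if action in PROTOCOL_ACTIONS:
            alerts.append((user, "protocol-change", detail))
        if ev.get("tor_exit"):
            alerts.append((user, "tor-access", ev.get("ip", "")))
        if action == "Login":
            country = ev["country"]
            if country not in baseline.get(user, set()):
                alerts.append((user, "unusual-location", country))
            # other countries this user logged in from inside the window
            recent = {c for t, c in logins.get(user, []) if ts - t <= window and c != country}
            if recent:
                alerts.append((user, "multiple-locations",
                               f"{country} and {sorted(recent)} within {window}"))
            logins.setdefault(user, []).append((ts, country))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(f"ALERT {rule:<22} user={user:<6} {detail}")
```

On the sample data alice trips three rules in six minutes (new country, two countries inside the window, then a forwarding rule), which is exactly the sequence a compromised mailbox produces and the reason the post wants these alerts on; bob’s role and protocol changes may well be legitimate admin work, but they are the kind of change you want a second pair of eyes on.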
All this will go a long way towards keeping your users far safer than an out-of-the-box system. And most of it costs very little or nothing! Now you can turn your attention to your wider business and systems security.
You can also call and speak to us to assist with a security audit and assistance with implementing a CSF (Cyber Security Framework) for your organisation. It costs very little and will make an enormous difference to your business’ security and hence, bottom line.