Companies and third party vendors researching vendor risk management and vendor risk assessment tools for the first time are usually motivated by Zero Day (or 0 day) attacks that make the most noise in news and corporate circles.
Cyberattacks, ransomware, and vulnerabilities are so common (and so scary) that it’s easy to understand why CISOs and cybersecurity managers are expected to focus on these big threats.
But just below the major headlines, it’s easy to overlook another–more common–cybersecurity risk: data breaches. Data breaches are events where an unauthorized person gains access to sensitive data and discloses it. In essence, anytime an attacker is able to view, edit, and/or share someone else’s private data, it’s a data breach.
What data breaches lack in headline power, they make up for in staying power. According to Fortune, data breaches are steadily increasing, with 2021’s total reported breaches surpassing 2020’s by October. If trends continue, 2022 (and beyond) could be another record-breaking year for data breaches.
What do data breaches have to do with passwords?
Data breaches are often thought of as “hacks.” The problem with such terminology is that it can give the impression that unauthorized parties are forcefully gaining access to data through some back door (perhaps a flaw in the code or embedded malware.) While that may indeed be the case, these attackers would much rather use the front door of company systems.
Passwords are the vulnerable front door to a company’s data.
Passwords–whether alphabetic, numeric, or alphanumeric–are the piece of cybersecurity that we and our employees use every single day. Most of us can’t even open our phones without entering a password (or a passcode as the case may be.) While some of us use features like FaceID or Touch ID to access our systems and our data, the simple combination of letters and numbers still rules the day for most personal machines.
And, since the pandemic has forced a great many employees to work remotely or permanently from home, every device has the potential to be a “personal” device, used in the office, at home, a coffee shop, or any number of places. Needless to say, most companies did not plan for that kind of exposure or increase in their inherent risk.
How are passwords inherently flawed?
In early 2022 we invested in researching how everyday computer users interact with their passwords. What we found led us to one very important conclusion: passwords are only as reliable as the people who use them.
And, unfortunately, a lot of people just aren’t very reliable with their passwords.
For instance, 76% of users we surveyed reported that they only changed their passwords when they absolutely had to. Many systems, like email services, will time people out, forcing them to change their passwords every few months. But if systems aren’t programmed to do so–or if companies don’t enforce a similar rule–only 24% of people will proactively keep their passwords safely updated.
Meanwhile, less than half (42%) of the users we talked to said they use unique passwords for each system. Nearly 60%, then, reuse the same passwords on each site, or change only a few letters to protect different machines and systems.
If companies think that employees and third party vendors will be more careful with their data than those same people are with their own personal photos, finances, and documents, they should consider establishing clear and consistent password protocols.
How should passwords be a part of TPRM?
Third party risk management (TPRM) tools like ThirdPartyTrust can help companies keep track of important assurances and compliances like NDAs, pen tests, and popular assessments like SIG.
Credential security measures can, and should, be included with any custom third party risk assessment. Compliance processes like SOC 2, for example, ensure that individuals are using security measures like antivirus software to keep company resources safe.
Beyond that, companies should treat password protection as the important cybersecurity measure it is. While personal phones may ask for biometric data like facial recognition, company systems, too, can utilize this technology or require one-time passwords (OTP), time passwords (TOTP), or multi-factor authentication (MFA) on top of providing employees with password keychain software to make passwords less onerous.
A third party data breach, or vulnerability within the supply chain, can happen to any company at any time. As remote work and cloud access proliferates, companies need to be as aware of massive cyberthreats as they are the sundry (and often overlooked) cybersecurity tools that employees and third party vendors use everyday: passwords.
Protect your supply chain from exposed credentials
Our survey found that 76% of users change their passwords only when they have to. Are your vendors enforcing security standards that keep your business safe?
Get the latest research on password usage and learn how to protect credentials across your supply chain.
