Cyber breaches targeting accounting firms have been on the rise.
According to a 2022 report by the Association of Certified Fraud Examiners (ACFE), accounting firms experienced a 30% increase in cyberattacks compared to the previous year. As accounting firms handle sensitive financial data, it is crucial to prioritize cybersecurity and protect your organization from potential threats.
One of the most common vulnerabilities lies in poor password habits. By now, you would think people are well aware of the importance of password security but according to a 2019 Google poll, over 52% of users admit to reusing passwords and approximately 13% admit to using just one across all accounts.
In this blog post, we will discuss common password mistakes, the root causes of data breaches, how to create a password policy, and other ways to increase security.
Common Password Mistakes
- Using the same password for everything: This practice makes it easier for hackers to gain access to multiple accounts if they crack just one password.
- Varying the password by a single character: This minor variation does not provide sufficient protection against password-guessing attacks.
- Varying the password in a predictable pattern: Some people change one or two characters of their passwords according to the platform; For example, starting out with a G for Gmail, and using almost the same one but starting it with a Q for Quickbooks.
- Sharing passwords: Sharing passwords with colleagues or writing them down in easily accessible locations increases the risk of unauthorized access. What people don’t realize about this bad habit is that is even worse for the receiving part as they put themselves at risk.
- Using personal information in passwords: Hackers can easily obtain personal information, such as birthdates or pet names, making these passwords less secure.
- Passwords too short: Shorter passwords are easier to crack using brute force attacks. But what is a short password? Any password, no matter the platform should be at least 12 characters long.
- Changing numbers for letters: This common practice (e.g., using "3" instead of "E") might have worked for a while but it’s so common now that is easily predictable and does not significantly improve password security.
- Writing down and Storing passwords: Unencrypted passwords are vulnerable to theft and unauthorized access. To write them down anywhere is a risk. If you, or your employees, are those kinds of people to have a document or .txt file with the title “passwords” you are screaming to be hacked.
Why People Just Woun’t Make Secure Passwords?
The problem with password security boils down to human nature. Most people prioritize convenience over security, choosing simple and familiar passwords that are easy to remember. It's all about avoiding the frustration of forgetting complicated passwords.
We all know how important it is to have strong passwords, but when faced with the task of creating or entering one, many of us just don't follow through. It's not that we don't want to remember them; it's more about avoiding that moment of uncertainty if we can't recall them. The truth is, we often underestimate the risks and importance of password security. This poses a big challenge for companies trying to strengthen their security measures and get employees to adopt better password practices.
Unfortunately, his lax approach exposes organizations to heightened vulnerability to cyberattacks. To address this issue, it is essential to implement a robust password policy that balances security and usability.
Creating a Password Policy
A lot of companies enforce a 90-day password change policy in an attempt to enhance security. However, if your employees simply add an exclamation mark or make their passwords seasonal (e.g., January2023!, March2023!), this approach becomes ineffective. Password security needs to strike a balance between complexity and convenience. Here are some tips for a successful password policy.
Set requirements for passwords
Establish minimum length, complexity, and expiration guidelines for passwords. Encourage the use of a mix of uppercase and lowercase letters, numbers, and special characters. A good idea is to encourage employees to use phrases rather than random words as they are more complex to break out and easier to remember by the user.
Passwords should never be shared with anyone
Educate employees on the risks associated with password sharing and enforce a strict no-sharing policy. This includes a protocol to help employees who need to work collaboratively and what to do when they forget a password.
Make two-factor authentication mandatory
By requiring users to provide an additional layer of verification, such as a code sent to their mobile device or a fingerprint scan, the risk of unauthorized access is significantly reduced. It ensures that even if one factor (like a password) is compromised, the second factor acts as a safeguard.
Use a password manager for your firm
Password managers generate and store complex, unique passwords for each account, reducing the cognitive load on users and improving security.
Other Ways To Increase Security
In addition to implementing a strong password policy, some of these measures can help further enhance your organization's cybersecurity:
Provide regular security training: Educate employees on cybersecurity best practices, including how to recognize phishing attempts and the importance of keeping software up-to-date.
Monitor and audit user activity: Regularly review user activity logs to identify suspicious behavior and take appropriate action.
Implement a robust incident response plan: Develop a plan to address potential security breaches, including steps for containment, investigation, and recovery.
For over a decade, inadequate password management has remained the primary cause of data breaches, resulting in the theft of around one million passwords every week. The second most common method of breaching security is the utilization of stolen login information. A significant 85% of data breaches involve human-related factors like phishing, stolen credentials, and human error.
To address this issue, companies must find a secure approach that employees will willingly adopt. When establishing password security policies, it is crucial to consider the fact that the most robust system will be ineffective if employees work against it. Therefore, while companies should demonstrate to employees that good password hygiene and security can be hassle-free, they should also strive to strike a balance that suits their employees' needs and preferences.
Kevin Mitchell, CPA
Senior Manager and CPA with over 20 years of experience in accounting and financial services, specializing in risk management and regulatory compliance. Skilled in managing audits and leading teams to deliver exceptional services. Proud father of two.
Sources
Help Your Employees Make Strong Passwords a Habit. (2023, January 30). Harvard Business Review. https://hbr.org/2023/01/help-your-employees-make-strong-passwords-a-habit
Create Stronger Passwords for Enhanced Security. (2023, February 21). Business News Daily. https://www.businessnewsdaily.com/5597-create-strong-passwords.html
5 Tips for Creating a Strong Employee Password Policy - Digital.com. (n.d.). Digital.com. https://digital.com/best-password-managers/tips-for-creating-a-strong-employee-password-policy/
