Cybersecurity tips to help safeguard employee credentials from theft and fraud.
For cybercriminals, getting possession of an employee’s computer credentials can deliver a profitable strike to the heart of a company, putting its business systems, applications, and sensitive data at risk. Knowing the credentials of employees—especially those with privileged access—can give threat actors an all-access pass to a company’s digital assets. It’s no wonder that theft of employee usernames and passwords has become one of the leading causes for security breaches, responsible for 19% of all global incidents in 2022, according to a study by IBM.
The cost of these cyber intrusions can be significant: Identity fraud losses in the U.S. reached $20 billion in 2022, according to Javelin Strategy and Research, which tracks cyber financial losses. By individual company, IBM estimates that breaches attributed to compromised credentials cost an average total of $4.5 million.
These costs are also rising because attacks on credentials are typically difficult to detect and remedy. In fact, cybercrimes attributed to stolen or compromised credentials take the longest time—an average 327 days—to identify and contain. That gives cybercriminals plenty of time to move across networks to build potentially intrusive and destructive infiltrations.
The Consequences of Credential Theft
Credential theft is often an early salvo in a complex cyberattack. It can be especially dangerous because privileged account credentials, which provide elevated access and permissions, can help diminish cybersecurity across a business’s extended systems and networks. Once inside, criminals can bypass cybersecurity safeguards to install back doors and malware to clandestinely swipe employee and customer data. They can also block user accounts, change access to systems and applications, and reset passwords.
These risks can cause operational disruptions, financial loss, theft of sensitive data, damage to IT assets, and costly harm to a company’s reputation and brand.
How Criminals Gain Access to Credentials
The ways in which cybercriminals can use credentials to access your business systems and steal information and money are multiplying. Here are some of the top threats to be aware of:
- Phishing: Credential theft often begins with phishing scams, which use trickery to get employees to click a link in an email or text. The reason is simple: This type of social engineering scheme is inexpensive, efficient, and is often successful. In 2022, for example, hackers launched a phishing attack on Klaviyo, a midsize email marketing firm. They convinced an employee to hand over their login credentials and used this information to infiltrate the employee’s email account and company support tools. This enabled the cybercriminals to download product and marketing information, as well as pilfer customers’ personal information, including names, addresses, email, and phone numbers.
- Search engine ads: A similar technique that’s on the rise is use of search engine ads that masquerade as brands and send users to credential-stealing sites. Here’s how it works: Threat actors purchase keyword ads that are displayed alongside search results. When users search for specific words or phrases, search engines return fake ads that look very real and link users to malicious sites that steal personal logins and data. These types of ads have been found in business-to-business online banking portals and treasury management platforms.
- Compromise of RDP credentials: Another frequent infection method is the compromise of Remote Desktop Protocol (RDP) credentials. RDP is a Microsoft communications protocol that allows devices to connect remotely. IT administrators often use RDP to establish secure remote connections to help employees solve technical support issues. Nonetheless, cybercriminals can use employee credentials to infiltrate the connection and plant malware into the remote computer.
"The proliferation of RDP attacks represents a significant cybersecurity risk to businesses because once a threat actor gains access via the RDP protocol, they can move laterally across the network and remotely carry out ransomware attacks, install malware, steal data, and take down business systems," said Tom Scarborough, Senior Vice President and Senior Director for the Extended Security Program at Fifth Third Bank. "What many businesses don’t realize is how risky the use of RDP is and that protecting against RDP attacks only requires basic cybersecurity hygiene such as the use of multifactor authentication, strong password policies, configuring account lockout policies, and proper network segmentation. It doesn’t require complex and costly technology tools to get started."
- Credential stuffing: This technique remains a go-to attack vector. Cybercriminals capture username and password pairs from compromised websites and services, then use bots to run lists of these credentials to scour login portals for matches to gain access to user accounts. Credential stuffing is effective for a simple reason: Employees reuse login information across multiple sites and services. The impact can be significant. Consider, for instance, the wedding planning and registry site Zola. Hackers used credential stuffing to hijack user accounts, steal funds, and capture payment card numbers to charge thousands of dollars in fraudulent purchases. While the company says the hack affected fewer than 0.1% of all users, the attack created a public relations and reputation problem for Zola.
- Weak passwords: Cybercriminals know that employees continue to use weak passwords because they are easy to remember. Worse, 52% of people reuse the same weak passwords across multiple accounts, making it easier for threat actors to identify and steal user credentials. Strong passwords serve as the first line of defense against unauthorized access, and one of the most effective solutions are automated password managers. These tools automatically generate complex, random passwords that can be synchronized and used across multiple devices to defend against intrusions.
Other ways that threat actors gain access to employee credentials include:
- Purchase of stolen credentials on the dark web, where illicit transactions take place.
- Exploitation of default login usernames and passwords.
- Open ports and misconfigured services that are exposed to the internet.
- Compromise of remote services such as virtual private networks (VPNs).
- Abuse of administrative privileges by company insiders.
How to Secure Access to Systems and Files
The rise of hybrid work and the continued proliferation of cyber breaches have elevated the importance of user access controls. These access controls are a key component of identity and access management (IAM) solutions and should be reviewed and updated regularly. Controls should be developed that grant employees access only to digital assets required to perform their jobs, a restriction known as the principle of least privilege access.
Businesses can augment IAM capabilities with what’s known as role-based access control (RBAC), which grants authorization based on a particular employee role. These role-based controls deliver access control and enforcement based on a dynamic risk assessment that parses user behavior and contextual data analytics to determine risks. RBAC also encompasses processes for the hiring, separation, and internal transfer of employee credentials.
Other best cybersecurity practices include:
- Separation of administrator and user accounts to protect privileged credentials.
- Periodic reviews of employee access settings.
- Monitoring of leaked credentials on the dark web.
How Midsize Businesses Can Secure Credentials
Cybercriminals often target small and midsize businesses because they often lack an in-house cybersecurity team or technical experts. Nonetheless, there are plenty of non-technical safeguards that can help protect employee credentials.
Among the most effective is security awareness training for employees. Workers should understand how to spot potential phishing scams as well as have knowledge of basic cybersecurity hygiene. Also essential: up-to-date training for IT and cybersecurity staff, as well as having trusted third parties with access to your systems and network.
It’s also critical to create and enforce policies mandating strong passwords for employees. Businesses also should change the default admin login credentials when deploying new hardware and software. There should be a system in place to inactivate credentials of employees leaving the firm.
In addition, a number of common technology safeguards can help protect credentials. Multi-factor authentication, which typically sends a code to a smartphone, is key to shielding information, particularly for remote workers. Antivirus solutions can help detect and remove malware, while a web application firewall can help identify suspicious login attempts and botnet activity. Other best practices include:
- Giving employees access only to the data, applications, and systems they need to perform their job.
- Developing policies for securing employee devices.
- Keeping operating systems, software, and devices up to date.
- Using a firewall and VPN to mask your IP address and encrypt data.
- Limiting the number of authentication attempts and freezing accounts after repeated failed login requests.
If companies follow these basic cyber-safety precautions, they can greatly reduce the chances of employee credentials being compromised and avoid the expensive and painful effort needed to remove cyber villains from their systems. Most of these are easy to implement but need to be repeated frequently to keep employees vigilant.