Industry News

Risk Management Industry News for FCA Regulated Businesses

Online Risk Management Begins With Passwords

Posted by Serina Gill on 08-Sep-2017 15:02:54

shutterstock_530339407-174639-edited.jpgWork and home lives can be so frenetic that most people tend to use the same or similar passwords - and when it’s said the average person has around 26 log-ins, this is hardly surprising.

But risks are increasing, and according to Cifas, identity frauds have soared by over 68% since 2010. So, risk managers may well find this is a prime time to provide employees with a refresher on password and email security.

It may seem simplistic, but basic lack of awareness can make it a lot easier for fraudsters. Indeed, the 2017 Verizon data breach report said 81% of hacking-related breaches employ either reused/stolen passwords.

So, whether used for online banking, shopping sites or social media, having secure passwords is essential, both in their construction and in allowing them to be easily accessed, which means avoiding notes stored on a mobile phone or on emails.

Don’t be a victim of credential stuffing

Cyber criminals are able to use automated scripts to test credentials – such as passwords and log-ins - against target websites. The same log-ins and passwords they test out can be found as a result of data breaches – such as through compromising an email account - or purchased on the dark web.

In terms of email security, employees must be aware of phishing risks and how this is becoming increasingly sophisticated. More people are aware of fake bank emails, but increasingly, phishing emails could come from a trusted retailer offering what looks like a tempting offer or even a contact’s name, which the fraudster has hi-jacked. Clicking on the link contained in the email is likely to contain malware, which allows the fraudster access to the email account.

Once in, this often is treasure trove, since it’s very common for people to provide financial information that could be useful for criminals in their emails, for example, when passing on details to friends, family and businesses and fraudsters can supplement this with social media data too.


shutterstock_277866641-217765-edited.jpgSocial media risk

The burglary at footballer John Terry’s home apparently took place because he’d announced on Instagram he was away skiing – so this should also remind those using social media to limit the information they put out there.

Over 55s are more careful

Overall, the message needs to be that everyone should guard against complacency. It’s believed younger people are more web-savvy, but in fact they may be more careless when it comes to their passwords. Research by Experian found that a quarter of those aged over 55 had at least 11 unique passwords, whereas those under 30 rarely had more than five.

Any briefing given to employees should be for those at all levels in the business and that includes those in senior positions. Research from Cifas showed that one in five of all identity frauds were against company directors.


What makes a secure password?

The following are useful pointers:

  • Short simple passwords such as a pet’s name are generally unsafe.
  • Experts say eight characters with a combination of random words, using upper and lower case letters and numbers.
  • Using characters from a memorable sentence or saying can be turned into a strong password.
  • While having individual passwords for each log-in, the main ones to prioritise are banking, work and email
  • It’s recommended that passwords should be kept on paper but locked away, rather than held online.

Data security experts are already talking about the death of passwords and the rise of biometrics – so unique identifiers, such as fingerprints, voices and selfies are set to become the way of the future. But, these are not foolproof and pose their own risks – so until these reach wider adoption, for the time being it is the humble – but hopefully hard to hack - password that will remain on sentry duty.

Four Practical Ways to Monitor Risk Appetite