
Aura's Peter Bailey on staying safe from spambots

Yesterday it was reported that more than 700 million email addresses, and a number of passwords, have been leaked in what is already being referred to as one of the largest spambot dumps the world has ever seen.

At present, it is believed the data dump originated via a spambot called Onliner. Security experts are advising those affected to change their passwords immediately to reduce the risk of further penetration.

This recommendation raises the question: what makes a secure password?

Aura Information Security’s general manager Peter Bailey says: "While security experts have been talking to people about securing their passwords for years, it is still one of the easiest points of access for hackers to use. Too often passwords are written down, reused or too easy to hack."

Passwords are the gateway to your and your company's private materials, but the importance of password security is often overlooked, which can lead to increased cyber security risk for businesses.

Here are six tips from Bailey to help make sure your email doesn't fall victim to a spambot:

  1. Use a password manager

A good password manager, which is essentially a vault that stores all your passwords in one place and is protected by a master password, makes the task of setting strong, different passwords for multiple accounts far easier. These password managers rely on you setting a very strong master password, so Aura recommends using a "passphrase" as this master password, that is, a sequence of four or five words. These days it is length, not complexity, that makes a good password, so try to choose longer words that aren't predictable or easy to guess. Fortunately, it will be the last password you have to remember, as most password managers include password generators to create strong (long and complex) passwords for you, so you'll never have to look at or type in another password again. There are lots of options out there, ranging from online solutions such as 1Password or LastPass to more technical solutions such as KeePass. Most solutions provide mobile apps as well, so you can manage your passwords on your iOS or Android devices too.

  2. Use two-factor authentication where it is available

Where two-factor authentication is offered (even Facebook offers it these days), make use of it. Two-factor authentication combines username and password (factor one) with a second level of verification, such as a code sent by text message to your mobile or a 2FA code generator such as Google Authenticator (factor two).

  3. Don’t reuse passwords

If a hacker does manage to access your business password, having the same password for everything could spell disaster. The same goes for employee passwords: sharing passwords between personal and business accounts increases the chances that a password will be compromised. It’s best practice to have multiple passwords, to minimise the potential impact on your business should one password be discovered.

  4. Never disclose or share your credentials

Cyber criminals are getting more and more sophisticated, but the same trick that hackers have used for years is still the most effective: social engineering. In other words, tricking an employee into clicking on an infected link, revealing a username and password, or paying an invoice that looks like it has come from a legitimate source. Good security starts with staff education and effective security policies, and that includes never revealing your passwords to anyone or including passwords in documentation (emails, work instructions, application user guides etc.).

  5. Ensure your employees understand cyber security

Most security breaches can be attributed to employee error…or ignorance. Employees who use weak passwords or use the same password across personal and work accounts can prove to be the weak spot that hackers use to penetrate your business. To ensure your business fosters a culture of cybersecurity awareness, regular training and education is key. If you don’t have a CISO to help lead the charge, there are some great online tools and employee checklists available from sites such as ConnectSmart.govt.nz and cert.govt.nz. Aura also recently launched its e-learning tool, which is designed to provide businesses with the ability to train and educate staff whilst also identifying areas for improvement.

  6. Make your password complex, but easy to remember

Previous advice recommended combining upper and lower case letters and using numbers and symbols when creating your password. People’s inability to remember these complex passwords ends up putting them at higher risk: by writing down your password in order to remember it, you open yourself up to more threats. Instead, think of an easy-to-remember phrase or word combination. Lyrics of a song, a short quote from a movie or book, or even a dinner dish are good options to make your password complex enough to deter hackers, but still easy to remember.
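The passphrase advice in tips 1 and 6 rests on one arithmetic fact: guessing space grows with length faster than with symbol variety. The added example below (mine, not Aura's or the article's) generates a random word passphrase the way a password manager would and compares its search space with a short "complex" password; the small word list is a constructed stand-in for a real diceware-style list of 7776 words.

```python
import math
import secrets

# Constructed stand-in for a real word list; a diceware list has 7776 entries.
SAMPLE_WORDS = [
    "harbour", "kettle", "orbit", "plaster", "velvet", "quartz", "lantern",
    "meadow", "cobalt", "saddle", "timber", "nectar", "pillar", "ember",
    "glacier", "walnut",
]
DICEWARE_LIST_SIZE = 7776          # 6^5 words, one per five dice rolls
PRINTABLE_ASCII = 94               # upper, lower, digits and symbols


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `pool_size`."""
    return length * math.log2(pool_size)


def generate_passphrase(words: list[str], n_words: int = 5, sep: str = "-") -> str:
    """Pick words with the CSPRNG (`secrets`), never `random`, as a manager would."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_strength(n_words: int = 5, list_size: int = DICEWARE_LIST_SIZE,
                     complex_len: int = 8, charset: int = PRINTABLE_ASCII) -> dict:
    """Compare a word passphrase against a short complex password.

    Returns the entropy of each and how many times larger the passphrase's
    search space is, so the 'length beats complexity' claim can be checked.
    """
    phrase_bits = entropy_bits(list_size, n_words)
    complex_bits = entropy_bits(charset, complex_len)
    return {
        "passphrase_bits": round(phrase_bits, 1),
        "complex_bits": round(complex_bits, 1),
        "passphrase_is_stronger": phrase_bits > complex_bits,
        "times_larger_space": round(2 ** (phrase_bits - complex_bits)),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(compare_strength())
```

Note that the entropy figures assume the words were chosen at random; a memorable lyric or quote, as tip 6 suggests, is easier to recall but is also a guessable phrase, so it buys far less than the table implies.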