Security

How Password Managers Help Meet Cybersecurity Requirements

The first Thursday in May is World Password Day. This is a good opportunity to look at your cybersecurity practices and privileged access strategies.

As cyberattacks increase, more organizations are choosing to get some peace of mind by acquiring cyber insurance to mitigate liability and losses in case of an attack. However, getting cyber insurance may not be an easy exercise. Due to increasing numbers of claims over the past few years, insurance companies have reworked the criteria for acquiring cyber insurance and required organizations to demonstrate their ability to fend off ransomware attacks with a wide array of security controls.

What requirements must be met to qualify for cyber insurance coverage?

Common cyber insurance eligibility requirements include:

  • Antivirus software installed on all PCs
  • Patch management to ensure critical updates are applied on time
  • Firewall protection for the company network
  • Backup and data protection using a secure cloud service
  • Regular vulnerability scanning or penetration tests
  • Endpoint protection and intrusion detection to stop attacks
  • Formal certification such as ISO 27001, or demonstrated alignment with the NIST Cybersecurity Framework
  • Multi-factor authentication for admin and other privileged accounts
  • Actively managed and routinely audited user accounts and permissions
  • Regular security training for employees

The goal of these requirements is to increase the resilience of the different attack surfaces in the business's environment. The last three items on the list address the identity attack surface and human risk.


A Security Reality Check

A 2020 Ponemon and Yubico survey uncovered the following worrying trends when it comes to password usage:

  • 50% of IT professionals and 39% of individual users reused passwords across workplace accounts. If a hacker gets their hands on one password, it simultaneously puts multiple accounts at risk of data breaches and cybercriminal intrusions.
  • Equally concerning is that only 40% of IT professionals use MFA.
  • One final mind-blowing finding: 35% of IT Security pros did not change how they manage their passwords even after experiencing an account takeover or hacking.

How often do small businesses perform staff security training?

Many SMBs (up to 100 employees) and SMEs (100 to 1,000 employees) don't realize how easy it is to find credentials on the Dark Web and exploit them. Because user accounts are the way company systems and resources are accessed, attackers tirelessly try to compromise those accounts, drawing on the 24 billion leaked username and password combinations that the Account Takeover in 2022 report by Digital Shadows' Photon Research Team found circulating on criminal marketplaces.

According to an article in Privacy Affairs magazine, compromised login credentials for banks or financial systems sell for between $15 and $1,000 on the Dark Web, credit card details with CVV start at $15, and social media login credentials start at $1.

SMBs and SMEs do not appear to have what they need to prevent attacks, lacking internal resources, cybersecurity plans and budgets. According to KnowBe4, 40% do not conduct regular training, 16% only perform ad hoc training, and 9% only push training when an incident occurs.

The Human Factor in Security Breaches

If a privileged user makes a mistake or an attacker gets access to a privileged account, the most valuable data is at risk. Insider threats are attacks in which legitimate users leverage their access, either maliciously or accidentally, and ultimately cause harm to the organization. This type of threat can come from a current or former disgruntled employee, or from a third-party contractor or vendor who was given a shared account whose access was never removed.

According to the 2021 IBM Security X-Force Insider Threat Report, 40% of security incidents involved an employee with privileged access to company assets.

Manual and browser-based password management methods increase risk

Recent surveys put the average SMB or SME employee at roughly 100 passwords. Let's be honest, that is a lot to manage. So how are people managing them? There are a number of different options:

  • Memorization: Some employees rely on memory alone, which means recalling a complex password for each of many accounts. This is difficult and error-prone, especially when passwords must be changed frequently, and in practice it pushes people toward reuse and predictable patterns.
  • Writing down passwords: Some employees may write down their passwords on a piece of paper or in a notebook, which can be a security risk if the book is lost or stolen. It can also be difficult to manage and organize a large number of passwords this way.
  • Saving passwords in browsers: Some employees choose to save their passwords in their web browsers, which is convenient but carries risk. The browser's credential store is only as protected as the logged-in user session: infostealer malware running as that user can read and decrypt it wholesale, a malicious browser extension can read form fields as they are filled, and a cross-site scripting (XSS) flaw on a site can inject a hidden login form that the browser autofills, handing the credentials to the attacker's script. If the endpoint or the browser is compromised, every saved password is exposed at once.
  • Using a password manager: Many employees are turning to password manager solutions to manage their passwords. These tools store passwords securely and can generate strong, unique passwords for each account. This can eliminate the need for employees to remember multiple passwords and can improve overall security.

Using a password management solution increases both security and efficiency

There are several reasons why enterprises need to use a password manager solution:

  1. Improved security: Password manager solutions help enterprises improve their security posture by enabling users to create strong, unique passwords for each account. This eliminates the need for users to remember multiple passwords and reduces the risk of weak passwords or reused passwords being used, both of which can be easily compromised.
  2. Centralized management: Password manager solutions enable enterprises to manage passwords centrally, ensuring that password policies are enforced across the organization. This helps reduce the risk of data breaches caused by weak or compromised passwords. It also gives the IT manager a secure place for end users to keep corporate and personal credentials, organized in folders, so that nothing is left in notebooks, spreadsheets, or browser stores.
  3. Credential discovery and automation: This helps to automatically discover new Active Directory accounts and password changes, implement password rotation and role-based access. It also empowers the IT manager to remove access when deemed necessary and prevent unauthorized logins.
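The reuse, weak-password and breached-credential problems described above (the Ponemon findings, the Dark Web credential trade, and the "strong, unique password per account" benefit) can be made concrete with a small audit. The following is an added example written for this page, not N-able or Passportal code: it generates passwords from the OS CSPRNG, scores entropy, and audits a constructed credential inventory for reuse, weakness, and membership in a breached-password set. The vault entries, the 60-bit policy threshold, and the tiny breached-hash set are all constructed assumptions for the demo.

```python
"""Added example (not N-able/Passportal code): strong password generation plus an
audit for reused, weak and breached credentials over a constructed inventory."""
import hashlib
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_ENTROPY_BITS = 60.0  # assumed policy threshold for this demo

# Constructed stand-in for a breached-credential feed, stored as SHA-1 hashes so the
# audit never needs the plaintext list. A real check would query a breach corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "P@ssw0rd!", "Welcome1")
}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG (secrets), never random.random."""
    if length < 12:
        raise ValueError("policy minimum is 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy assuming uniform choice from the character classes present.
    Only meaningful for machine-generated strings: 'P@ssw0rd!' scores the same pool
    size as a random string but is in every cracking wordlist, hence the breach check."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def is_breached(password: str) -> bool:
    """Hash-compare against the breached set; the plaintext is never stored."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def audit(vault):
    """vault: iterable of (account, password). Findings are keyed by account name so
    the report can be shared without echoing any plaintext password."""
    by_password = defaultdict(list)
    weak, breached = [], []
    for account, password in vault:
        by_password[password].append(account)
        if entropy_bits(password) < MIN_ENTROPY_BITS:
            weak.append(account)
        if is_breached(password):
            breached.append(account)
    reused = [accounts for accounts in by_password.values() if len(accounts) > 1]
    return {"reused": reused, "weak": weak, "breached": breached}


# Constructed sample inventory: one user reusing a breached password across three
# systems, one weak-and-breached password, one weak-only, and one generated password.
SAMPLE_VAULT = [
    ("vpn/alice", "Summer2023!"),
    ("m365/alice", "Summer2023!"),
    ("crm/alice", "Summer2023!"),
    ("payroll/bob", "Welcome1"),
    ("wiki/bob", "hunter2"),
    ("github/bob", "x7Gq#Lm2@vZ9!pRt4&Wn"),
]

if __name__ == "__main__":
    findings = audit(SAMPLE_VAULT)
    for group in findings["reused"]:
        print("password reused across:", ", ".join(group))
    print("below policy entropy:", findings["weak"])
    print("present in breach data:", findings["breached"])
    print("replacement candidate:", generate_password())
```

Note that "Summer2023!" passes the entropy threshold (11 characters from a 94-symbol pool scores about 72 bits) yet is flagged by the breach check; entropy estimates say nothing about whether a human-chosen password is already for sale, which is why a manager that generates passwords and a breach lookup belong together.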

Cyber insurance providers typically evaluate an organization’s overall cyber risk posture when determining the premium and coverage offered. Using a password manager can be a positive factor in this evaluation as it demonstrates that the organization is taking steps to mitigate the risk of password-related attacks. This coupled with employee education and training on the risks associated with poor password management can help enterprises to improve their security posture, and ensure compliance with regulatory requirements as well as requirements for insurance coverage.

N‑able Passportal helps IT teams prevent and avoid network security threats by securely storing and managing credentials for online and offline applications and by safely sharing login credentials. Additionally, the Passportal Site add-on gives end users the ability to efficiently manage their own passwords.

Marilena Levy is Senior Product Marketing Manager at N‑able

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only. It should not be relied upon for legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office or in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.