Cloud-based platforms, intranets and extranets, accounting or human resources systems are just some of the resources Belgian organisations use in their daily operations. In addition, social media, banking, email, applications and websites are some of the many accounts collaborators use in their daily life via devices containing organisation data. Each one of these accounts requires a password to access it.
Always respect your organisation’s password policy, acceptable use policy and data classification policy to ensure a sufficient and consistent level of cybersecurity.
A set of reference document templates is available to ensure a quick and smooth implementation of cybersecurity policies within your organisation.
The longer, the better. Long passwords are more efficient as they are harder for cybercriminals to crack given the many possibilities their number of characters can give. Passwords should be at least 12 characters, combining lowercase, uppercase, numbers and symbols to increase complexity.
A good technique to make a strong password is to build a ‘password sentence’, e.g. “Alice is at the beach in Oostende”. Crop the various words and keep the preferred number of letters, e.g. “Ae is at te bh in Oe”. Make this password even stronger by adding or replacing some letters with numbers and/or symbols, e.g. replacing an ‘e’ with the number 3 or an ‘s’ with the number 5. Pick whatever numbers and symbols you like, but make sure to remember the final sequence.
Once a strong password is created, it is strictly personal and should never be shared. Especially professional passwords should be treated with care. For example, never ask a colleague to login on your behalf.
Cybercriminals can use phishing techniques or hack a website to steal passwords and access personal information, or sell the leaked credential data on the dark web. With that stolen information, their goal is to cause harm, either by stealing money or by using sensitive information to obtain unwanted and/or illegal services. Once in possession of a single password, they will try it on other accounts as well to see if they can access more services and cause even more damage, or they will try to move within the organisation’s network to access more information. It is therefore very important to contain the risk of multiple accounts being compromised by using different passwords for different accounts.
Never use the same password across different accounts. In this way, if something bad happens, the damage can be contained.
Multi-factor authentication is a solid way to strengthen password-based access. It means using multiple ways – factors – to prove that you are who you claim to be and that you are allowed to access your account.
Those factors can be:
• Something you know (password or PIN),
• Something you have (phone or token) or
• Something you are (fingerprints or face).
Multi-Factor Authentication requires the combination of at least 2 of those factors to allow you to access an account. For example, the use of a password and a code sent via text on your mobile phone. In addition, Multi-Factor Authentication can also be implemented through the use of a verification app. For example, itsme® is a free Belgian app enabling any resident to prove their identity or confirm transactions in a safe, easy and reliable way. Alongside this app, other known authentication apps can also be used: Google Authenticator, Microsoft Authenticator, or Authy.
The most commonly used services offer a form of two-step verification and have a short instruction page. You can find all those services and instructions by visiting https://www.safeonweb.be/en/two-factor-authentication-it-difficult-use.
While not a silver bullet, this increases the effort an attacker needs to compromise you or your organisation. More often than not, this is a sufficient incentive to dissuade an opportunistic attacker.
Having different and strong passwords for different accounts can help protect information. However, in daily life, people use many different accounts and remembering one password for each of them can be quite difficult. This does not mean that they need to use the same password across all accounts and accept the risk of being hacked. Indeed, one specific solution has been built especially for that purpose: the Password Manager.
Password Managers will help manage all different passwords by storing them safely. Some Password Managers can even generate random passwords and make sure they are strong enough. In order to access the Password Manager, set up one single strong password.
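As an added example (not code from Safeonweb or from any of the password managers listed on this page), the following Python shows the two things described above: a policy check for the minimum of 12 characters mixing lowercase, uppercase, numbers and symbols, and a random generator, of the kind a password manager provides, that draws from the operating system's cryptographic random source and retries until the policy is met. The symbol set and the 16-character default length are assumptions; the `entropy_bits` helper is added to show numerically why a longer password is stronger.

```python
import math
import secrets
import string

MIN_LENGTH = 12                       # minimum stated on the page
SYMBOLS = string.punctuation          # assumed symbol set for generation
CHECK_SYMBOLS = SYMBOLS + " "         # a space counts as a symbol when checking
GENERATION_ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy rules the password fails (empty = compliant)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = (("lowercase", string.ascii_lowercase),
               ("uppercase", string.ascii_uppercase),
               ("digit", string.digits),
               ("symbol", CHECK_SYMBOLS))
    for name, alphabet in classes:
        if not any(ch in alphabet for ch in password):
            failures.append(f"no {name} character")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password with the CSPRNG (`secrets`, never `random`)
    and retry until every character class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(GENERATION_ALPHABET) for _ in range(length))
        if not meets_policy(candidate, length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(GENERATION_ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password: each extra character
    adds log2(alphabet_size) bits, which is why length matters most."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # The page's password-sentence example before and after adding numbers.
    print(meets_policy("Ae is at te bh in Oe"))     # ['no digit character']
    print(meets_policy("A3 i5 at t3 bh in O3"))     # []
    print(generate_password())                      # e.g. a random 16-character string
    print(round(entropy_bits(12)), round(entropy_bits(16)))   # 79 105
```

The retry loop in `generate_password` is what a password manager does when it promises the output is "strong enough": a uniformly random draw can, rarely, miss a character class, so the result is checked against the same policy a human-chosen password has to meet.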
Many Password Managers are available in a free or paid version, and your IT Responsible can be consulted for advice on choosing one that is in line with the organisation’s policies. As a starting point, here is a list of some password managers:
• Bitwarden
• Keeper
• Dashlane
• KeePassXC
• Keepass
• Lastpass
• LogMeOnce
• 1Password
As with every technology solution, Password Managers can also have vulnerabilities that can be exploited. However, vendors do everything they can to keep their product safe. To add a layer of protection, we recommend implementing Multi-Factor Authentication to access the Password Manager.
The main benefits of a Password Manager are:
• Secure storage of all passwords;
• Random generation of complex passwords;
• Easy to use;
• Less to remember; and
• Available from any device.
If there is any indication that a password has been revealed or shared, change all passwords immediately. Remember to change the passwords substantially: only adding one letter or number won’t have a strong effect, since most hackers keep lists of variations of previously hacked passwords.
Additionally, in the event that a professional password has been disclosed or shared, contact your IT Responsible and follow their instructions.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.