Cybersecurity in today’s competitive market is quickly becoming as much about gaining a competitive advantage as it is about risk management. Even the act of telling customers how their information is being safeguarded and kept private gives a level of credibility competitors just might not have.
Sean Joyce, former Deputy Director of the FBI and industry leader on cybersecurity asserts:
“People want privacy and security, not privacy or security. Companies will need to deliver on that expectation.”
Establishing and maintaining trust is fundamental to every business’s success, and all the research shows that customers expect the organisations they do business with will manage their privacy diligently.
According to PwC’s 2018 Global State of Information Security Study only around 50% of CEOs are building trust with customers by investing in cybersecurity to a large extent. This reveals an opportunity for growth for those currently underinvesting to set themselves apart and better meet customer expectations.
The majority of businesses simply rely on the standard encryption and two-factor authentication provided by their cloud storage service. And if they do invest in information security they are unable to measure its effectiveness.
One such example is Microsoft’s popular cloud-based storage application OneDrive, part of the Microsoft 365 suite, which has become embedded into the operations for many businesses not using DropBox or Google Drive.
OneDrive provides individual encryption keys on a file-by-file level as well as two-factor authentication. And while it has evaded a major breach like its counterpart, Dropbox and iCloud’s hacked celebrity accounts in 2014, it has security features than many organisations don't have the expertise to activate and maximise.
Here’s how hackers are already getting access to O365 accounts and why you need information security to keep your business from falling victim to the same mistakes.
Passwords are stolen everyday through phishing emails disguising themselves as important or urgent documents.
Earlier this year, millions of O365 users had their passwords stolen through one of these scams.
The hackers mask themselves as urgent or important messages in order to get people to open their documents. Once the documents are opened, code is automatically executed on the users’ computers.
Recently hacker have used PowerShell, a language created by Microsoft for administrators, so that they can rapidly execute commands across several operating systems. Essentially, giving hackers access to their entire suite of Microsoft services, including M365.
Brute force attacks
Brute force attacks use automated code to try every-possible variation of a password until it is eventually cracked. Thousands of login attempts are made within seconds from multiple IP addresses.
Just in the month of August last year, 48 Microsoft 365 customers had their accounts hacked by a brute force attack.
In order to prevent brute force attacks, many organisations, like banks, put a limitation of unsuccessful password attempts for every account. They also use tools like Google’s reCAPTCHA, requiring successful logins to enter a word or perform a simple maths problem. However, this is not standard practice across all internet-based services.
So by executing a brute force attack against an unrelated account without this safeguard, hackers are then armed with the same re-used password to get access to business bank accounts, email accounts, website servers, and M365.
Employee misuse of company systems
Businesses relying upon standard cybersecurity methods are running a risk as 71.4% of enterprise Microsoft 365 users have at least one compromised account every month.
This is largely attributed to the overwhelming amount of passwords staff need to remember, especially when freshly joining an organisation.
The easiest way for them to keep track of this information is to create Word documents or email drafts titled “passwords”, and leave them open for the taking. That’s why organisations need thorough cybersecurity policies to prevent this from happening.