How you can stop corporate login theft

Business spending on cyber security continues to rise. The latest estimate puts the average figure at more than $5 million for 2021. Yet, in the same year, US organizations reported a record number of data breaches. So, what goes wrong?

An unholy trinity of static passwords, user error and phishing attacks continues to undermine security efforts. Easy access to credentials gives threat actors a big advantage. And user training alone cannot restore the balance. A robust approach to credential management is also required, with layers of protection to ensure credentials don’t fall into the wrong hands.

The password problem

Almost half of all reported breaches during the first half of this year involved stolen credentials. Once obtained, these credentials enable threat actors to masquerade as legitimate users to distribute malware or ransomware or move laterally through corporate networks. Attackers can also perform extortion, data theft, intelligence gathering and business email compromise (BEC), with potentially massive financial and reputational consequences. Breaches caused by stolen or compromised credentials had an average cost of $4.5 million in 2021 and took longer to identify and contain (327 days).

It is perhaps not surprising to hear that the cybercrime underground is full of stolen credentials. In fact, there were 24 billion in circulation in 2021, a 65% increase from 2020. One factor is poor password management. Although passwords cannot be guessed or cracked, logins can be phished from individual users, or stolen.

The common practice of password reuse means that these login details can be fed into automated software to unlock multiple accounts online, in so-called credential attacks. Once in the hands of the hackers, they are quickly put to work. According to one study, cybercriminals gained access to nearly a quarter (23%) of accounts immediately after compromise – most likely via automated tools designed to quickly validate the legitimacy of the stolen credentials.

User education is not a panacea

Phishing is a particularly serious threat to business and is growing in sophistication. Unlike the error-strewn spam of yesteryear, some attempts appear so authentic that even a seasoned pro would have trouble spotting them. Company logos and fonts are faithfully replicated. Domains can use typos to appear at first glance identical to the legitimate ones. They can even use Internationalized Domain Names (IDNs) to mimic legitimate domains by replacing letters from the Roman alphabet with lookalikes from non-Latin alphabets. This enables fraudsters to register phishing domains that appear identical to the original.

The same applies to the phishing sites that cybercriminals direct employees to. These pages are designed to be persuasive. The URLs will often use the same tactics as mentioned above, such as substituting letters. They also aim to replicate logos and fonts. These tactics make the pages look like “the real deal”. Some login pages even render fake URL lines that show the real website address to trick users. This is why you can’t expect employees to know which sites are real and which are trying to trick them into submitting business credentials.

This means user awareness programs need to be updated, both to account for specific hybrid workplace risks and ever-changing phishing tactics. Short, small lessons with real-world simulation exercises are essential. So is creating a culture where reporting attempted fraud is encouraged.

For phishing sites in particular, encourage users not to click on links to pages from sources they do not know. Instead, they should go directly to trusted websites and log in directly. Teach employees to always inspect the URL bar to make sure they are on the site they are supposed to be on. Another key skill will be showing employees how to inspect and interpret URL links so they can distinguish between a legitimate login page and something pretending to be the real deal. This will not work in all cases, but can help in most cases.

Against real-time protection

But remember, there is no silver bullet, and user education alone cannot reliably stop identity theft. Bad actors only need to get lucky once. And there are many channels to reach their victims, including email, social media and messaging apps. It is impossible to expect every single user to detect and report these attempts. Education must work with technology and robust processes.

Organizations should have a layered approach to credential management. The aim is to reduce the number of websites users have to enter passwords on. Organizations should strive to implement single sign-on (SSO) for all recognized required work applications and websites. All SaaS providers should support SSO.

If there are logins that require other credentials, a password manager will be useful in the meantime. This also provides a way for employees to know if a login page can be trusted, since the password manager won’t offer credentials for a site it doesn’t recognize. Organizations should also enable multi-factor authentication (MFA) to secure logins.

FIDO2 is also being used. It will provide a more robust solution than traditional authentication apps, although these apps are still better than codes sent via text messages.

Not all of this is foolproof, and dodgy login sites can slip through the net. A last resort is needed to flag risky login pages to employees. This can be done by analyzing, in real time, threat intelligence metrics, website similarities, domain age and how users arrived at a login page. This rating can then be used to block high-risk login pages or warn users to re-check for less risky ones. Crucially, this technology only intervenes at the last moment, so that security appears transparent to the user and does not make them feel monitored.

Combined with an architectural approach to security across the stack, a layered approach to credential management can help reduce the attack surface and mitigate risk from an entire threat class.

Ian Pratt is Global Security Manager at HP Inc.