Over 42,000 user credentials from Scottish public bodies are available on the dark web, according to an investigation from FutureScot.
The findings showed that usernames and passwords belonging to staff at organisations including the NHS, the Scottish Government and local councils had been leaked. This is a serious security risk: credentials traded on the dark web are routinely used by attackers to log in as legitimate users and reach sensitive data. In one significant recent case, in December 2020, the Scottish Environment Protection Agency had 1,200 staff locked out of its network after a ransomware attack.
Local authorities around the world are increasingly targeted by ransomware, and the volume of attacks is growing year on year. According to cybersecurity firm Group-IB, ransomware attacks increased by more than 150% in 2020 alone.
Against this background, the cost of insuring against attacks is also rising sharply: between April and May, premiums were 27 per cent higher than a year earlier, according to the latest data from Aon. Even obtaining cover now requires increasingly strict security procedures, with AIG stating that it “may not write coverage at all” for organisations with lax security practices, according to its head of cyber insurance, Tracie Grella.
Passwords are an extremely vulnerable form of authentication, and the growth of cloud apps has only made the problem worse. As users are required to remember ever more passwords, they reuse the same ones across multiple accounts. This is a large part of what makes data leaked on the dark web so valuable to attackers: one set of credentials can be tried against many accounts and identities, a technique known as credential stuffing.
Training employees can help, but the time and effort needed to maintain good password hygiene across so many accounts makes it an impractical solution on its own. Multi-Factor Authentication undoubtedly helps, but the weaker second factors are still exposed: an attacker holding a reused password can often read a one-time code sent to an email account protected by that same password, and codes sent over SMS travel over a channel that is not secure.
Instead, the most effective approach is to address the root of the problem: the passwords themselves. The username and password combination has barely changed since it was first used to protect computer accounts in the early 1960s, before the internet existed, let alone today's ever-growing suites of cloud apps. The solution, then, is to remove passwords as an attack vector altogether by switching to passwordless authentication.
Passwordless authentication guards against leaked credentials for a simple reason: if passwords are not used, they cannot be stolen. Instead, authenticating the user is delegated to an Identity Provider (IdP). The IdP and each Service Provider (SP) establish a relationship of trust in advance, and the IdP then issues cryptographically signed (and optionally encrypted) security tokens that the SP verifies before granting access, without the user ever entering a password. Because the SP never holds a password for the user, there is nothing for an attacker to steal from it. The caveat is that the IdP must itself verify the user with something stronger than a password, such as a device-bound key or hardware token; otherwise the problem has only moved.
Even for systems that do not support passwordless protocols, an Identity Provider can generate and fill in passwords on the user's behalf: long, random, rotated regularly and never known to the user. A user who does not know a password cannot be tricked into typing it into a phishing site, which removes the original source of many compromised credentials.
While organisations employ a wide variety of security controls to mitigate the risk of breaches caused by compromised credentials, passwords will always remain an inherently vulnerable point of attack in any system. The continuing rise in attacks on public bodies is a real cause for concern, but by dealing with the problem at its source and embracing a passwordless future, we can reverse this trend and secure our public sector.
Find out how My1Login can help your organisation move from passwords to passwordless authentication. Book a demo today.