The first Thursday in May is celebrated by cybersecurity experts as World Password Day. On that occasion, it is worth recalling some cautionary statistics.
“We all know that passwords are a problem. In our phishing campaigns, nine percent of users give up their name and password,” says David Picha, our sales manager.
Phishing is a social engineering technique that ethical hackers use as part of penetration testing to find out how much of a risk a company is to its own employees. Phishing involves sending email messages that look trustworthy and attempt to lure sensitive information from users, such as just access to computers or applications, or entice them to click on a potentially dangerous link. According to Integra’s statistics, on average 36% of people will click through a link without thinking.
Ethical hackers often pose as internal IT helpdesk staff in large companies, for example, and test employees’ vigilance over the phone. “We’re more than twice as successful over the phone as we are in a phishing test. People trust a made-up story without realising they don’t actually know who they’re talking to,” warns Picha.
Cybersecurity experts offer a number of cautionary facts, such as:
- 60% of people use the same password on multiple sites
- 47% of people admit to using passwords that are at least five years old
- 13% use the same password across all sites and devices they own
- 91% of people know they shouldn’t reuse their passwords, but 59% admit to doing it anyway
“Companies should teach employees to use a password manager and establish a zero-trust approach that assumes the employee will succumb to an attack,” recommends cybersecurity specialist David Picha. The zero-trust principle gives users access only with the necessary permissions and only for the necessary amount of time.
After obtaining the employee’s access credentials, the hacker tries to get as deep into the network as possible and, for example, use a ransomware attack to encrypt the data. We often simulate this type of attack (without encryption, of course) with a penetration test to determine its possible consequences. “Continuous education is an important part of prevention – once a year really isn’t enough,” concludes the expert.
Phishing is a technique for capturing sensitive data on the Internet. A phishing campaign costs in the order of tens of thousands of crowns, a full penetration test costs hundreds of thousands of crowns depending on the size of the company, but protects against multimillion-dollar damage.
