
Financial and legal sectors – are your passwords secure?



The financial and legal sectors have seen a significant rise in cybercrime activity over the past few years, as the following statistics from the UK COVID CRIME INDEX 2021 REPORT show:

  • Three-quarters (74%) of banks and insurers experienced a rise in cybercrime since the pandemic began

  • IT security, cybercrime, fraud, or risk department budgets had been cut by almost a third (26%) in the past 12 months

  • This mirrors the criminal activity detected by financial institutions, which had risen by 29% since the start of the pandemic

And it’s not hard to understand why.


Cybercrime is now the biggest economic threat in the global economy – it’s cheap and easy to carry out and really hard to catch the people doing it. Couple that with remote working, poor cyber hygiene and a post-pandemic business model that, for many, is tied to online trade, and you have the perfect storm.


So how safe are our company’s passwords?

The graphic below represents the time it takes to brute force a password using current technological capabilities.

Matrix from Hive Systems showing how the complexity and number of characters affect the time it takes for a brute force attack to guess a password

So, passwords should be long and complex.


An ongoing issue is that the more complex the password, the more difficult it is to remember. With the general lack of uptake of password managers, the NCSC guidance continues to encourage staff to use three random words as a password instead. Find out more here.
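The following worked example is added here and is not code from the original article or from Hive Systems or the NCSC. It reproduces the idea behind the brute-force matrix (keyspace grows exponentially with length, and the character set sets the base) and places the three-random-words scheme on the same scale. The attacker speed (`GUESSES_PER_SECOND`) and the word-list size (`WORD_LIST_SIZE`) are assumptions the article does not state; change them and the absolute times move, but the shape of the matrix does not.

```python
"""Added worked example (not from the original article): estimate how long
exhausting a password's keyspace takes for each row of the length/complexity
matrix, and compare the NCSC "three random words" scheme on the same scale.

Assumptions, none of which the article states:
  * the attacker tests GUESSES_PER_SECOND candidates per second (a constructed
    round figure representing an offline attack against a fast hash);
  * three-random-words passwords are drawn from a list of WORD_LIST_SIZE words.
"""
import math
import string

GUESSES_PER_SECOND = 10_000_000_000  # assumed attacker speed: 1e10 guesses/s
WORD_LIST_SIZE = 20_000              # assumed size of an English word list

# Character classes matching the usual rows of a brute-force matrix
CHARSETS = {
    "numbers only": len(string.digits),                                  # 10
    "lowercase letters": len(string.ascii_lowercase),                    # 26
    "upper and lowercase letters": len(string.ascii_letters),            # 52
    "letters and numbers": len(string.ascii_letters + string.digits),    # 62
    "letters, numbers and symbols": len(
        string.ascii_letters + string.digits + string.punctuation),      # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password chosen uniformly from `space` options."""
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in the keyspace."""
    return space / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, e.g. '2.0 hours'."""
    if seconds < 1:
        return "less than a second"
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def three_random_words_keyspace(words: int = 3,
                                list_size: int = WORD_LIST_SIZE) -> int:
    """Keyspace of the NCSC scheme: `words` words drawn from `list_size`."""
    return list_size ** words


def equivalent_random_length(space: int, alphabet_size: int) -> float:
    """How many random characters of `alphabet_size` give the same keyspace."""
    return math.log(space, alphabet_size)


def brute_force_matrix(lengths=range(6, 13), charsets=CHARSETS) -> dict:
    """Time to exhaust each (charset, length) cell at the assumed rate."""
    return {name: {n: human_duration(seconds_to_exhaust(keyspace(size, n)))
                   for n in lengths}
            for name, size in charsets.items()}


if __name__ == "__main__":
    for name, row in brute_force_matrix().items():
        print(f"{name:30}", "  ".join(f"{n}: {t}" for n, t in row.items()))
    words = three_random_words_keyspace()
    print(f"three random words: {entropy_bits(words):.1f} bits, equivalent to "
          f"{equivalent_random_length(words, 62):.1f} random letters+digits, "
          f"exhausted in {human_duration(seconds_to_exhaust(words))}")
```

The matrix shows why the article says "long and complex": adding one character multiplies the work by the alphabet size, so length is the lever that moves a cell from seconds to centuries. The three-random-words line shows where that scheme lands under the assumed list size; it is only as strong as the randomness of the word choice, which is why the words must be picked at random rather than chosen to be meaningful.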


So how can you make sure your staff’s passwords are strong and safe?

This will need to be led by the CEO and senior management team, in conjunction with any in-house or outsourced IT support. But the following tips hold true.

  1. Find out which of your and your staff’s passwords are already known. Why not run a poll to see who has the most/least breaches? Haveibeenpwned.com is a website where you can enter your email address or telephone number and see whether your information has been captured in a data breach. As a business owner you can also register your domain and get notified when it appears in another breach.

  2. Have a clear password policy for staff and tell them why having strong, unique passwords is essential. If you need help with this, our affordable student services offer security awareness training. Why don’t you make a booking to discuss further?

  3. Enable Two-Factor Authentication (2FA) wherever you can, but especially on your email and social media accounts. Even with the best passwords, once someone knows that password the system is no longer secure. With 2FA, even if the password and username are known, the criminal won’t have access to the second verification factor, so they shouldn’t be able to just “log in”. You can find out more about 2FA here.

  4. Be wary of public wi-fi, and do not use it to log onto secure sites. Having your cybersecurity and data compliance policy clarify this is paramount.

  5. Never log onto secure sites by following a link in an email (a common phishing technique).

  6. Only use remember password facilities on personal computers where you trust any other users.

  7. Check if a domain is secure. You’re looking for https:// or a small, locked padlock symbol at the beginning of a website’s URL - this indicates the site is using a secure link. Note that this only means the connection is encrypted, not that the site is genuine: phishing sites can use HTTPS too, so still check that the domain name is the one you expect.

  8. Don’t enter passwords where someone may be able to see you typing.

  9. Never send passwords by email.

  10. Never share passwords or leave them written down next to your computer or in an easily found place. Consider getting an enterprise password manager so staff only have to remember one password and the password manager generates and remembers the rest – goodbye reused passwords.
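Tip 1 above points at Have I Been Pwned for checking what is already known. Its Pwned Passwords service also lets a password itself be checked against breach data without sending the password anywhere, using a k-anonymity range lookup: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, receives every known hash suffix with that prefix (one `SUFFIX:COUNT` per line), and looks for its own suffix locally. The example below is added here and is not code from the original article or from Have I Been Pwned. It runs entirely offline against a constructed stand-in for the API reply: the only real entry is the well-known SHA-1 of the string "password"; the other suffixes and every count are made up. The live `fetch_range_body` helper and its `User-Agent` value are assumptions about how one would wire the same logic to the real service.

```python
"""Added worked example (not code from the original article or from Have I
Been Pwned): check a password against the Pwned Passwords corpus with the
k-anonymity range API, so the password never leaves the machine.

SAMPLE_RANGES is a constructed offline stand-in for the API: the only genuine
entry is the SHA-1 of "password" (5BAA61E4...68FD8); the remaining suffixes
and all counts are invented for illustration.
"""
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed reply for prefix 5BAA6, in the API's "SUFFIX:COUNT" line format
SAMPLE_RANGES = {
    "5BAA6": """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0B1B5EEE4D7AF2D4E8F1CDEFF0F0B4C4F71:12
""",
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1 split into the 5-char prefix that is sent to the
    service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API: returns the constructed reply, or an
    empty body when the prefix is not in the sample (no known suffixes)."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_body(prefix: str, timeout: float = 10) -> str:
    """Live lookup (network; not used by the offline demo). Only the 5-char
    prefix goes over the wire, so the service never sees the password or its
    full hash. The User-Agent string is an assumed, arbitrary value."""
    req = urllib.request.Request(API_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup=offline_range_lookup) -> int:
    """How many times the password appears in breach data (0 = not found).
    `range_lookup` maps a hash prefix to the API reply body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_lookup(prefix)).get(suffix, 0)


def is_password_acceptable(password: str, range_lookup=offline_range_lookup,
                           min_length: int = 12) -> tuple[bool, str]:
    """Policy check combining the article's advice: long enough and not
    already known. The 12-character minimum is an assumed policy value."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"appears in {seen:,} breached records"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        ok, reason = is_password_acceptable(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

To run it against the live service, pass `fetch_range_body` as `range_lookup`; the logic is identical, only the source of the reply changes. Because the lookup leaks just five hex characters of the hash, it can be run from a password-policy hook or a periodic audit without the checked passwords ever being disclosed to a third party.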

What next?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.


So, what can I do?

Here at the centre, we would advise you to do three things now:

  1. Join our growing community by signing up to free core membership. You will be supported through implementing the changes you need to make to protect your business and your customers.

  2. For small and medium sized businesses in the Eastern region we would recommend that you look at improving your overall cyber resilience through the free Little Steps pathway we provide to Cyber Essentials – the basic government-backed kitemark standard for cyber security. Join the centre as a free member and we will take you as far as the CE accreditation process. And if you want to pay for the assessment, we can refer you to one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited. Certification provides free cyber insurance and full or partial protection against 99% of today’s common cyber-attacks.

  3. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.

Once you’re signed up you can access affordable cyber services carried out by our students, which can help identify vulnerabilities and protect your company from scammers and criminals. Contact us now to find out more.


Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).




The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
