
Editorial comment

Make it strong and keep it secret

According to new research, energy employees tend to use very weak passwords. The researchers analysed data from public third-party breaches that affected Fortune 500 companies and then categorised the data by industry sector.[1] The top passwords used by energy folks include: password, 123456, pa55word, snowman, 12345, default, password1 and I could go on, but you get the picture. The research concludes that poor password hygiene is causing data breaches in the sector, and that these data breaches are often dangerous and costly.


The password research was carried out by NordPass, a password manager technology company, and its advice is to create complex and unique passwords, update them regularly, store them somewhere safe (e.g. a password manager rather than a notebook), use multi-factor authentication (for an added layer of security) or a single sign-on system (which promotes using one complex password and not writing it down), and educate employees on the risks of mixing passwords for work and personal accounts.

The Colonial Pipeline hack earlier this year was possible because of poor password and cybersecurity practices. Back in June, Colonial Pipeline Chief Executive Joseph Blount told a US Senate committee that the attack occurred using a legacy Virtual Private Network (VPN) system that did not have multifactor authentication in place. That means it could be accessed through a password without a second step such as a text message, a common security safeguard in more recent software. Blount did stress that “in the case of this particular legacy VPN, it only had single-factor authentication [but] it was a complicated password, I want to be clear on that. It was not a Colonial123-type password.”

The password for Colonial’s compromised VPN has been discovered among a batch of passwords leaked on the dark web, which means a Colonial employee might have used the same password on another account that was previously hacked. To access the company’s network, the hacker needed only a compromised username and one password.
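As an added illustration (not part of this editorial, nor NordPass's or Colonial's own tooling), here is a screening routine of the kind a sign-up or password-change form can run: it rejects a candidate that appears in a leaked-credential corpus or that embeds the organisation's name in the "Colonial123" style. The corpus is a constructed stand-in built from the top passwords listed above; the lookup mirrors the hash-prefix (k-anonymity) scheme used by public breach-check services, so only the first five hex digits of the hash would ever leave the client.

```python
import hashlib

# Constructed corpus: the top energy-sector passwords listed above, standing in
# for a real third-party breach dump (an assumption made for this example).
LEAKED_PASSWORDS = ["password", "123456", "pa55word", "snowman", "12345",
                    "default", "password1"]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the digest form breach-range services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Bucket leaked hashes by their first five hex digits. A client reveals
    only that prefix; the bucket's suffixes come back and matching is local."""
    index = {}
    for pw in passwords:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def is_compromised(password: str, index=RANGE_INDEX) -> bool:
    """True if the candidate's hash appears in the leaked corpus."""
    digest = sha1_upper(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password: str, org_names=("colonial",), min_length=12):
    """Return (ok, reason). The breach check runs first: a leaked password is
    unsafe however complex it looks, which is the lesson of the VPN incident."""
    if is_compromised(password):
        return False, "appears in a known breach; choose a different one"
    lowered = password.lower()
    for name in org_names:
        if name.lower() in lowered:
            return False, f"contains the organisation name '{name}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["pa55word", "Colonial123", "short1",
                      "tripwire-kestrel-2021-lantern"]:
        print(candidate, "->", check_password(candidate))
```

The `org_names` tuple is a placeholder; a deployment would load the real list of company names, product names and site names it wants to forbid.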

In the age of working from home, the workforce is especially vulnerable to cyber security issues. In a short span of time in 2020, as the COVID-19 pandemic set in, global stay-at-home mandates necessitated the deployment of digital tools to allow for remote collaboration and work. Virtual platforms replaced physical work settings, and work processes became remote, decentralised and increasingly self-managed. A blog on the abrupt shift to remote working (published on the LSE Business Review) states that: “The sudden shift to remote work has massively amplified the problem of protecting proprietary information. As companies had to implement remote access technologies fast (or upgrade existing infrastructures) to ensure business continuity, they often fell back on improvisation. This led to the frequent neglect of even the most basic security and compliance protocols.”[2] Flashpoints include: the use of personal devices (laptops, phones, etc.) for company purposes; remote access software that talks to telecontrol equipment stationed at the office; the movement of entire workstations to homes; the (mis)use of cloud storage; unsecured new devices being used on company networks; lack of security and privacy on home-based devices; and remote setups making the discovery of a cyber breach more difficult.

The blog highlights a recent example from Munich, Germany: “The teenage daughter of a CEO of a leading real estate firm used her father’s corporate laptop to surf the web. There, she stumbled over an advertisement for a free IQ test. Curious, she downloaded the software and tested herself. The software, however, brought in a hidden program – a trojan horse – that drained the PC of work-related documents and tried to use the remote connection to the corporate network to infect other PCs in it. Fortunately, the damage could be discovered and limited to the single laptop (which needed a replacement) as the CEO had a direct line to the forensics team.”

Three things recommended to all employers by the blog? Identify and then protect important company data. Give access to information on a ‘need-to-know’ basis. Establish state-of-the-art models to track information usage and actively deny suspicious access. And don’t forget to get creative with your passwords.
