As organizations spend millions of dollars on cybersecurity technologies, too many companies are still neglecting the basics. According to Verizon, over 80% of successful cyberattacks are traced back to weak or compromised passwords. Among them is the recent cyberattack on Verkada, which compromised about 150,000 video surveillance cameras, including feeds located in Tesla manufacturing facilities, Cloudflare’s headquarters and satellite offices, and a slew of hospitals, prisons, and schools, as reported in ComputerWeekly.
In the case of Verkada, not just any password was compromised. As reported by Dark Reading, it was a “super admin” password that granted nearly unfettered access not only to all of Verkada’s surveillance cameras but also its most sensitive systems. It gets worse. According to Dark Reading, this password was shared by over 100 internal users at Verkada.
That’s a lot of people to grant “super admin” access to, particularly since the majority of organizations are adopting zero-trust security environments. Among other safeguards, zero-trust mandates that employees be given “least-privilege” systems access; this means that every employee is granted just enough systems access to perform their jobs, and no more.
As the World Digitizes, Cyber Risks Grow
The COVID-19 pandemic accelerated organizational digital transformation efforts by several years. This includes the deployment of Internet of Things (IoT) devices such as surveillance cameras. There are already more IoT devices than people on Earth, and Cisco estimates that by 2023, IoT devices will outnumber humans threefold.
The digital genie is out of its bottle, and it’s not going back in. As security solutions companies roll out new technologies in the coming years, it’s critical that organizational leaders not lose sight of the simplest yet most important step to securing their systems and devices: securing their employees’ passwords. Here are some password security lessons from the Verkada breach:
- Require that all employees use strong, unique passwords for every work-related account and enable multi-factor authentication (MFA) on all accounts that support it.
- Implement role-based access control (RBAC) with least-privilege access. It’s difficult to conceive of a scenario where 100 employees would need “super admin” access.
- Deploy a business password manager company-wide and require employees to use it.
Keeper’s zero-knowledge password management and security platform gives IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies throughout the organization. Fine-grained access controls allow administrators to set employee permissions based on their roles and responsibilities, as well as set up shared folders for individual departments, project teams, or any other group.
Keeper takes only minutes to deploy, requires minimal ongoing management, and scales to meet the needs of any size organization.