A Situation When Passwords Provide Little Protection – And What to Do About It

Sep/10/2021

Executives, please remember: Attackers do not need to know any passwords if they are already inside a computer. They can wait for the user to log in for them.

Even if you’ve moved all of your servers, programs, and storage to the cloud, passwords aren’t enough. An attacker dwelling inside a compromised computer simply waits for the user to log in, then rides that authenticated session to reach all of your assets.

To get inside a computer, all it takes is for an attacker to trick a user into clicking a link, downloading an attachment, or visiting a malicious website. Sometimes the user doesn’t need to cooperate; an attacker can exploit vulnerabilities without user interaction. None of that requires the attacker to know a password.

What you need to do:

First, focus energy on hardening user computers against attacks. The goal is to make users’ computers, including those of work-from-home users, resilient to attack. If a bad actor tricks a user into clicking on a malicious link or opening an attachment, you want the attack to bounce harmlessly off the computer’s security protection.

Second, implement specific cybersecurity controls to harden computers, including:
– Applying critical security patches.
– Using application control to only allow approved programs to execute.
– Ensuring users work from standard (non-administrator) local accounts.
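As an added example that is not part of the original post, the following PowerShell script audits a single Windows computer for the three controls listed above. It assumes Windows 10 or 11 with Windows PowerShell 5.1 or later (the LocalAccounts and AppLocker modules), is run from an elevated prompt, and only reports findings without changing anything.

```powershell
# Added audit example (not from the original post). Assumes Windows 10/11,
# Windows PowerShell 5.1+, run elevated. Reports only; changes nothing.

$findings = @()

# 1. Patching: flag the machine if the newest installed OS update is older
#    than 30 days. Get-HotFix covers Windows updates only, not third-party apps.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    $findings += 'PATCHING: no installed updates with a recorded install date.'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "PATCHING: newest update $($latest.HotFixID) dates from $($latest.InstalledOn.ToShortDateString()); older than 30 days."
}

# 2. Application control: does the effective AppLocker policy contain any rules?
#    With no rules, any program a user is tricked into running can execute.
$policy    = [xml](Get-AppLockerPolicy -Effective -Xml)
$ruleCount = @($policy.SelectNodes('//RuleCollection/*')).Count
if ($ruleCount -eq 0) {
    $findings += 'APP CONTROL: no effective AppLocker rules on this computer.'
}

# 3. Standard users: list user accounts that sit in the local Administrators
#    group. Each one is an account whose compromise hands over the whole machine.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' }
foreach ($a in $admins) {
    $findings += "LOCAL ADMIN: $($a.Name) (source: $($a.PrincipalSource)) is a local administrator."
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All three hardening controls look to be in place.'
}
```

Run it as part of a fleet check (for example through a remote session) and treat any warning as a computer where an attacker who gets in would not need a password to do damage.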

Third, keep using passwords and two-step login; they still keep attackers out as long as none of your organization’s computers has been compromised.

Please forward this to your associates to remember that password protection is useless if an attacker takes over a computer. A key to safety is to harden all computers against attacks. That gives passwords a chance to protect you.