Remote working has enlarged the attack surface dramatically, making this year’s commemoration an urgent call to action.
28 Jan 2021 is Data Privacy Day, and cybersecurity firms are eager to warn of the cyber dangers at large on this occasion.
The latest research by the cybersecurity experts at the global network of Acronis Cyber Protection Operations Centers (CPOCs) has revealed that 80% of companies do not have an established password policy. Between 15% and 20% of the passwords used in a business environment include the name of the company, making them easier to compromise.
Two recent high-profile breaches illustrate this problem: according to the researchers, before its Orion compromise, SolarWinds had been warned that one of its update servers had a publicly known password of “solarwinds123”, while former President Donald Trump’s Twitter account was hacked because the password was allegedly “maga2020!”.
Even in organizations with a password policy in place, researchers found that many rely on default passwords, with up to 50% categorized as ‘weak’. Attackers know these weak password practices are widespread and, with so many employees working from home as a result of the COVID-19 pandemic, they have targeted the less secure systems of these remote workers.
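The two weaknesses the research singles out, passwords built on the company name (as in “solarwinds123”) and unchanged defaults, are cheap to test for in a password-policy check. The following is an added example written for this article, not Acronis tooling or data; the organisation terms, default-password list and sample passwords are constructed for illustration.

```python
import re

# Reverse common letter/digit substitutions so "s0larw1nds" still matches "solarwinds".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed list of widely used default credentials (illustrative, not the article's data).
DEFAULT_PASSWORDS = {"password", "admin", "welcome", "changeme", "letmein", "qwerty"}


def normalize(password: str) -> str:
    """Lowercase and undo substitutions so pattern checks are not fooled by "S0larW1nds"."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, org_terms, min_length: int = 12) -> list:
    """Return policy findings for one password; an empty list means it passes.

    org_terms: company, brand or product names that must not appear in a password.
    """
    findings = []
    lower = password.lower()
    norm = normalize(password)
    letters_only = re.sub(r"[^a-z]", "", lower)  # strip digit/symbol padding
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    for term in org_terms:
        t = term.lower()
        if t in lower or t in norm:
            findings.append(f"contains organization term '{term}'")
            # Nothing but the term plus digit/symbol padding, e.g. "solarwinds123".
            if re.fullmatch(r"[^a-z]*" + re.escape(t) + r"[^a-z]*", lower):
                findings.append("organization term plus digits/symbols only")
    if letters_only in DEFAULT_PASSWORDS:
        findings.append("matches a common default password")
    return findings


def audit(passwords, org_terms) -> dict:
    """Summarize findings over a credential set, the way a policy audit would report them."""
    tally = {"checked": 0, "weak": 0, "contains_org_term": 0}
    for pw in passwords:
        findings = check_password(pw, org_terms)
        tally["checked"] += 1
        if findings:
            tally["weak"] += 1
        if any("organization term" in f for f in findings):
            tally["contains_org_term"] += 1
    return tally


if __name__ == "__main__":
    # Constructed sample set; the two SolarWinds variants are the pattern the article describes.
    sample = ["solarwinds123", "S0larW1nds!2021", "Welcome1", "correct-horse-battery-staple", "maga2020!"]
    print(audit(sample, ["SolarWinds"]))
```

Run against a hashed credential store this check would instead be applied at password-change time, before the hash is computed, which is where such a policy is normally enforced.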
What comes after phishing?
Analysts say that password stuffing was the second most used cyberattack last year, just behind phishing. According to Candid Wüest, VP of Cyber Protection Research, Acronis: “In making (the transition to remote-working), many companies didn’t keep their cybersecurity and data protection requirements properly in focus. Now, those companies are realizing that ensuring data privacy is a crucial part of a holistic cyber protection strategy: one that incorporates cybersecurity and data protection—and they need to enact stronger safeguards for remote workers.”
According to the firm’s research, awareness among digital users continues to lag, with 48% of employees in one survey admitting they were less likely to follow safe data practices when working from home.
Poor password hygiene and lax cybersecurity habits of remote workers are among the reasons analysts expect the financial impact of data exfiltration will soar in 2021, as bad actors can more easily access and steal valuable company data. The trend is similar to one now seen among ransomware attackers, who are stealing proprietary or embarrassing data and then threatening to publish it if the victim does not pay. Last year, Acronis identified more than 1,000 companies around the world that experienced a data leak following a ransomware attack.
Tightening authentication requirements
Data Privacy Day 2021 is an ideal opportunity to bring attention to the risks to data privacy, and Acronis and other cybersecurity experts recommend the following best safeguards:
- Multifactor authentication, which requires users to complete two or more verification methods to access a company network, system, or VPN, should be the standard for all organizations. By combining passwords with an additional verification method, such as a fingerprint scan or randomized PIN from a mobile app, the organization is still protected if an attacker guesses or breaks a user’s password.
- The zero-trust model should be adopted: all users, whether they are working remotely or operating inside the corporate network, are required to authenticate themselves, prove their authorization, and continuously validate their security to access and use company data and systems.
- User and entity behavior analytics, or UEBA, helps automate an organization’s protection. By monitoring the normal activity of users with AI and statistical analysis, the system can recognize behavior that deviates from normal patterns—particularly those that indicate a breach has occurred and data theft is underway.
Ensuring tight data security will help organizations avoid costly downtime, significant reputational damage and steep regulatory fines.