In the world of IT, cyber security measures like passwords and MFA are essential and can be the last line of defence in a live cyber-attack.

On a day-to-day basis, I.T. departments are responsible for ensuring that the sharing, storage, and accessibility of corporate data are operating at optimal levels; without internal or external forces slowing down these and other processes.

Whether it is stealing code, sensitive data or using them as part of a supply chain attack, the IT sector is commonly a target in cybercrime attacks and need to be aware of and take action to build their own cyber resilience.

A successful cyber-attack could leave systems down for potentially weeks on end, having a massive impact on how an IT company operates and it’s supply chain.

And although tech companies are improving, and indeed leading the way in some areas of cyber security, sometimes the basics can be overlooked.

Commonly used passwords

A good password is one that is complex and difficult to guess, with a combination of uppercase and lowercase letters, numbers, and special characters. Such passwords are harder for hackers to crack using brute force methods, which involve trying millions of combinations of characters until they find the right one. A good password can be the difference between a secure system and a compromised one.

One of the biggest risks of weak passwords is that they can be easily guessed by hackers. Common passwords like "123456," "password," and "qwerty" are easy to guess and are used by many people, making them a prime target for hackers.

It is vital that companies in the IT sector prioritize the use of strong passwords and implement strict password policies to ensure the security of their systems. But they don’t just create these lists themselves, they harvest previously known passwords from other criminal’s data breaches. That’s why if a password of yours ends up in a data breach, then you must assume that everyone knows it and no longer use it.

The below graphic represents the time it would take for a cybercriminal to hack (brute force) a password using current technological capabilities.

Passwords should ideally be in the green section of this table, but if one of your current passwords is in another colour - do not worry. We would just advise that change it to something more secure and unique.

The NCSC recommend use three random words followed by punctuation to create a secure and unique password. To find out more about passwords guidance, check out our Guidance | Eastern CRC (ecrcentre.co.uk).

Multi Factor Authentication

Two Factor Authentication (2FA) and Multi Factor Authentication (MFA) are incredibly useful in protecting your systems, accounts and devices.

2FA and MFA are essentially two or more methods that can verify your identity. A cybercriminal may be able to crack your username or password but they do not have your fingerprint, Face ID or your mobile phone to authorise a log in attempt on a mobile authenticator app.

By enabling MFA across your systems, accounts, and devices you are providing a last line of defence in a cyberattack.

What else can I do?

Here are five other things that you can do now to improve your password security:

1. See what passwords you and your staff have which have already appeared in data breaches and change them as soon as possible.

Why not run a poll to see who has the most/least breaches? Haveibeenpwnded.com is a legit website where you can enter your email address and telephone number to see if your information has been captured in a data breach. You can also register your email address or domain and get notified if it appears in another breach.

2. Have a clear password policy for staff and tell them why having strong, unique passwords are essential. If you need some help with this, our affordable student services offer security awareness training. Why not make a booking to discuss further?

3. Enable 2FA and MFA wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is no longer secure. With 2FA or MFA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”.

4. If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – saying goodbye to reused passwords.

5. Join the ECRC with free membership. Core members receive regular updates which include the latest guidance, news, and security updates as well as a series of "little steps" emails designed to get your business cyber resilient.

Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.

We provide free guidance on our website and we would always encourage you to sign up for our free core membership. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Report a phishing attack

If you suspect a phishing attack, please report it to the Suspicious Email Reporting Services (SERS) set up by the NCSC at: report@phising.gov.uk

Text messages can be forwarded to 7726