Victoria Police has raised the bar on password security for Australian consumers to dizzying heights, marking Stay Safe Online Week with an exhortation for users to use passwords with at least 16 characters in them and to rely on 2-factor authentication for bank accounts, social media, and online payments.
The tweeted advice – which suggests that the average password length of 8 characters, found in one analysis of 5 million Gmail credentials, is far too short – comes as cybersecurity agencies in Australia and around the world renew calls for users to be more vigilant against potential cybersecurity breaches, attacks, and social-engineering exploits.
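To show why the 16-character advice matters more than any particular "complexity" rule, here is a small added example (not code from Victoria Police or from the article) that estimates the brute-force guess space of a password from its length and character classes and checks it against a 16-character minimum. The 10 billion guesses-per-second attacker rate and the short list of common patterns are assumptions chosen for illustration; the figures are an upper bound that assumes randomly chosen characters, so real human-chosen passwords are weaker than the estimate.

```python
import math
import string
from typing import List

# Character classes used to estimate the size of the guess space.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

MIN_LENGTH = 16  # the minimum length recommended in the advice above


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers the password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (e.g. spaces) each add one symbol.
    extra = {c for c in password
             if not any(c in chars for chars in CLASSES.values())}
    return size + len(extra)


def strength_bits(password: str) -> float:
    """Upper-bound brute-force strength in bits: log2(alphabet ** length).

    This assumes every character was chosen uniformly at random, which
    human-chosen passwords never are, so treat it as a ceiling."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years for an offline attacker to try the whole guess space.

    The 1e10 guesses/s rate is an assumed round figure for illustration."""
    seconds = 2 ** strength_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def check_policy(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    lowered = password.lower()
    # Assumed, deliberately tiny list of patterns; a real check would use a
    # breached-password list rather than a handful of strings.
    if any(word in lowered for word in ("password", "qwerty", "123456")):
        problems.append("contains a common pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: an 8-character mixed-case one and a
    # 16-character random-looking one.
    for pw in ("Tr0ub4d0", "N7$kqwLm2#pZx9vR"):
        print(f"{pw!r}: {strength_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.2e} years to exhaust, "
              f"problems={check_policy(pw)}")
```

The point the numbers make is that doubling length from 8 to 16 characters roughly squares the guess space, which dwarfs the gain from adding another character class to a short password; a policy should therefore lead with length, and 2-factor authentication limits the damage when a password is stolen outright rather than guessed.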
WatchGuard’s recent second-quarter Internet Security Report warned that growing use of the open-source Mimikatz tool – which accounted for 36 percent of top malware during the quarter and was the most common malware for the first time ever – confirmed that cybercriminals were increasingly focusing on stealing users’ credentials. So, too, did findings that brute-force attacks against web servers were on the rise – even as WatchGuard warned that almost half of all malware is able to circumvent legacy antivirus solutions.
Attackers are notching up more and more victims as time progresses. The Australian Competition & Consumer Commission warned that losses to online scams were continuing to add up, with this year already seeing $37m in losses across 51,000 reports of scammers using phishing, false billing, and fake online stores to steal personal information or commit financial fraud.
Recent analysis by Mimecast found that fully 25 percent of emails were cleared by email security systems even though they were “unsafe” – reinforcing claims by ACCC deputy chair Delia Rickard, who said in a statement that the scams were often “difficult to spot”. People should, she said, safeguard personal details online “the same way you would your wallet. If something seems too good to be true, it probably is.”
Videos produced by the government for Stay Smart Online Week reinforce messages about staying secure online, while firms as varied as Hueya and US-based Home Instead Senior Care are offering courses to teach better security practices, and mainstream media attention focused on social media – which has been linked with a surge in business email compromise (BEC) fraud.
The warnings come amidst an escalating climate of compromise, with ‘brandjacking’ continuing to rise and expected to do so even more as the holiday shopping season hits full swing. Proofpoint recently warned of the hack of PornHub and other popular sites with a fake browser-update scheme. And the latest Webroot Quarterly Threat Trends Report found that an average of 1.385 million phishing sites are created every month, with phishing growing at “an unprecedented rate” and many sites shut down after 4 to 8 hours to avoid detection.
“Australia and New Zealand continue to be a hotbed for phishing attacks,” Webroot senior information security analyst Dan Slattery said in a statement. “With the personalisation and sophistication used by cybercriminals, it’s even difficult for hardened security professionals to determine which emails are safe or infected. We need a combination of user education and a business-wide solution to keep phishing attacks at bay.”
Insecure consumer behaviour has direct implications for the security of the companies those consumers work for – particularly small businesses, which tend to have less sophisticated cybersecurity protections and report ongoing problems finding skilled security staff. Experts have urged SMBs to embrace cloud-based security solutions “ASAP” to close the gap, while cybersecurity insurance provider Cyber Plus recently launched a Small Business Bundle combining Australian-made multi-factor authentication, email security, and encrypted file sharing tools.
The vulnerabilities are a global problem: the UK’s National Cyber Security Centre, for one, this week offered a new guide to help small businesses protect themselves online. Its five-step program includes backing up data, using strong passwords, protecting against malware, keeping devices safe, and avoiding phishing attacks.