Over the years, we’ve implemented a number of increased security measures and this continues to evolve. In many cases these measures are mildly inconvenient and it’s tempting to assume they are unnecessary or even slightly paranoid. We’d like to take a little bit of time to discuss that. We don’t believe that it’s time to don the tinfoil hats, given the overwhelming number of security breaches attributed to poor password security.

Historically, IT people would install infrastructure with default passwords, with the intention of changing them after the fact. We take a certain amount of pride that with our company history, and the fact that we started in the Internet banking space, that this has never been our way. This left us ahead of a lot of our competition, but the world has moved on and there is a danger that we get a little complacent.

For example, we frequently point out to customers that have used BlackBerry, that we can log on to their Exchange Server as an admin and read all of their mail by logging on to OWA (Outlook Web App) as a BES (Blackberry Enterprise Server) admin with the default password.

Let’s take an example of a horrible ‘default password’ practice that some companies use – applying the same password for all their server installs, across all of their customers. This means that all of their clients, IT team, and anyone else who has ever worked closely with or for them has a logon to all of their customer’s networks. Add a remote access viewer, like TeamViewer into that mix and it gets very scary.

We recommend to everyone that they use Multi Factor Authentication (MFA), and that they never re-use passwords across different Web sites at home and at work. Passwords are a pain for users, so one of the best investments for company and personal security is a password manager such as 1Password or LastPass – taking the pain out of having a unique password for everything.

Why must we increase security all the time? The reasons are that we are continually under attack and so are our customers. We know that sounds melodramatic, but now that we have the tools in place to track this, we are seeing the attempts in action.

We’re not going to outline details of attacks on our customers to the viewing public, that would be more than a little ironic! However, we do want to finish with some proof that Quorum, our current and future customers are under the threat of some form of attack. We did some investigating using one of our owner’s email addresses.

According to https://haveibeenpwned.com/, sites that his email has been registered with have been breached at least 10 times, meaning his email address is on quite a few stolen lists. Since we don’t reuse passwords, we change them regularly, and we have MFA – we are ok – but those lists are constantly being bought and sold and there are now a lot of attempts at attacking us, using these old credentials. The same applies for all of us who have been here a while and this is what a brief snippet of the logs look like just for Office 365:

There is nothing we can do to stop these attempts. We must ensure that we stay ahead of the attackers and increase the depth of our defences. The same applies to all of our customers and we need to make sure that we help them to avoid being breached. We know for some that these steps are painful, but breaches are worse, and this is just something that we all have to accept and deal with.

So, back to the initial question; when will this end? We believe, never, or at least not until the Internet gets switched off!