Past passwords: securing your business in 2022


In an era of increasing ransomware attacks and security breaches, SMEs must improve their processes to keep operations secure, yet poor password practices remain rampant. With 62 per cent of SMEs having experienced a cybersecurity incident, Australian businesses need to make access management a priority when addressing cybersecurity in 2022.

Despite the increased prevalence of malicious attacks, 81 per cent of hacking-related breaches still result from poor credential and password management, and many SMEs continue to regard multi-factor authentication (MFA) as costly and technologically challenging. A modern zero-trust security architecture, however, can be simple enough for SMEs to protect their operations without overcomplicating things.

When are passwords necessary and are there affordable alternatives?

Authentication factors fall into three categories: ‘something you have’, ‘something you know’, and ‘something you are’. Since a password is something you know, the question for SMEs is: in which areas of the business is ‘something you know’ absolutely necessary to secure operations?

From a user perspective, passwords are the most familiar way into programmes and systems. Most SaaS applications require a username and password unless users sign in through a single sign-on (SSO) platform such as Azure AD or Okta. With an SSO platform, passwordless technology can be used where it is native to the platform, or it can be integrated with the single identity that the access management layer already holds.

To create a more secure operation, combining hardware-based MFA with biometrics is recommended. SMEs should keep in mind that passwordless is not automatically secure; it is still technology, and it can be poorly implemented or misconfigured like anything else. However, by replacing the password with a biometric while keeping the user’s MFA workflow, SMEs will be able to gain access to a world where zero-trust security models are a

Zero trust

Zero trust encompasses more than user authentication: it also covers the device. A traditional login to a secure network typically authenticates only the user, not the device itself; zero trust authenticates both, and trust is revalidated continuously rather than granted once. This makes passwordless access in a zero-trust model easier for users and more secure for operations, since the ‘something you have’ and ‘something you are’ factors are much harder to attack than a password.

When implementing zero-trust security measures, SMEs need to remember that passwordless is not synonymous with zero trust. A zero-trust model can equally be built on passwords combined with an MFA token, a time-based one-time password (TOTP), or a hardware token.

Passwordless access reduces friction in a zero-trust model, since the user only needs to touch a hardware token, use a fingerprint scanner, or glance at a camera. When passwordless technology fails, a password-based workflow can still allow access, but that fallback then becomes the easiest path for an attacker and must be protected by MFA as well. The most important point for SMEs to remember is that there must be multiple factors from different categories: at least two of ‘something you know’, ‘something you have’, and ‘something you are’.
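As an added example (not code from the original article), here is a toy policy decision in Python that captures the two rules in the paragraphs above: the user must present factors from at least two distinct categories, and the device must be authenticated and in good posture as well, with every positive decision expiring so that trust is revalidated rather than granted once. The method-to-category table, the device inventory `KNOWN_DEVICES`, the posture attributes and the `REVALIDATE_AFTER_SECONDS` interval are assumptions made for the demonstration, not features of any particular product.

```python
"""Toy zero-trust policy decision point.

Added example, not code from the original article. The method-to-category
table, device inventory and revalidation interval are assumptions made for
the demonstration.
"""
import time
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which category each concrete authentication method belongs to (assumed table).
# A password plus a security question is still only ONE category.
METHOD_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "totp": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
    "sms_code": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}

# How long a positive decision stays valid before the caller must re-evaluate
# (hypothetical value chosen for the example).
REVALIDATE_AFTER_SECONDS = 300

# Hypothetical device inventory: only devices enrolled here are authenticated.
KNOWN_DEVICES = {"laptop-0042", "laptop-0043"}


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in device management
    disk_encrypted: bool   # posture attribute reported by the device


@dataclass
class AccessRequest:
    user: str
    methods: List[str]        # authentication methods the user completed
    device: Optional[Device]  # None when the device presented no identity


@dataclass
class Decision:
    allowed: bool
    reason: str
    issued_at: float

    def is_current(self, now: Optional[float] = None) -> bool:
        """A decision expires; zero trust revalidates instead of trusting forever."""
        now = time.time() if now is None else now
        return self.allowed and (now - self.issued_at) < REVALIDATE_AFTER_SECONDS


def distinct_categories(methods: List[str]) -> Set[Category]:
    """Map completed methods to factor categories, collapsing duplicates within a category."""
    categories = set()
    for method in methods:
        if method not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {method!r}")
        categories.add(METHOD_CATEGORY[method])
    return categories


def decide(req: AccessRequest, now: Optional[float] = None) -> Decision:
    """Allow only if the user presented two distinct factor categories
    AND the device is known and in good posture."""
    now = time.time() if now is None else now
    if len(distinct_categories(req.methods)) < 2:
        return Decision(False, "factors from at least two distinct categories required", now)
    if req.device is None or req.device.device_id not in KNOWN_DEVICES:
        return Decision(False, "device not authenticated", now)
    if not (req.device.managed and req.device.disk_encrypted):
        return Decision(False, "device posture check failed", now)
    return Decision(True, "user and device verified", now)


if __name__ == "__main__":
    laptop = Device("laptop-0042", managed=True, disk_encrypted=True)
    for methods in (["password", "security_question"], ["password", "totp"],
                    ["fingerprint", "hardware_token"]):
        d = decide(AccessRequest("alice", methods, laptop))
        print(methods, "->", "ALLOW" if d.allowed else "DENY", "-", d.reason)
```

Note that a password plus a security question is denied: both are ‘something you know’, so together they do not satisfy a multi-factor policy, and an SMS code plus a TOTP code fail for the same reason, both being ‘something you have’. A fully passwordless combination such as fingerprint plus hardware token passes, but only on a device the policy can identify, which is the user-and-device check that distinguishes zero trust from a plain user login.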

Building a zero-trust security model in the SME environment

Zero-trust security models are growing in importance as the threat environment keeps changing. It is more important than ever for SMEs to evaluate their level of security regularly and implement zero trust. No user or asset should be implicitly trusted all the time; SMEs should continuously revalidate the operational state of assets and individuals and re-establish trust each time.

Building and implementing a zero-trust security model can be daunting for SMEs, which is why managed service providers actively work with SMEs to improve operational security. If in doubt, consult an expert, and start 2022 off the right way, ensuring your operations and data are secure.