What can we learn from the LastPass breach?

February 9, 2026 | Keeper
Sean O'Neill


A £1.2 million fine is quite a reminder of what’s at risk when security fails. As we highlighted in our Cybersecurity Roundup at the end of last year, this was the penalty that the Information Commissioner’s Office (ICO) issued to LastPass UK Ltd following an investigation into a 2022 data breach. In this article, we’ll look at what it means for password security, provider choice and trust in password managers.

LastPass breach: what happened?

The ICO’s investigation revealed that the breach compromised the personal information of up to 1.6 million UK users. A hacker was able to access a personal laptop of a LastPass employee, enabling them to then reach another employee’s corporate device that contained a backup of the company’s customer database.

The attacker was able to extract a significant amount of personal data that included customer names, email addresses, phone numbers and stored website URLs. They did not gain access to users’ password vaults, but it’s still a major incident. For MSPs and the organisations they support, it shows that password security is not just a technical consideration you tick off a list, but a matter of regulatory compliance and customer trust.

A high-profile breach like this could make organisations cautious about the safety of password managers in general. In most cases, however, the issue lies with how the solution is designed and implemented, not with the concept itself.

Why businesses can’t afford to ignore password security

Password security is a fundamental part of the security status of any company. This is hardly groundbreaking news to anyone who works in cybersecurity, but a worrying number of businesses have no password protection whatsoever.

There are still businesses out there with unsecure, non-methodical ways of storing passwords. Notepads, spreadsheets, text files and unprotected browser password managers can’t offer protection the same way a secure password manager does.

It’s important to keep this message loud and clear to clients, especially if they express any scepticism about cybersecurity vendors due to a breach like this.

Leading by example in password management

The LastPass incident is also a reminder that the IT channel needs to make sure internal security is as tight as possible. This goes all the way from vendors and distributors to MSPs and VARs.

This is vital for the credibility of the industry – to be blunt, end users expect us to practise what we preach. But it goes beyond sectoral interests. MSPs and the channel partners who supply them play an increasingly important role in protecting businesses from an ever more complex threat landscape.

This means that channel businesses have the most privileged admin-level access – to servers, DNS, mail policies and just about every other part of their customers’ infrastructure. Any breach for an MSP could put all those customers’ assets at risk. It may seem an obvious point, but an internal security review is always a good idea.

Choosing a secure password manager

Back to our main theme, a well-built password manager remains one of the best ways to store login credentials securely. It helps eliminate weak or reused passwords and it improves visibility for IT teams.

This is where provider choice matters, though. Not all password managers are designed or built the same way. Keeper is an example of a platform designed with security at its core. Each password, file and piece of metadata is encrypted locally on the user’s device using its own unique key before syncing. This effectively limits the impact of any potential breaches. Keeper also offers role-based access controls, detailed audit logging and, most of all, a zero-trust, zero-knowledge architecture, meaning that admins and even Keeper staff cannot see other people’s passwords.

At Brigantia, it’s trust that supports every recommendation we make. We rigorously assess our vendors before adding them to our portfolio, as every choice we make is done with a focus on quality, reliability and MSP-friendliness. Keeper is one example of our vendor selection process in action, and a great recommendation for those many businesses failing to protect their passwords.

How Brigantia can help

If you’d like to learn more about Keeper or other methods of access management, get in touch with us or head to our website for further information.
