Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Longer is stronger: why password length matters

How long is your password? If it’s only six characters long, made up of numbers, symbols and a mix of upper and lowercase letters, a hacker can guess it almost immediately. But did you know that by doubling it in length, even if it only included upper and lowercase letters, it would take six years to crack? And an 18-character pass-phrase with only lower case letters would take 481,000 years to guess using brute force. That’s one of the many fascinating insights from Hive Systems’ 2023 Password Table.

It’s a deep dive that’s worth taking time to digest, with plenty more variations than the example we gave above. (For example, NIST recommends eight-character passwords, but an attacker using RTX 4090 hardware could guess one in under an hour.) It’s both a timely reminder to refresh our own password use and a prompt to think about the policies and requirements we apply for accessing the important services our organisations rely on.
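To see why length outweighs character-set size, the following added example (not from Hive Systems or this article) computes the search space and its size in bits for the three policies quoted above; the character-set sizes (26, 52 and 95) are an assumption of the example, and the guess rate is left as a parameter rather than taken from any hardware figure.

```python
import math

# Character-set sizes assumed for the three policies quoted in the article
# (the article gives lengths and character classes, not set sizes; these are
# the usual US-keyboard counts and are an assumption of this example).
LOWER = 26
MIXED_CASE = 52
FULL = 95  # upper + lower + digits + printable symbols


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords a brute-force search must consider."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Search-space size expressed in bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def expected_time_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average time to find a password at a given guess rate (half the keyspace)."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


# The three configurations the article contrasts.
POLICIES = {
    "6 chars, full set": (FULL, 6),
    "12 chars, upper+lower": (MIXED_CASE, 12),
    "18 chars, lowercase only": (LOWER, 18),
}


def rank_policies(policies=POLICIES):
    """Return policy names ordered from weakest to strongest by entropy."""
    return sorted(policies, key=lambda name: entropy_bits(*policies[name]))


if __name__ == "__main__":
    for name, (size, length) in POLICIES.items():
        print(f"{name:26s} {entropy_bits(size, length):6.1f} bits")
    print("weakest to strongest:", rank_policies())
```

Each extra lowercase character adds about 4.7 bits, so the 18-character lowercase pass-phrase (roughly 85 bits) is far stronger than six characters drawn from the full printable set (roughly 39 bits), which is the point a length-first password policy rests on.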

Data protection and privacy roundup

The European Data Protection Board has released a guide for SMEs about respecting individuals’ rights under GDPR. It’s a scrollable online guide, written in plain English with graphics aimed at educating an audience that’s not necessarily familiar with the finer points of privacy law. The guide’s 12 sections include a checklist on what to do, how to handle a data subject’s rights request, and a table that breaks down which rights apply in which situations. It’s available to read here.

Separately, CyberScoop has looked at how the rules will change for EU citizens interacting with big tech companies, compared to their American counterparts. Specifically, it’s looking through the lens of the Digital Services Act, which imposes certain obligations on large tech platforms, including transparency requirements and banning user targeting with ads based on sensitive information.

Business Email Compromise: a scam on the rise

Business email compromise (BEC) scams are raking in more cash for fraudsters, who are evolving their tactics to avoid detection. Security company Trustwave tracked a noticeable increase in this kind of activity in early 2023. Meanwhile the FBI reports that losses resulting from the crime came to a staggering $2.7 billion last year. Trustwave said BEC incidents were up by 25 per cent in Q1 of this year compared to the same period in 2022. However, attacks dropped by 31 per cent during the second quarter, the company said.

Among the most popular lures and themes for the scams was payroll diversion, where the scammer asks to change their bank account or direct debit information. The next most popular ruse is to ask for the recipient’s mobile number or personal email address. Other tactics include asking for help with an urgent task, short emails to check if the victim is available, or ordering the recipient to get money ready for a wire transfer.

Separately, the security provider Cloudflare said that identity deception like that used in BEC scams can “easily bypass email authentication standards”. Its 2023 phishing threats report combines findings from email security data with a survey of security decision makers. The World Economic Forum has a useful blog with tips on safeguarding against BEC scams.

Links we liked

Good thread on what happens if your cloud provider is hit with ransomware.

The rise of certifications in cybersecurity, and the case for a new approach.

A word of caution from the UK NCSC about using large language models.

Meet Window Snyder, whose pioneering work helped make the internet safer.

This article draws parallels between security breaches and moral panic.

Mental health awareness is growing in the cybersecurity field, but is it enough?

Car makers’ drive for data is failing customers’ privacy rights.

As social engineering tactics improve, how can potential victims fight back?

Old vulnerabilities are still a big problem, security companies find.

Is your board paying lip service to cybersecurity?

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe.

Sign up here

About the Author: Veronica Meehan
