Ultimate Deal Security Part 5: Cybersecurity - based on user naivety

Learn how to achieve ultimate deal security in part 5 of our 8-part series for advisors, written by Ansarada CTO Owen Senior.

By Ansarada | Mon Apr 20 2020 | Security and risk management

Most systems enforce complex passwords and regular password resets. But if you are relying on that alone to ensure your virtual data room (VDR) is secure, you are treading on thin ice.

The good news is it’s easy to fix - but you need to hear the bad news first to know what needs fixing.
Here are two problems with relying on password complexity alone.
 

Problem 1: Buy-side behaviour with passwords

We’ve all seen people who have their passwords on a post-it note stuck to the monitor.

You might say, “but we wouldn’t do that at our advisory!” While this may be true, any specialist you invite in on the sell-side may use post-it notes. And buy-side leakage still creates risk. You can’t check everyone else’s monitors for post-it notes!
 

Problem 2: Breach lists (Your password is probably on a list!)

When hackers breach a major site or system (and there are hundreds - see here), they gather up all the usernames, emails and passwords and add them to lists on the dark web. So if you have a criminal mind, you can go and buy lists of billions of usernames and passwords.

Let’s say your password is very complex indeed, but you used it on a site that was breached (again, there are hundreds). That password, and its association with you, is now on those lists.

Hackers use these breach lists to do what is called ‘credential stuffing’ - to attempt to log into systems using known breached passwords. They spray systems with these attempts with a surprisingly high success rate. If you want, you can go and have a try yourself right here.

This is the problem. Systems that rely on password complexity aren’t dealing with the problem of breach lists.
 

There's more...

There are more challenges than these two, but these two cases hopefully illustrate the inadequacy of relying on complex passwords.
 

How Ansarada responds (and how you can respond)

There are actually many, many measures we take at Ansarada, including blocking dark web endpoints and using best-in-class identity management (via Auth0).

But how can you as an advisor respond to these deal security challenges? That’s what we want to draw out here, because much of this is in your hands.
 

1. Ensure you pick a VDR provider that checks breach lists and doesn’t merely rely on complexity

  • Ansarada does this for you via the identity system we use (Auth0).
  • This is free on the 360 tier of our product.
  • Want more detail for your security & compliance teams? Read more here.
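
The difference between a complexity check and a breach-list check, as an added example (not Ansarada's or Auth0's code; the page does not describe how they implement it). The breach corpus is constructed sample data, and the prefix-bucket lookup is an assumed design that lets a client query a list without sending the full password hash.

```python
import hashlib
import re

# Constructed sample corpus standing in for a breach list (not real breach data).
CONSTRUCTED_BREACHED = ["Summer2020!Deal", "P@ssw0rd123!", "Tr0ub4dor&3xample"]


def sha1_hex(password):
    # SHA-1 is used here only as a lookup key into the list, not for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Group breached-password hashes by their first 5 hex characters."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_lookup(index, prefix):
    """Return every hash suffix in one bucket; the caller only reveals the prefix."""
    return dict(index.get(prefix, {}))


def meets_complexity(password):
    """A typical complexity rule: 10+ characters and four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= 10 and all(re.search(c, password) for c in classes)


def evaluate(password, index):
    """Accept a password only if it is complex AND absent from the breach list."""
    digest = sha1_hex(password)
    breached = digest[5:] in range_lookup(index, digest[:5])
    complex_ok = meets_complexity(password)
    return {"complex": complex_ok, "breached": breached,
            "accept": complex_ok and not breached}


INDEX = build_index(CONSTRUCTED_BREACHED)

if __name__ == "__main__":
    for candidate in ("Summer2020!Deal", "correct-Horse-7-battery", "short"):
        print(candidate, evaluate(candidate, INDEX))
```

The first candidate passes the complexity rule and is still rejected, which is the case a complexity-only system misses.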


2. Use 2-factor authentication (2FA) on the sell-side - via Single Sign On (SSO) and your own 2FA, or via our native 2FA

  • 2-factor or multi-factor authentication is where you don’t just provide a password, but also enter a code delivered to your phone or other device.
  • This is common in internet banking.
  • It means even if your password is compromised, there is a 2nd layer of defence.
  • Ansarada can integrate with your enterprise single sign on systems (free on 360), in which case your SSO provider should have an MFA you can use. Alternatively, you can use our out-of-the-box MFA on a 360 tier (or as an add-on).


3. Use 2-factor authentication on the buy-side

  • Ansarada’s MFA offering allows you to require your buy-side to use 2FA. This is supported via the Ansarada system without requiring you to set up anything at your end. It directly addresses poor buy-side password behaviour and protects your deal.


4. Consider IP whitelisting for your deal

  • For further defence, you can limit IP ranges that can log into your deal. That means you could limit it to the IP addresses of known buyers, furthering protection against access outside certain geographies.
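
How an IP allowlist decision can be evaluated, as an added example (not Ansarada's code). The ranges are constructed documentation addresses standing in for known buyer offices; the function names are hypothetical.

```python
import ipaddress


def parse_allowlist(cidrs):
    """Parse CIDR strings into networks.

    strict=True rejects entries with host bits set (e.g. 203.0.113.7/24),
    so an ambiguous entry is refused instead of being quietly rounded to a range.
    """
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs]


def normalise(addr_text):
    """Parse a source address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(addr_text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(addr_text, allowlist):
    """Return True only if the source address falls inside an allowed range.

    Anything that cannot be parsed is denied (fail closed).
    """
    try:
        addr = normalise(addr_text)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in allowlist)


# Constructed allowlist: one IPv4 office range and one IPv6 range.
ALLOWLIST = parse_allowlist(["203.0.113.0/24", "2001:db8:10::/48"])

if __name__ == "__main__":
    for source in ("203.0.113.45", "::ffff:203.0.113.45",
                   "198.51.100.9", "2001:db8:10::1", "not-an-ip"):
        print(source, is_allowed(source, ALLOWLIST))
```

A buyer logging in from outside the listed ranges, for example while travelling, is denied.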


5. Encourage your team and your buy-side to use a password manager (e.g. https://1password.com/ or alternatives)

  • This encourages people to set up complex, challenging, unique passwords knowing that they don’t have to remember them.

In all of this, you need to consider the simplicity of use as well as the non-negotiable of security:
  • Do you want to force your buy-side to use their phone for a security code (2FA), or allow them to just log in?
  • Do you want to limit access from anywhere other than the buy-side offices, or also allow access when they are travelling and at any IP address? 
These are considerations to take seriously. Ease of use certainly matters.

But take care, because the modern environment is one of rising threats and Ansarada would advise you to raise the bar based on the options that you have at your disposal. If you use the options Ansarada gives you, then you’ll have ultimate deal security in this aspect of password management.

Next in the series, we turn to the platform itself. Ansarada provides Virtual Data Rooms and its Pathways system from the same highly secure platform. The question we want to ask next is, how do you have confidence in the cybersecurity of any vendor you use?

Owen Senior has been working with software product companies for over 20 years and with secure SaaS products since 2004 - working with business stakeholders, technology and information security experts to ensure systems are both easy to use and secure.
Owen Senior, Chief Technology Officer, Ansarada