Meet Zettasecure

Zettasecure GmbH is a cybersecurity consulting firm based in Vienna, Austria. It specializes in cybersecurity services for small and midsize businesses.

Founded in 2020, Zettasecure was driven by Philipp Mandl’s experience in a large enterprise security operations center (SOC). After successfully building and managing a SOC, he saw an opportunity to create a similar service offering comprehensive security solutions with the expertise he had gained.

The company also provides a managed SOC for continuous monitoring and tailored cybersecurity support, mitigating threats affordably and without relying on high-cost solutions. Currently, they cater mainly to German-speaking countries, such as Switzerland, Germany, and Austria.

Password managers matter as much as antivirus systems

From his experience as an MSSP, Philipp Mandl finds that companies often believe that if they already have antivirus software, for example, they are cybersecure. However, sound password management is a necessity equivalent to an antivirus or firewall system—without it, the company won’t be as secure. After all, password managers are a best practice to comply with NIS2 requirements.

One of Zettasecure’s first clients in need of a password manager came to them with a unique challenge: they wanted not only a centralized and intuitive password management tool but also one that would allow them to get notified in real time when data loss occurred. In other words, they wanted to know if a malicious IP had logged into the password manager and was now trying to copy all the passwords as fast as possible, or to share them with multiple sources that shouldn’t be shared per company rules.

As their MSSP, Zettasecure was happy to offer a solution: NordPass, a password manager that has a centralized and smooth user onboarding and offboarding that the IT team manages through the NordPass Admin Panel.

Additionally, NordPass provides an Activity Log API that became a holy grail for this client’s use case. The Activity Log API is a NordPass Enterprise feature that helps companies manage employee access and monitor the organization’s activities. Zettasecure coupled this feature with XDR (extended detection and response) by pushing the data collected via the Activity Log API to SIEM so they could:

• Get an alert or set an automation rule on a third-party tool

• Get notified about user activity outside of working hours

• Automate emails/messages to a user who hasn’t used NordPass in X days.

This works similarly if a threat actor is within the company and tries to search for specific passwords or copy them from NordPass as quickly as possible. Zettasecure noted that if a user is excessively viewing or copying passwords from NordPass, they mark it as malicious via the XDR platform, so that the company can automatically tackle this threat actor by locking down their computer and investigating what’s happening.

The CEO of Zettasecure believes that NordPass and the XDR solution have become a perfect fit that he can now offer to his customers and happily uses at his own company.

Sharing passwords in a secure way

The other Zettasecure client faced yet another challenge. This company is in the transportation business and was looking for a way to share passwords safely among their teams. Namely, they have several departments, like legal and finance, that use certain shared accounts.

NordPass came through as a tool that was just right for their needs. With Shared Folders, employees can now easily share passwords in bulk and have all the necessary access at hand by simply autofilling credentials when needed. This eased the company’s stress on handling access quickly and securely among the teams.

In addition, NordPass provided the company with other great benefits that further improved its security and convenience. For instance, it allows the client to see who has access to what accounts in the company via the Admin Panel, helping to streamline compliance. Additionally, when an employee is offboarding, the company can quickly transfer data to their colleague, so no access is ever lost.

A password manager helps to save companies’ money

Sometimes, convincing people that they need an additional app to manage only their company’s passwords can be hard. After all, they already use a built-in browser password manager, and it’s already there.

However, Philipp Mandl believes this line of thought is a big issue: a built-in browser password manager doesn’t help a company see possible cyber threats coming their way, which can have devastating consequences. For example, such password managers are particularly vulnerable to malware attacks: when malware appears on the device, it simply copies browser cookies and their stored passwords.

And there’s always a human error: most data breaches occur when someone accidentally enters their credentials on a phishing website, which is then leaked on the darknet. That’s why it’s crucial to invest in a dedicated password manager.

So, it’s no surprise that the most used NordPass feature among Zettasecure clients is the Data Breach Scanner. It allows companies to catch whether any of their email domains or passwords have ever appeared in a data breach. If such data is ever found in a data breach, the company gets timely alerts so they can act quickly to mitigate the cyber threats. NordPass includes the Data Breach Scanner in all of its Business plans without any additional cost.

Philipp says that it allows their customers to save thousands of euros if they notice that their data appeared in a breach so they can act proactively to prevent their credentials from ending up on the dark web. MSSPs, as Zettasecure, can also monitor the security health of their end-users through the MSP Admin Panel and alter their clients if needed.

A password manager fit for an MSSP

When choosing which password manager to partner with, there were a few decisions why Zettasecure chose NordPass:

• Zero-knowledge architecture: NordPass’ end-to-end encryption and zero-knowledge architecture ensure the finest privacy and security standards for MSPs and their clients.

• Activity Log API helps manage client employee access and monitor company activities. For extra security, MSPs can effortlessly import data collected through the Activity Log API into SIEM and then use XDR, a technology that collects and automatically correlates data across multiple layers of security. This enables alerts and immediate response in case of a cyber threat.

• Data Breach Scanner scans the dark web for data breaches involving the client company’s email domains or passwords. If such data is ever found, the client receives a timely alert. This tool is included in all Business plans.

• No hidden costs: NordPass has transparent pricing across all Business tiers for MSPs and their clients.

  So, if you are looking for a way to improve your clients’ security, please reach out to our experts today to learn more about NordPass for MSPs.

Phishing

According to Verizon’s 2024 Data Breach Investigations Report (DBIR), 68% of company data breaches involved non-malicious human elements, like social engineering. The FBI reported that, in 2023, phishing accounted for 34% of complaints, making it the most reported type of cybercrime.

A phishing attack is a form of social engineering in which the attacker mimics a legitimate contact to trick an unsuspecting user into clicking on a malicious link, luring out their sensitive data, or infecting their device with malware. Over the years, phishing scams have become increasingly sophisticated, making it harder to identify them.

There are a few things you can do to secure your business from a phishing attack. First, you need to get the entire staff on the same page. Educate them about the intricacies of phishing and provide avenues to report any suspicious events. You should also enable anti-phishing filters within your company’s email and consider installing additional security software optimized to detect fraudulent emails.

Ransomware

Ransomware hits SMBs at an incredible rate. Datto’s Global State of the Channel Ransomware Report notes that 85% of managed service providers (MSPs) reported ransomware attacks targeting their clients. In the first quarter of 2024, companies with up to 1,000 employees accounted for nearly 75% of all ransomware attacks. In most cases, phishing emails are behind ransomware threats.

During a ransomware attack, data on the affected computer is almost instantly encrypted, making it unusable in any context unless it is decrypted. Once the files are encrypted, the attackers demand a ransom—hence the name—in return for the decryption procedure.

One of the best ways to defend your company’s data from a ransomware attack is by making regular software updates and data backups. Software updates, including OSs, ensure that no security gaps can be exploited by bad actors. At the same time, data backups allow you to be safe even if any of your data is compromised. Another step is deploying company-wide antimalware and antivirus software that can detect any malware before it does any harm to your company’s network.

Viruses

Viruses are perhaps some of the most common cybersecurity threats affecting businesses and individuals alike. They’re pieces of software that, when installed upon a device and activated, start executing various malicious commands.

Viruses can be transmitted to a device via hardware and software. Connecting a suspicious USB flash drive containing a virus to a device is a common strategy for spreading malware. Phishing is also frequently combined with viruses—if a user downloads a suspicious attachment or opens a scam website, their device can be infected.

The damage that a virus causes depends on its programmed purpose. Some viruses might slow down a device and use its resources to mine cryptocurrencies in a process known as cryptojacking. Others lurk in the system, granting access to all inner files without the victim noticing. Keyloggers are a type of virus that can read the user’s keyboard input, allowing them to steal credentials and similar sensitive information.

Businesses are often targeted using viruses that can take over the whole internal network of computers, leading to ransom demands. Trojans, in particular, are dangerous, as they can destroy the entire system from within.

For small businesses, viruses can cause irreparable damage, starting from compromised and lost data to hardware damage and replacement demands. As viruses become increasingly sophisticated, they require more expensive measures than regular antivirus software. They might also exploit out-of-date software with security vulnerabilities.

Preventing an organization’s devices from acquiring viruses calls for similar measures and phishing or ransomware protection. Companies must ensure all devices are up-to-date to avoid zero-day exploits or similar security gaps. All devices should be regularly monitored by antivirus software, and IT teams should be informed if suspicious programs or files appear on the device or if a user has opened a phishing email or website. Companies can also use anti-phishing and anti-malware plug-ins for their email services to prevent employees from accidentally downloading viruses.

Weak passwords

As far as market research is concerned, weak passwords are the biggest threat to cybersecurity for small businesses. Here’s just a handful of studies and reports that reveal password vulnerabilities in practice:

• Verizon’s 2024 Data Breach Investigations Report (DBIR) notes that 77% of hacking-related breaches are linked to stolen credentials.

• NordPass’ study of the 200 most common passwords in 2024 revealed that a whopping 79% of the world’s most popular passwords could be cracked in under a second.

• A study into the password habits of Fortune 500 companies highlighted that even the biggest players out there struggle with password security, with 20% of the passwords being the exact name of the company or some variation.

Ensuring password security in a business environment is not that complicated. A password management solution should be on the company’s must-have list, no matter its size or market. A password manager such as NordPass allows businesses not only to securely store valuable login information but also share it within the confines of the organization. Additionally, it increases employee productivity and helps you meet compliance requirements.

Cloud computing

Cloud computing products are a huge part of today’s business. Nearly all SMBs use cloud-based applications in one way or another, whether for productivity or security benefits. In many instances, cloud computing solutions are highly scalable. However, as helpful as cloud computing solutions are for business IT security, organizations must understand that such products have their risks.

When it comes to cloud-based applications, it is essential to evaluate their security posture. For instance, zero-knowledge architecture is one thing to look for in applications, as it ensures the privacy and security of any data that the application handles. To reap all of the cloud’s benefits, such as scalability, flexibility, and reduced IT costs, SMBs must develop a cloud security plan to clearly define security policies and procedures for using cloud-based applications.

Cybersecurity tips for small businesses

Establishing the right cybersecurity practices in an SMB does not have to be a costly affair. A large chunk of what makes small business IT security function like a well-oiled machine is down to employee awareness and correct credential management practices. Here are some cost-efficient ways you can employ safe practices in your organization:

• Ensure employee education. As you can tell, password mismanagement is a massive problem for company data security. This misuse often stems from a lack of employee awareness. Provide your team with regular training on cybersecurity practices, digital threats, and how to keep themselves protected from bad actors.

• Perform routine security checks. Zero-day exploits are beloved by hackers as an easy way in to systems. The best way to protect your company devices from unwanted visitors is to lock the backdoors by keeping all systems and software up-to-date and running regular checks for vulnerabilities.

• Install a strong antivirus. If you or another employee find a suspicious .exe file on your desktop, the first course of action is to quarantine it. This can be easily done by installing antivirus software on every company-run computer. SMB and enterprise antivirus solutions simplify this process by keeping all computers in the same network protected.

• Add spam filters to company email. Scammers who use social engineering are efficient at producing realistic emails that can trick even professionals. To avoid incidents of opening fishy attachments or logging in to a spoof portal, add a spam filter to your organization’s email inboxes that lets employees easily flag and report suspicious emails.

• Use a password manager. Contrary to popular belief, password managers aren’t just useful for generating complex, unique passwords. Business password managers like NordPass also offer centralized controls, such as setting up password policies, observing all organizational activity, or managing shared access between all employees.

• Enforce multi-factor authentication (MFA). In the 2020s, a password is no longer enough to protect your organization’s sensitive information. To improve their security measures, many companies enforce multi-factor authentication use for all work-related accounts. NordPass Authenticator even lets you store your MFA codes with your login credentials and autofill everything at once.

The logic is that passwords should be stronger when passwords are the only measure between a cybercriminal and your accounts.

The HIPAA Security Rule

The HIPAA Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establishes a standard for protecting electronic protected health information (ePHI).

The Security Rule states that healthcare organizations should follow basic information security principles. In other words, the “confidentiality, integrity, and availability of all e-PHI” should be upheld for all protected health data created, stored, or shared by the organization.

Upholding these tenets involves protection against anticipated threats or breaches. While the Security Rule does not define specific password protocols, proper password policies and hygiene are implicit in many requirements — under administrative and technical safeguards.

In principle, the Security Rule can be met by following the agreed-upon best practices for cybersecurity and information security which, inevitably, involve a strong password policy.

The PCI-DSS password guidelines

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that applies to all entities that process, store, or transmit personal and payment information. It consists of 12 requirements. Like HIPAA’s Security Rule and the CIS Controls, it mirrors the best cybersecurity practices that mitigate cyber risk and safeguard data.

Requirement two of the Standard stipulates that businesses should change all default system passwords. Not doing so, the document states, is the equivalent of “leaving your store unlocked when you go home for the night.”

Requirement eight is to “identify and authenticate access.” Strong passwords and multi-factor authentication are encouraged as essential measures to protect cardholder data.

The NIST Password Policy

The National Institute of Standards and Technology (NIST) is a U.S. federal agency that has become a significant authority on password guidelines. The NIST password policy provides several recommendations for creating secure passwords and managing them safely. Unlike traditional advice, NIST focuses on user-friendly policies while maintaining strong security.

For instance, NIST recommends allowing longer passwords (up to 64 characters), supporting a diverse character set (including spaces and emojis), and eliminating periodic password changes unless there is evidence of compromise.

In essence, NIST encourages the creation of unique, easy-to-remember phrases instead of complex, hard-to-recall alphanumeric combinations. Their guidelines further emphasize the need for multi-factor authentication (MFA) as an additional security layer and discouraging the practice of password hinting and knowledge-based authentication questions (like your first pet’s name) which can be easily exploited.

NIST’s comprehensive approach to password security underscores its commitment to balancing user experience with robust data protection. This is why its standards are widely adopted across industries globally.

ISO/IEC 27001

The International Organization for Standardization/International Electrotechnical Commission 27001 (ISO/IEC 27001) is a voluntary certification on information security, cybersecurity, and privacy protection.

Annex A is among the best-known annexes of the ISO standard. It includes recommendations that strengthen data security. More specifically, section A.9 pertains to access control, where you’ll find guidelines for password management.

To protect the confidentiality of sensitive data, the ISO guidelines recommend “strong passwords” and a “password management system” in addition to multi-factor authentication.

Password policy recommendations

All well-known cybersecurity standards recommend using strong passwords and good password management or hygiene. But what exactly does that mean?

Strong passwords

Strong passwords make a hacker’s job difficult. They are complex, long, and difficult to guess. The following guidelines can help to create passwords that meet these criteria.

Keep in mind your password policy should be calibrated by standard password criteria. Otherwise, you’ll end up with a policy that’s impossible to follow. For example, cybersecurity experts say the strongest passwords should allow spaces. However, it’s common for spaces to be prohibited.

Good password hygiene

Good password hygiene also aims to keep your passwords out of intruders’ reach — making it difficult or impossible to steal them and mitigating the damage if they are.

Why password policies (alone) are doomed to fail

There’s a reason it is so common to use weak passwords and practice poor password hygiene. And it’s not a lack of awareness. By now, few among us can claim not to know that passwords like “password” and “123456” represent a security threat.

The truth is that the average user is in a tough spot. You know that you should use strong passwords, especially at work. But the same features that make passwords “good” also make them impossible to remember.

And if you can’t remember them, you have to store them somewhere handy. But unfortunately, this “handy spot” often becomes equally convenient for cybercriminals.

That’s why it isn’t reasonable to expect that penning a policy is all it takes to bolster your business’ password health. Your team members are likely already aware of basic security principles but lack the tools to apply them. On top of everything else, they are likely to prioritize speed over security to get work done.

The Active Directory Password Policy

Active Directory (AD) is a Microsoft product that manages users and computers within a network. The Active Directory Password Policy is a set of rules defined by system administrators to govern password creation and maintenance in an organization.

The password policy generally includes directives such as minimum password length, password complexity requirements (including uppercase, lowercase, numeric, or non-alphanumeric characters), and password history settings to prevent users from reusing old passwords.

The policy also sets a password’s maximum age, forcing users to create new passwords after a defined period. Other considerations might include account lockout policies that disable a user account after a certain number of failed login attempts.

AD provides two types of password policies: the default domain policy and fine-grained password policies. The latter allows different policies for different user groups within the same domain, providing flexibility for different security requirements.

How to set up a password policy that works

With NordPass Business, you can set a password policy at the administrative level that you can implement automatically — offering your team all the support it needs to maintain excellent password hygiene without slowing down the workflow.

With just one click, users can generate strong passwords with the built-in Password Generator and save them just as quickly. When needed, the passwords pop up automatically into form fields thanks to autofill powered by machine learning.

That means you can unburden your team from the mental load of trying to create and remember complex passwords. And from a storage standpoint, your team’s passwords stay safe in an ultra-secure, end-to-end encrypted vault. All in all, credentials are easy to access for your team but entirely out of reach to intruders.

Members can conveniently and securely share multiple passwords and other sensitive data stored in their vaults with various members at once using the Groups and Shared Folders features.

Meanwhile, you can monitor your team’s password progress with a bird’s-eye view of your company’s Password Health metrics, with a rundown of all vulnerable (weak or reused) passwords that can compromise your cybersecurity.

Avoid choosing between security and convenience. Instead, implement a password policy that works with NordPass Business.