Let’s Talk About Passwords
A single weak or reused password from one member of staff could prove disastrous for your organisation, so let’s talk about passwords.
Earlier this year, an employee of mine at Best Practice received an email purporting to come from me, asking them to head down to the nearest supermarket and buy $500 worth of gift cards. The bluntly worded request set off an alarm bell for that staff member, who immediately questioned the motive, and the identity, of the sender. The email also linked to a site that mirrored Google’s password-change page which, of course, asked for the old or current password before a new one could be set.
Thankfully, instead of blindly following the request, the member of staff contacted me soon after to confirm that the email was what’s known as a phishing attempt, and a reasonably well-crafted piece of social engineering at that. The sender address was a lookalike, created to mirror my work email with a few small differences. The attempt didn’t succeed, but it could easily have fooled an unwitting or over-worked individual into handing their work password to a third party, who would then have had access to the entirety of Best Practice’s IP, client data and sensitive information.
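As an added example (not code from the original post), here is the kind of sender check a mail filter or a cautious reader can apply to a lookalike address like the one above. It assumes the organisation’s real domain is bestpractice.example and runs over constructed From and Reply-To headers; it does not verify SPF, DKIM or DMARC, which an “internal” verdict should also depend on.

```python
"""Flag sender addresses that imitate a trusted domain.

Added example, not code from the original post. TRUSTED_DOMAIN and the
sample headers are constructed; real headers would come from the message.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "bestpractice.example"  # assumed organisation domain

# Substitutions attackers use to make a lookalike domain read like the real one.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
                ("3", "e"), ("5", "s"), ("7", "t")]


def normalise(label: str) -> str:
    """Undo common visual substitutions and strip punctuation/digits."""
    label = label.lower()
    for bad, good in _CONFUSABLES:
        label = label.replace(bad, good)
    return re.sub(r"[^a-z]", "", label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 'bestpractise' is 1 edit from 'bestpractice'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header: str) -> str:
    """Pull the domain out of 'Display Name <user@domain>'."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Return {'domain', 'verdict': 'internal'|'external'|'lookalike', 'reasons'}."""
    sender = domain_of(from_header)
    if sender == TRUSTED_DOMAIN or sender.endswith("." + TRUSTED_DOMAIN):
        # Genuinely our domain; only trustworthy if SPF/DKIM/DMARC also pass.
        return {"domain": sender, "verdict": "internal", "reasons": []}

    lookalike = []
    # bestpractice.example.evil.example: our name used as someone else's subdomain
    if TRUSTED_DOMAIN in sender:
        lookalike.append("trusted domain used as a subdomain of another domain")

    # Compare the registrable label (crude second-label-from-the-right split,
    # enough for this example; real code would use a public-suffix list).
    labels = sender.split(".")
    sender_label = normalise(labels[-2] if len(labels) >= 2 else sender)
    trusted_label = normalise(TRUSTED_DOMAIN.split(".")[0])
    if sender_label == trusted_label:
        lookalike.append("same name after undoing confusables, hyphens or a TLD swap")
    elif edit_distance(sender_label, trusted_label) <= 2:
        lookalike.append("name within two edits of the trusted domain")
    elif trusted_label in sender_label:
        lookalike.append("trusted name embedded in a longer domain")

    warnings = []
    if reply_to_header and domain_of(reply_to_header) != sender:
        warnings.append("Reply-To points at a different domain than From")

    verdict = "lookalike" if lookalike else "external"
    return {"domain": sender, "verdict": verdict, "reasons": lookalike + warnings}


if __name__ == "__main__":
    # Constructed sample headers for the demonstration.
    samples = [
        ("Boss <boss@bestpractice.example>", ""),
        ("Boss <boss@bestpract1ce.example>", ""),
        ("Boss <boss@best-practice.example>", ""),
        ("Boss <boss@bestpractice.example.evil.example>", ""),
        ("Partner <a@partner.example>", "b@attacker.example"),
    ]
    for frm, rto in samples:
        result = classify_sender(frm, rto)
        print(f"{result['domain']:<40} {result['verdict']:<9} {result['reasons']}")
```

The display name is deliberately ignored: it is free text that any sender can set to the boss’s name, so the decision rests on the domain and on whether replies would be routed somewhere else.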
It was a close call, but the time and resources invested in training our staff in cybersecurity procedures paid dividends in keeping our organisation, and the information our clients have entrusted to us, secure. In light of this, I think it’s worth taking some time to talk about the state of passwords, and how disastrous one false move can prove for your organisation as we move into 2020. According to LastPass, “80% of data breaches can be traced to weak, reused and stolen credentials,” and just last week Microsoft revealed that more than 44 million of its users were signing in with credentials that had already been exposed in third-party breaches. That’s on top of the more than 2.7 billion email and password combinations listed online in a massive leak that we reported on recently over on our blog. There’s a dark but highly lucrative economy in login details, and cybercriminals are cashing in on it. The potential for a malicious third party to harm your organisation is massive, and should never be underestimated.
It’s hard to stay ahead of hackers, but it’s not impossible. The problem for individuals and organisations alike is that ignorance, and even a sense of invincibility, can creep into business as usual, and hackers are well aware of this. Even if you’re a relatively small operation, if an outsider compromises your systems and accesses your private information, and that of your customers and suppliers, the damage to your reputation and bottom line in the wake of a cyber attack can prove irreparable. So how can you stay protected? There are a few well-established ways to protect the integrity of your passwords.
The first, and arguably most important, step is to educate everyone in your organisation. You want to impart both the extent of the problem and the reasons why your organisation is doing what it’s doing. For some members of staff this won’t be apparent from the get-go, so it’s essential to explain why they need to take it seriously, too. Once they realise just how easily their account could be compromised, and how damaging that can be for the entire organisation, they’re far more likely to change their behaviour. While this is technically a digital dilemma, it stems from basic human psychology that hackers understand and capitalise on. Most people simply aren’t aware that a single compromised password can give a third party a clear point of entry from which to cripple an organisation, regardless of its size.
Now we move to the organisation’s responsibilities, which include committing time and resources to developing a robust set of security measures. An information security management system built to a standard like ISO 27001 is a good example, and perhaps most importantly it’s rooted in the understanding that there’s no such thing as perfect security. That isn’t an inspiring ethos, but in the context of data protection it’s about as close to reality as you’re going to get. Organisations that operate on the assumption that they’ll be fine are usually among the first to fall, and they fall the hardest.
In your organisation, you want to enforce a set of policies and build a culture of security. Give your staff a named contact who can explain those policies and supply whatever resources they need to learn, and bring your password rules into line with modern standards. Be aware that current guidance (NIST SP 800-63B, for instance) no longer recommends forcing staff to change passwords on a fixed schedule, because forced rotation pushes people towards predictable variants of the same password; rotate a password immediately when you suspect it has been exposed, and otherwise let it stand. What does make a hacker’s guessing job harder is length and unpredictability: a long passphrase, or a mixture of characters, numbers and symbols that doesn’t make any ‘sense’, that is unique to each account and has been screened against lists of passwords already exposed in breaches. Add multi-factor authentication wherever it’s offered, so that a phished password on its own is not enough to log in. I’m under no financial incentive to promote a password manager, but I will add that they’re a good way for your organisation to keep passwords both strong and unique, while remaining accessible for the many logins that daily tasks require.
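As an added example (not the post’s own code), here is a password screen in Python implementing the checks a modern policy asks for: a minimum length, a breached-password lookup done the way Have I Been Pwned’s range API works (only the first five hex characters of the SHA-1 hash are sent, the rest is matched locally), and reuse detection against the user’s other accounts. The breach corpus, the account hashes and the policy parameters (12-character minimum, 100,000 PBKDF2 iterations) are constructed assumptions for this example.

```python
"""Screen a proposed password: length, known-breached list, reuse across accounts.

Added example, not the original post's code. The breached corpus and the
account hashes are constructed so it runs offline; in production the breach
check would query a range API such as Have I Been Pwned's with the same
5-character SHA-1 prefix, and the account hashes would come from your directory.
"""
import hashlib
import os

MIN_LENGTH = 12              # assumed policy minimum
PBKDF2_ITERATIONS = 100_000  # assumed work factor for stored hashes

# Constructed "breached" corpus, stored as upper-case SHA-1 hex like Pwned Passwords.
_BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper()
             for p in ["password", "Password1!", "Summer2019!", "letmein", "qwerty123"]}


def breach_range(prefix: str) -> list:
    """Simulate the k-anonymity range query: every breached hash suffix whose
    SHA-1 starts with the 5-hex-char prefix. The full hash never leaves the client."""
    return [h[5:] for h in _BREACHED if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_range(digest[:5])


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key) for storage."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def reused_on(password: str, other_accounts: dict) -> list:
    """Names of the user's other accounts whose stored (salt, key) match this
    password. Salted hashes cannot be compared directly, so the candidate is
    re-derived under each account's own salt."""
    hits = []
    for name, (salt, key) in other_accounts.items():
        if hash_password(password, salt)[1] == key:
            hits.append(name)
    return hits


def check_password(password: str, other_accounts: dict = None) -> list:
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    hits = reused_on(password, other_accounts or {})
    if hits:
        problems.append("already used on: " + ", ".join(sorted(hits)))
    return problems


if __name__ == "__main__":
    # Constructed example directory: this user's existing VPN and CRM passwords.
    existing = {"vpn": hash_password("correct horse battery staple"),
                "crm": hash_password("Summer2019!")}
    for candidate in ["Summer2019!", "correct horse battery staple",
                      "Winter2020!", "four-yellow-kettles-sing"]:
        print(f"{candidate!r:35} -> {check_password(candidate, existing) or 'OK'}")
```

Note that the reuse check only sees accounts whose hashes you hold; reuse of a work password on a personal site can’t be detected this way, which is why the breach lookup matters: the personal site’s leak will eventually surface in the corpus.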
In wrapping up, the most important thing to impart, I believe, is that complacency is one of the most dangerous forces at play here. From personal experience, there are few sadder things than watching a small business suffer a breach and then the loss of customer trust and reputation that follows. It’s a cliche to end on, but you simply cannot wait until it’s too late to learn this lesson. Keep on top of your passwords, and don’t make a hacker’s day easier by reusing passwords across multiple accounts, particularly company accounts that provide entry to your organisation’s valuable data and intellectual property.
We as managers have an obligation to our staff to impart the importance of this, and to enforce a strict set of policies to keep the confidential information that our clients, and even our employees, have handed over exactly that: confidential.
Thanks again for your time, I’ll see you in the next piece.