2014 was a big year for hackers and their victims, resulting in billion-dollar losses for bosses and long faces all round for IT personnel. What’s worse, however, is that 90% of data breaches in the first half of the year could have been prevented. Correction: easily prevented. This, according to the not-for-profit Online Trust Alliance (OTA).
My Bad, Your Bad
Hackers are typically the bête-noires of choice when listing a business’s cyberthreats, but OTA found that only 40% of data breaches involving the loss of personally identifiable information (PII) were caused by external intrusions; 29% were caused by employees, due to a lack of internal controls; 18% were attributed to lost or stolen devices and documents; and 11% to social engineering/fraud.
We know that to err is human – even the best of us can lose a device, or a document, or get duped by social engineering ploys – but ‘lack of internal controls’?! That is breaking bad!
On the positive side, there’s an opportunity for improvement…
Cyberstrategy: 12 Recommendations
A collaboration between OTA and its stakeholders has produced a 12-point checklist of ‘critical’ practices which business owners and IT decision makers should adopt when designing their cybersecurity plans:
- Enforce effective password management policies.
- Run user accounts on the lowest possible permissions.
- Use multi-layered firewall protection, anti-virus software, and disable default locally shared folders.
- Conduct regular penetration tests.
- Require email authentication for inbound and outbound mail.
- Implement a mobile device management system.
- Monitor the network infrastructure in real time.
- Use web application firewalls to detect and prevent common web attacks.
- Permit only authorised devices to connect to wireless networks.
- Implement Always On Secure Sockets Layer (AOSSL) protection for servers.
- Review server certificates frequently.
- Develop a data breach response plan.
Effective Password Management
Notably heading up the list is the recommendation to enforce effective password management policies. Creating an effective policy surely has to start with an effective password.
Sadly, like most humans, employees are very good at doing very bad things when it comes to password security. It’s not done through malicious intent, necessarily, but just through simple ignorance of the consequences for their employers. Mostly, though, it’s because it’s easier to create and remember weak passwords than it is to create and remember strong passwords.
Add to that a lack of understood responsibility on their part to protect the business systems they work with, and you have an accident waiting to happen.
Dos and Don’ts For Passwords
The responsibility for preventing data breaches is a joint venture, with business owners and employees collectively needing to address the threat posed by poor password habits. There are a handful of easily achievable dos and don’ts for the two parties to undertake:
Employees:
- Don’t store passwords on written notes, in devices, or on browsers.
- Don’t use the same password at home and at work. If hackers crack a personal account, they will snoop elsewhere.
- Create different passwords for each business account to limit the spread of damage.
- Don’t use personal information to construct passwords e.g. a pet’s name, family names, dates, or anything visible on social media pages.
- Don’t email unencrypted passwords.
Business owners:
- Do stipulate a minimum of 15 characters for passwords: length = strength.
- Do test for the inclusion of numbers, special characters, and mixed case letters.
- Do provide a strength meter to help gauge good vs weak passwords.
- Don’t expect employees to remember their passwords: provide a password manager to enable employees to safely store their list; they need only recall a single phrase.
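The business-owner rules above (a 15-character minimum, a test for numbers, special characters and mixed case, and a strength meter) together with the employee rule against building passwords from personal information can be turned into a small policy checker. The following is an added example written for this post, not code from OTA or the original author; the personal-information tokens, the entropy estimate used by the strength meter and the weak/fair/good/strong thresholds are assumptions chosen for illustration.

```python
import math
import string

# Policy thresholds taken from the post: at least 15 characters, and
# numbers, special characters and mixed-case letters must all be present.
MIN_LENGTH = 15

# Constructed sample of facts an employee might leak on social media
# (pet name, family name, a year). A real deployment would load these
# from the user's profile; these values are placeholders for illustration.
PERSONAL_INFO = ["rex", "smith", "1984"]


def char_classes(pw):
    """Report which character classes the password draws from."""
    return {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def policy_violations(pw, personal_info=()):
    """Return the list of policy rules the password breaks (empty = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, present in char_classes(pw).items():
        if not present:
            problems.append(f"missing {name} character")
    lowered = pw.lower()
    for token in personal_info:
        # Ignore very short tokens, which would match almost anything.
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal information '{token}'")
    return problems


def estimate_bits(pw):
    """Rough strength estimate (assumed model): effective length times
    log2 of the alphabet implied by the classes in use. Runs of the same
    character ('aaaa') count once so padding does not inflate the score."""
    classes = char_classes(pw)
    pool = 0
    pool += 26 if classes["lowercase"] else 0
    pool += 26 if classes["uppercase"] else 0
    pool += 10 if classes["digit"] else 0
    pool += len(string.punctuation) if classes["special"] else 0
    if not pw or pool == 0:
        return 0.0
    effective_len = 1 + sum(1 for a, b in zip(pw, pw[1:]) if a != b)
    return effective_len * math.log2(pool)


def strength_label(bits):
    """Strength meter bands (assumed thresholds for illustration)."""
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "good"
    return "strong"


def evaluate(pw, personal_info=()):
    """Combine the policy test and the strength meter into one verdict."""
    problems = policy_violations(pw, personal_info)
    bits = estimate_bits(pw)
    return {
        "accepted": not problems,
        "problems": problems,
        "bits": round(bits, 1),
        "strength": strength_label(bits),
    }


if __name__ == "__main__":
    # Constructed sample passwords, from a textbook-weak one to a long passphrase.
    for candidate in ["password", "Rex-Smith-1984-Lives!", "Correct-Horse-Battery-7"]:
        print(candidate, evaluate(candidate, PERSONAL_INFO))
```

Note that the strength meter and the policy test are deliberately separate: a password can score well on the meter yet still be rejected because it embeds a pet's name or a birth year, which is exactly the case the employee rules warn about.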
The Threat Within
Hackers will continue to plague the business world – 2014’s epidemic stands testimony to this – and despite the hardware and software security tools that are available, they still make business owners shake in their boots.
It’s a relief to know, then, that much of the risk can be mitigated by taking control of the threats within your reach. Prescriptive password advice for your own employees is a good place to start.