Often in the United States, we hear of the “global economy,” although cyber security news from around the world is not often published in the US. Yet, with our interconnected global economy, cyber security risks are real, and as we do business with partners around the world, it is essential to identify and understand those risks.
For example, consider Ireland, once an up-and-coming “Celtic tiger” with a strong technology base. While it has not yet recovered to the happy days before the 2008 recession, it currently has a recovering economy and a red-hot market in Dublin. Yet, according to the Irish Independent, the fourths of Irish companies are overly exposed to data breaches, and a good 20% have been breached within the last year. Worse, the majority of companies (two thirds) allow staff to access confidential information from personal devices.
One thing is certain for both small businesses and consumers: we cannot rely upon the companies with which we do business to reliably safeguard our private data. Of course, these companies are liable in the event of a breach, but the cost to a small business or consumer in time and aggravation to deal with the aftermath is extensive.
Most interfaces to companies involve a user account and password, often tied to an email account. When a password is reset, the new password is often sent to the associated email address, which is inherently insecure. While it is true that such password resets require one to change the password immediately after login, if the email address is compromised, then the security protections are moot.
Most hackers initially seek credentials and, once credentials are obtained, then seek to access other resources, such as business information, customer account data, or in the case of consumers, banking data. Because email and username/password combinations are the weak link, it cannot be stressed enough that due care should be exercised, focusing on two important points:
- Use a different username and password combination for every site. Repeating the same username and password combination across multiple vendors increases the likelihood and impact in the event the account is compromised, because instead of compromising one account, the same account can now be leveraged at other sites.
- Use a different password for each site and account, and ensure that the password is a pass phrase with at least 15 characters. While not impossible to break, 15-character pass phrases take much more time to break and increase the odds of detecting the breach before substantial harm is done.
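The two points above, together with the earlier observation about password resets sent by email, can be checked mechanically against an exported list of accounts. The following is an added example, not part of the original article; the sample inventory is constructed, and the function name `audit_credentials` and its `reset_mailbox_site` parameter are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

MIN_PASSPHRASE_LEN = 15  # minimum pass phrase length recommended in the text

# Constructed sample inventory: (site, username, password). Not real accounts.
SAMPLE_VAULT = [
    ("bank.example", "pat@mail.example", "correct horse battery staple"),
    ("shop.example", "pat@mail.example", "Summer2024!"),
    ("forum.example", "Pat@mail.example", "Summer2024!"),
    ("mail.example", "pat.backup", "Summer2024!"),
    ("news.example", "pat_reader", "violet kettle drum harbor 9"),
]

def audit_credentials(entries, reset_mailbox_site, min_len=MIN_PASSPHRASE_LEN):
    """Flag reused username/password pairs, reused passwords and short pass phrases.

    reset_mailbox_site (hypothetical parameter) is the entry for the mailbox
    that receives password-reset mail for the other accounts.
    """
    key = secrets.token_bytes(32)  # per-run key: digests are only used for grouping
    by_password = defaultdict(set)
    by_pair = defaultdict(set)
    too_short = set()
    mailbox_digest = None
    for site, username, password in entries:
        digest = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        by_password[digest].add(site)
        # Usernames are compared case-insensitively, as most sites treat them.
        by_pair[(username.strip().lower(), digest)].add(site)
        if len(password) < min_len:
            too_short.add(site)
        if site == reset_mailbox_site:
            mailbox_digest = digest
    shares_mailbox = by_password.get(mailbox_digest, set()) - {reset_mailbox_site}
    return {
        "reused_pair": sorted(sorted(s) for s in by_pair.values() if len(s) > 1),
        "reused_password": sorted(sorted(s) for s in by_password.values() if len(s) > 1),
        "too_short": sorted(too_short),
        "shares_reset_mailbox_password": sorted(shares_mailbox),
    }

if __name__ == "__main__":
    for finding, sites in audit_credentials(SAMPLE_VAULT, "mail.example").items():
        print(f"{finding}: {sites}")
```

Any site listed under `shares_reset_mailbox_password` deserves attention first, since a breach at that site also exposes the mailbox that password resets are sent to.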
We can never be assured that we will not be victimized by a breach, and in fact, can guarantee that at some point, we will be breached. However, we can avoid being the “low hanging fruit” by adopting the common sense approaches above, and extending the time we have to detect the breach before we suffer adverse impact.