We can all agree that 2017 was a brutal year for cybersecurity.
Verizon’s Data Breach Investigation Report identified passwords as the root cause of more than 81 percent of breaches in 2016 – an 18 percent increase from the previous year. And, it’s a safe guess that this year, the percentage will grow. At last year’s Blackhat Cybersecurity conference, Alex Stamos, the chief security officer of Facebook, reported that passwords are one of the biggest security challenges Facebook faces.
Cyber attacks have been dominating headlines since before the DNC hack. It’s time for widespread adoption of a secure and convenient replacement for passwords. However, we’re unlikely to see this happen within the next few months, so here are some protocols you can adopt to keep your company from becoming a statistic.
1. Eliminate passwords in your business
If you’re not part of the solution, you’re part of the problem.
Alternatives to passwords do exist. Adopting them has many valuable benefits to your company and your customers. Since most other companies are still stuck in the past with obsolete passwords, you’ll not only stand out as being on the leading edge of innovation, but protect your business from the single biggest cybersecurity risk and, in the process, show your customers that you care about their security. Ultimately, you’ll improve your customer experience, satisfaction, and retention rate – while also eliminating a common obstacle to people who may otherwise wish to purchase the products and services you’re offering.
2. Use a strong password manager
If you remember your password, you’re doing it wrong.
When Bill Gates declared the password dead, it was basically an observation about the reality of Moore’s Law. Computing power today is great enough that any reasonably memorable combination of letters, numbers, and special characters that you can come up with could easily be cracked. From a security standpoint, if you can remember your password, then it’s probably a bad password. Rather than stumping yourself trying to come up with something simple that meets the frustrating sets of common rules, it is far easier to let a password manager generate a random string of characters for you.
Additionally, it’s critical that you use a different password on every one of your accounts. Typically, when one company is breached, hackers will use the stolen credentials to try accessing accounts at other sites and companies. By using the same password for everything, you’re creating a serious risk – both for yourself and for the people who connect with you through those accounts. The average person has more than 100 accounts protected by usernames and passwords. As though remembering all those different, complex passwords isn’t hard enough, it’s also a good idea to change them all regularly. Instead of trying to remember them all, keep them organized somewhere really safe – a password manager, not a notepad.
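To make the two points above concrete (a generated password beats a memorable one, and reuse across accounts is a risk in itself), here is an added example that is not part of the original article. It generates a password from a cryptographically secure source, computes the entropy of a uniformly random password, and scans a small constructed vault for passwords shared between accounts. The guess rate of 1e10 per second is an assumed illustrative figure for an offline attack on a fast hash, not a number from the article.

```python
import math
import secrets
import string
from typing import Dict, List

# Character set a typical password manager draws from (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character with the `secrets` CSPRNG, never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case seconds to enumerate the whole key space at the assumed guess rate."""
    return (2.0 ** bits) / guesses_per_second


def find_reused_passwords(vault: Dict[str, str]) -> List[List[str]]:
    """Given {account: password}, return groups of accounts sharing one password.

    The report lists only account names, never the password itself, so it can be
    shown to a user or logged without leaking the shared secret.
    """
    by_password: Dict[str, List[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    groups = [sorted(accts) for accts in by_password.values() if len(accts) > 1]
    return sorted(groups)


if __name__ == "__main__":
    # A memorable 8-letter word versus a generated 20-character string.
    for label, length, size in (("8 lowercase letters", 8, 26),
                                ("20 chars, 94-symbol alphabet", 20, len(ALPHABET))):
        bits = entropy_bits(length, size)
        print(f"{label}: {bits:.1f} bits, exhaustive search "
              f"{seconds_to_exhaust(bits) / 31_557_600:.2e} years")
    print("generated:", generate_password())

    # Constructed sample vault (hypothetical accounts, not real credentials).
    sample_vault = {
        "bank": "Summer2017!",
        "email": "Summer2017!",
        "shop": "c9!Qx7#pLw2@dRz8vNm4",
    }
    print("reused across:", find_reused_passwords(sample_vault))
```

The entropy figure is only valid for passwords drawn uniformly at random; a human-chosen password that merely looks complex has far less, which is the article's point about letting the manager generate it.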
Not all password managers were created equal. If passwords are terrible security, then think twice about using a password manager that uses a master password to protect all your other passwords. Additionally, if the password manager doesn’t offer two-factor authentication, don’t even think of using it.
3. Enable two-factor authentication
Turn on two-factor authentication (2FA) everywhere you can. However, keep in mind that not all 2FA is created equal. In fact, the National Institute of Standards and Technology recommends against using SMS for 2FA. If your business is doing that, you should really switch to something more secure (and convenient). If it’s someone else’s business, take a second to point that out to them.
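The article says to switch away from SMS codes to something more secure; the most common app-based replacement is TOTP (RFC 6238), so here is an added example of how a server verifies such a code. It is not code from the article or from any product it mentions. The shared key is the RFC 4226/6238 test key, used here only so the values can be checked; the drift window of one 30-second step and the replay guard are design choices of this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, at_time // step, digits)


class TotpVerifier:
    """Server-side check with a small drift window and replay protection.

    Each time-step counter is accepted at most once and never after a later
    counter has been accepted, so a code captured in transit cannot be replayed
    within its validity window the way an SMS code often can.
    """

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key = key
        self.step = step
        self.window = window
        self.last_counter: Optional[int] = None

    def verify(self, code: str, at_time: Optional[int] = None) -> bool:
        now = int(time.time()) if at_time is None else at_time
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if self.last_counter is not None and counter <= self.last_counter:
                continue  # already consumed, or older than the last accepted code
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    RFC_TEST_KEY = b"12345678901234567890"  # RFC 4226 / 6238 test vector key, not a real secret
    print("code at T=59:", totp(RFC_TEST_KEY, 59))  # 287082 per RFC 6238
    verifier = TotpVerifier(RFC_TEST_KEY)
    print("first use:", verifier.verify("287082", 59))   # True
    print("replay:", verifier.verify("287082", 59))      # False, counter already consumed
```

In a real deployment the per-user key is generated with a CSPRNG, stored encrypted, and the `last_counter` state is persisted alongside it; without that state the replay guard resets on every process restart.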
4. Be cautious of biometrics
Biometric technology is useful, but definitely has its own flaws and limitations – particularly with respect to implementation.
One-to-many systems can help identify people out of a crowd, but the error rate is unacceptably high. This means biometrics should never be used as the first step for authenticating people to allow them access to sensitive accounts, information systems, or physical areas. These systems also require you to provide “something you have” to look up your existing biometric scan and start the direct comparison process. Be cautious about how the biometric scans are being stored. Are they kept only on the device itself, or centralized in a massive data set in the cloud that’s vulnerable to hackers?
5. Remember old e-mail accounts
Most people have more than one e-mail account, and some of us have accounts we no longer use. If forgotten, those accounts could pose a risk to your current accounts.
For example, is your old account set as a backup for your new account in case “you” get “locked out” and (a hacker) need(s) to reset the password of your primary account? Also, did you ever forward e-mails from the old account to the new one? Is there any old information lingering in that old account that could be used against you in one way or another? If you answered yes to any of this, you should be applying the same security practices to that account as your current primary account.
Remember that a company e-mail address belongs to the company: if you leave, they have no obligation to delete the account, and they can continue checking it for business continuity purposes. Don’t open yourself to security risks by listing your work e-mail address on your personal accounts or by receiving personal e-mail at your work address.
6. Segregate and externalize user data from user management
For a while, it was popular to collect as much data as possible about users, since detailed data can help executives make well-informed business decisions. However, the more data that is collected, the more dangerous it becomes both for the business and its customers. It’s possible for businesses to build data sets about their customers without actually linking the data sets to sensitive personally identifying information.
Ideally, the most sensitive data (the kind regulated under HIPAA, GDPR, and PCI DSS) is externalized. The business might need to see this data at critical moments to process transactions or provide service, but that doesn’t mean the business itself needs to store that data internally.
Chances are, dealing with that kind of sensitive data is tangential to the actual mission of your business. Securing it isn’t the top business priority, and this is exactly why you shouldn’t be storing that data to begin with. Rather, entrust it to external security experts who have the sole mission of protecting it. It can be available to your company during the short instants when needed, but not be your liability to worry about during the other 99 percent of the time.
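The pattern described in this section is commonly implemented with tokenization: the business keeps its behavioral and transactional data keyed by an opaque token, while the sensitive fields live only with an external custodian that is queried at the moment of need. Here is an added example (not from the article or any vendor) with an in-memory stand-in for the external vault; the customer record and field names are constructed for illustration.

```python
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Fields the business never stores itself; everything else may stay in-house.
SENSITIVE_FIELDS = {"full_name", "email", "card_number", "diagnosis"}


class ExternalVault:
    """Stand-in for the external custodian. Only this component sees sensitive data."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}
        self.access_log: List[Tuple[str, str]] = []  # (token, stated purpose)

    def tokenize(self, sensitive: Dict[str, str]) -> str:
        # Random token: not derived from the data, so it cannot be reversed or
        # correlated across customers without the vault's own table.
        token = secrets.token_urlsafe(16)
        self._records[token] = dict(sensitive)
        return token

    def detokenize(self, token: str, purpose: str) -> Optional[Dict[str, str]]:
        # Every lookup is logged with a purpose: the vault's job is to notice
        # when access stops looking like 'process a transaction'.
        self.access_log.append((token, purpose))
        record = self._records.get(token)
        return dict(record) if record is not None else None


class BusinessDataStore:
    """What the business keeps: events keyed by token, with no sensitive fields."""

    def __init__(self) -> None:
        self.events: List[Dict[str, str]] = []

    def record(self, token: str, event: Dict[str, str]) -> None:
        leaked = SENSITIVE_FIELDS & set(event)
        if leaked:
            raise ValueError(f"refusing to store sensitive fields in-house: {sorted(leaked)}")
        self.events.append({"token": token, **event})

    def fields_present(self) -> Set[str]:
        fields: Set[str] = set()
        for event in self.events:
            fields |= set(event)
        return fields


def onboard_customer(vault: ExternalVault, store: BusinessDataStore,
                     customer: Dict[str, str]) -> str:
    """Split a raw customer record: sensitive part to the vault, the rest stays local."""
    sensitive = {k: v for k, v in customer.items() if k in SENSITIVE_FIELDS}
    local = {k: v for k, v in customer.items() if k not in SENSITIVE_FIELDS}
    token = vault.tokenize(sensitive)
    store.record(token, {"event": "signup", **local})
    return token


if __name__ == "__main__":
    vault, store = ExternalVault(), BusinessDataStore()
    # Constructed sample customer; not real data.
    token = onboard_customer(vault, store, {
        "full_name": "Jane Example", "email": "jane@example.invalid",
        "card_number": "4111111111111111", "plan": "pro", "region": "EU",
    })
    store.record(token, {"event": "purchase", "amount": "49.00"})
    print("in-house fields:", sorted(store.fields_present()))
    print("at checkout:", vault.detokenize(token, "charge card for order 1001"))
    print("vault access log:", vault.access_log)
```

A breach of `BusinessDataStore` yields tokens, plans and amounts but no names, e-mails or card numbers, and the vault's access log gives the custodian a single place to watch for lookups that do not match a business purpose.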