With Halloween just around the corner, I thought it might be a good opportunity to discuss what scares business leaders most. As you may or may not have heard, October is Cyber Security Awareness Month. A bit ironic, since October is also the month of ghouls, goblins and compromised credentials posted on the dark web. But in all seriousness, dusting the cobwebs from your cyber security policies one month out of the year is never a good habit to develop.
I spend a lot of my time scouring through articles and blog posts relating to data security, breaches and new threats that are on the constant rise. Malicious hacking has become a 6 trillion dollar industry. (Yes, that’s “Trillion” with a “T”.) Believe it or not, there are organizations making a lucrative business from mining and reselling compromised user credentials.
In the majority of the articles I have read, initial access into what was thought to be a secure network always begins with some type of internal, user-initiated compromise. These people are smart, very smart. They’re not going to waste their time attempting to breach a system that will take them months to gain access to. Remember, they’re in this business to increase profit. Just like in any legitimate organization, the goal is to lower cost and increase revenue, or find an easier, more efficient way to accomplish a goal. If you wanted to gain access to a secure building, how would you get in? Dig a tunnel? Blow a hole in a wall? Why not make it easy and find someone who can let you in from the inside?
Speaking of things that go bump in the night, here’s something scary. On what’s known as the “Dark Web” there are sites that contain lists of compromised credentials that are for sale. Usernames, passwords, addresses, you name it, it can be found and purchased fairly inexpensively. You see it all the time on the news: this site was compromised, that service had a data breach. Information gained from these breached services is then sold for a profit. Even better for the buyers if your organization houses client data that can be obtained through the breach.
How do I protect Myself?
I’m sure you’ve heard the old cliché that “a chain is only as strong as its weakest link”. This could not be more relevant when it comes to cyber security. The same malicious organizations that have become profitable by gaining access to company data and selling it to the highest bidder are also using those profits to find new and creative ways to circumvent the security features developed by those attempting to keep them out.
Knowing that my information could potentially be compromised, how do I protect my most critical data?
Simple: make sure that any information they may have is irrelevant by ensuring that it’s no longer valid. In essence, change your passwords regularly!
Keep Your Critical Data Safe
Never use the same password that you use for your social media accounts to access your on-line banking accounts. In fact, your banking password or ‘pass phrase’ should be used only for that service alone and nothing else. If the password you use for a social media service that has just been breached is the same one you use for your on-line banking, you’ve basically just created a ‘skeleton key’ that can unlock any account.
This also applies to your work credentials. Keep your work password/phrase unique and unused anywhere else. Just like your banking passwords, your organization is counting on you to keep your work credentials safe and secure. Your work credentials are the sole method by which company data is made accessible to you. Make sure your passwords are safe. Remember, the harder it is to gain access by guessing your credentials, the better.
A recent article I read stated that an 8 character password can be cracked in less than 10 minutes. Adding a “space” to a pass phrase increases that time exponentially, meaning they’re going to move on to a softer target. (I’ll go more in depth about pass phrases in a later post.)
Keep Safe, It’s a Jungle Out There!
As an organization we take cyber security very seriously. We’re continuously researching products and services that can help monitor and protect your organization. If you would like more information on these services, I can provide this for you.
Brent Hudson, MBA-ITM