The #1 Data Security Threat to Business: Your Employees
Every business runs a certain amount of risk by having employees. Retail stores know that employees often steal as much merchandise as shoplifters, or more. Logistics companies have to constantly monitor employees to make sure that shipments and packages make it from Point A to Point B. Companies that hold proprietary data also have to be vigilant to prevent employees from walking off with valuable data.
There’s a big difference between companies that depend on data security and other types of companies. By and large, most employees are good people who don’t intentionally steal, and for most companies accidental theft or loss is rarely a worry.
If your company depends on data, however, you are at risk from two types of hacking. Normally we think of hacking as teenage computer nerds with mad skills pounding away at keyboards with a rack of supercomputers in their basement. What makes for a good movie is not very realistic. Yes, there are organized groups of hackers looking for security gaps in firewalls and the like, but when a particular company is targeted, the hackers usually look for the least secure point of entry: your employees.
Ironically, your basic email password, one of the oldest and simplest forms of electronic security, is the most popular target. Gaining access to an employee’s email frequently means the hacker can gain access to everything the employee can see, hear, or do.
Three Super Easy Hacks
The easiest way to get it… Just ask. Security firms will tell you that a remarkable number of employees share passwords among themselves or freely give passwords to other individuals who appear to need temporary access. If I’m a hacker, I’ll just tell you a reason that I need your password: to “make an adjustment to your terminal” or to “update your security software” (an ironic favorite).
The second easiest way… Don’t bother asking, just look around. People are notoriously bad at changing passwords regularly, or sometimes even at changing them from the default. For example, most routers off the shelf today use the same home network IP address to reach the administrator settings. Fresh out of the box, the router password could be ADMIN. If that doesn’t work, simply look on the bottom of the router: the default password is often attached on a sticker. Setup instructions clearly state that you should change these passwords, but over half of people never bother. Anyone walking through your office, with little or no hacking experience, could look at the bottom of your router and gain access to your entire network in a way that would appear completely benign to the average office administrator.
For those who do change the passwords, they will frequently “hide” the password on a sticky note on the bottom of the keyboard, in a desk drawer, or in a text file on the computer called “passwords”.
Ask yourself: if I walked into your office today, would I even need to ask someone for a password? There’s a good chance I’d be able to get into the network simply by finding the desk with a router nearby, and 30 seconds later I’m in.
The third easiest way to get a password… Just guess. If I know a little bit about you, I’ll try your kids’ names, their birth dates, the name of your husband or cat, your wedding anniversary or, if you have grandkids, it’s a no-brainer… the first initial of each grandchild. If I have your wallet, I’ll add the last four digits on your Social Security card. Even if I don’t, chances are you have a bank statement, health insurance letter, or something from HR on your desk that has your SS# on it.
So how do employers protect themselves?
- Have a clearly written policy about login and email passwords. Make sure that policy states clearly that violating the password policy is a fireable offense.
- Create an environment where no employee is ever required to give their password to anyone, even another employee. Creating tiered access gives each employee access to the data they need, and each supervisor access to their employees’ data.
- Develop a small core of accountable people who have access to everything. In general, these are high-level executives, but sometimes it’s necessary to give IT people broad access. In these cases, make certain that your IT people realize they are responsible for any and all breaches of company data. Data loss will result in unequivocal termination, and malicious data theft will result in criminal prosecution.
- If an employee is ever asked to reveal their password, they should report the request up through the chain of command.
- Require that all passwords companywide be changed periodically. Most security software today can require people to change their password every 30 days.
- In areas where data loss can be particularly harmful, consider two-factor authentication or biometric authentication. These systems require additional hardware and software but are surprisingly economical today.
Did you know?
A six-character password using only lowercase letters has 309 million possibilities. This may seem like a lot, but a random character generator could easily crack the code in less than five minutes.
An eight-character password using uppercase and lowercase letters, numeric digits, and special characters gives you 4.7 quadrillion possibilities. The same random character generator would take approximately 149 years to crack the code.
What Equifax has taught us.
What we know now is that the Equifax hack used an unpatched server bug to navigate through millions of financial records. However, it’s reported that to gain access to the server, the hackers needed an employee password. When tracing it back to its origin, investigators discovered that an individual with a high level of security access in an office in Brazil had failed to change the default username/password combination: Username ADMIN / Password ADMIN. They probably kept it simple so it would be easy to remember and to share with other people needing temporary access. Worse, the individual was in charge of branch security, and potentially toppled a multibillion-dollar organization.
How to Create Strong Passwords
Here are some guidelines you can use to teach your employees how to create a strong personal password. After that, the responsibility lies with the business owner to create and implement solid security protocols regarding employee login access and email.
- Do: Passwords should always be a minimum of eight characters.
- Do: Use at least one capital letter.
- Do: Use at least one lowercase letter.
- Do: Use at least one numeric value.
- Do: Use at least one special character (i.e. @, !, ?, &, $, %, *, +, >, <).
- Don’t: Use the name of your pet, your child, or your significant other.
- Don’t: Use your first name, last name, or initials.
- Don’t: Use the words “password” or “admin”, or your company name.
- Don’t: Use your birthday, your anniversary, or your child’s birthday.
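As an added example (not part of the original post), the script below puts numbers behind the “Did you know?” section and turns the Do/Don’t list above into a check a help desk could run before accepting a new password. The guess rate of one million per second is an assumption chosen because it reproduces the post’s own figures; the employee name, pet, child, company and dates are constructed sample data, and 91 is simply the alphabet size that yields the post’s 4.7 quadrillion (the ten specials listed in the guidelines would give 72).

```python
import string
from datetime import date

# Assumed guess rate, derived from the post's own figures: about one million guesses per
# second turns 309 million six-letter passwords into ~5 minutes and 4.7 quadrillion into ~149 years.
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length

def years_to_exhaust(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time, in years, to try every password in the keyspace at `rate` guesses/second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR

def date_forms(d: date) -> set:
    """Digit strings people actually type for a date, e.g. 0704, 0407, 07041985, 070485, 1985."""
    return {d.strftime(f) for f in ("%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y", "%Y")}

def check_password(password: str, banned_words: list, known_dates: list) -> list:
    """Return the post's Do/Don't rules that `password` violates; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric value")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for word in banned_words + ["password", "admin"]:   # the Don'ts: names, initials, company name
        if word and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    for d in known_dates:                               # birthdays and anniversaries in any common form
        if any(form in password for form in date_forms(d)):
            problems.append(f"contains date {d.isoformat()}")
    return problems

# Constructed sample employee (not a real person): name, initials, pet, child, company, two dates.
BANNED_WORDS = ["Jane", "Doe", "JD", "Rex", "Liam", "Acme"]
KNOWN_DATES = [date(1985, 7, 4), date(2010, 5, 15)]

if __name__ == "__main__":
    print(f"26^6 = {keyspace(26, 6):,} passwords, exhausted in {years_to_exhaust(26, 6) * SECONDS_PER_YEAR:.0f} s")
    print(f"91^8 = {keyspace(91, 8):.3g} passwords, exhausted in {years_to_exhaust(91, 8):.0f} years")
    print("Liam0704   ->", check_password("Liam0704", BANNED_WORDS, KNOWN_DATES))
    print("Rw7$kq!Pz2 ->", check_password("Rw7$kq!Pz2", BANNED_WORDS, KNOWN_DATES))
```

Short initials such as “JD” are matched as plain substrings, so the check errs on the side of rejecting; that is the right failure mode for a policy gate.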
If your organization would like to learn more about website or internal data security, don’t hesitate to call the Mediastead team and ask for a free data security consultation.