Most companies are not wondering if they will eventually have a data breach, the question on their minds is when. Seagate, Snapchat and Slack are at the epicenter of headlines after phishing attacks and carelessness led to the leak of both company credentials as well as thousands of employee’s personal information.
What happened at Snapchat
February 2016: Cybercriminals went phishing and came home with a whale. Pretending to be the Snapchat CEO, they sent an email to an HR employee, requesting payroll data on their employees. Not noticing that this was an external email address, the employee emailed the data to the cybercriminals, compromising their employee’s identities.
What happened at Seagate
March 2016: Spearphishing tricked a company employee into emailing all current and former employee’s W-2 forms to a scammer. This information includes Social Security numbers, salaries and other sensitive employee information that gives cybercriminals all they need to commit tax return fraud.
What happened at Slack
April 2016: Slack, the popular cloud-based team chat and file-sharing collaboration tool is used by companies of all sizes. Recently, some lazy developers have gotten into trouble for accidentally leaking their firm’s Slack credentials to GitHub, one of the primary public code repositories. Using a relatively simple method, over 1,500 accounts ranging in size from small to Fortune 500 companies were at risk exposing every message from their company chat. Slack has since blocked the exposed accounts, but it doesn’t prevent future programmers from making the same mistake.
What these events have in common: They are predictable and preventable.
6 common practices that make businesses vulnerable to online data leaks
- Using predictable passwords: In 2015 AND 2014, the most popular passwords were “123456” and “password”. Please leave your predictions for 2016 in the comments below.
- Not updating passwords regularly
- Using the same password for multiple accounts
- Employees leaving the company and taking passwords with them
- Employees sharing passwords across non-secure networks such as Facebook, email, Skype. One employee leaving their password-free smartphone in a taxi could open the door to cybercriminals.
- Programmers sharing credentials or tokens on Github
Practices that can help companies stop data leaks
- Regularly run an id/login audit. Any credentials that were used by employees who are no longer with the company should be immediately terminated.
- Educate employees on cyber security basics. Teach them to update their apps and software with the latest security patches. Teach them how to recognize phishing attempts and offer them support.
- Update company policy: Require new passwords every 30-60 days and install a password generator on company computers.
- Boost mobile security – as many companies have a BYOD policy that allows employees to bring their personal devices behind the firewall, malicious apps and software can utilize wireless networks to attack the system.
One Response
I have read that it’s the length of the password, and not how often it is changed or how many numbers and symbols you have that makes a difference. Also not to put a capital letter at the beginning and your numbers at the end of an alphanumeric password. I’ve had sites that don’t allow the numbers at the beginning, which is what was suggested in the article. As far as frequent password changes, that usually results in employees using a password and just changing the number at the end by adding one each time. It’s hard to remember all the passwords you’re required to have when you’re asked to change them constantly.