I’ve written about it before: security breaches expose personal data. No business is safe. When the ‘big guys’ get hit, it makes the evening news. When it happens to a small business or an individual, it can still be devastating.
The recent Yahoo hack exposed one billion accounts. That’s one-thousand-million users who got their data stolen. What’s really bad about this second exposure at Yahoo is that not only did user names and passwords get out, but also those security question answers. Oops.
With that in mind, here are some tips on how to make your data and your business’s more secure.
In my opinion, the whole idea of a security question as a way to recover forgotten passwords or accounts is just plain stupid. As Sarah Palin found out during the 2008 elections, just about anyone can find out enough about you to answer the questions usually asked, and sure enough, her email account was hacked. Which, of course, means that just about anyone can get your data the same way.
So, what can you do about it? Lie.
Yes, lie when you enter answers to security questions. If the vendor asks for your high school, enter your college. Enter your father’s middle name when asked for your mother’s, etc. The trick, obviously, is to be consistent so you don’t trip yourself up. You might even consider entering the first day of your birth month as your birth date, for example, when registering with most sites. After all, you will still get your free birthday dessert at the local restaurant if you keep the month correct, but you might save yourself grief if the restaurant rewards program gets hacked and your birthday gets out.
The ‘keep it simple’ premise can be utilized in your business. Don’t ask your staff, your vendors or your customers for data that you really don’t need. Remember, once you have that data, its safety is the responsibility of your company. That also means the liability for a breach is on your company as well. Maybe your marketing people say sending a birthday greeting or your sales staff knowing a customer’s anniversary is a plus, but does it really matter if you know the exact day? Would more general data serve the same purpose with lower risk?
Remember, the adage of ‘change your passwords frequently’ is not there to protect you, the customer; it is there to protect the ones holding that data. Obviously, the best security is to come up with a password that is very hard for someone else to figure out but that you can memorize. Constantly changing passwords does the opposite. People forget them because the most secure and meaningful ones have already been used. Therefore, their passwords become simpler and simpler and in most cases end up written down on Post-it notes, where a cleaning crew, employees, visitors, or family can easily see them.
The reason password changes are crammed down your throat is due to a valid worry that the data holder may have already been breached and doesn’t know it. Changing the passwords regularly renders the stolen data useless, which does protect you, but it’s really done as an attempt to reduce the holder’s liability.
One way to protect yourself with regard to frequent password changes is to come up with some formula only you know which allows a memorizable password, but also makes it unique at every place you use it. For example, say you decide your ‘master password’ will be the word “memory”. If you have a Yahoo account, make the password “1Memory1-Y”; for a Gmail account, your password would become “1Memory1-G”; and for online banking it would become “1Memory1-B”. In this way, you’ve kept the basic password as something you can remember and do not have to write down. It includes letters of both upper and lower case, numbers (not just tacked onto the end) and a symbol, all things that are required by most sites nowadays. You’ve already figured out that the last letter is the first letter of the site, but when hackers try your data at a host of well-known websites, it will fail. They are not going to analyze your individual password for a pattern. They are already onto trying the next million easy targets in their list.
Turning to the business side of the equation, customer data stored on your systems should always be secured with multiple levels of security, which include hardware firewalls, passwords (or better yet, biometrics), endpoint protection, and security training for your staff. All security products should have update subscriptions, and only administrators should have access to install software. Every user should have their own unique passwords, and your employee manual should make clear that sharing passwords, or using another’s account, could be a fireable offense. Don’t ask security questions of your customers. Instead, consider having them enter a second phrase which only makes sense to them, rather than an answer to a question that a hacker could look up.
Having your personal data stolen is bad, but losing your company because someone stole all your employee or customer data is worse. Take the necessary precautions and consider protecting yourself with a couple of little white lies.
I welcome your questions or comments at firstname.lastname@example.org.
Joe Balsarotti is President of Software To Go and is a 37-year veteran of the computer industry, reaching back to the days of the Apple II. Joe served three terms as chairman of the National Federation of Independent Business’ (NFIB) Missouri Leadership Council, served as chairman of the Clayton, Missouri, Merchant Association for a dozen years, chaired Region VII of the Federal Small Business Regulatory Fairness Board, and currently serves on the Advisory Panel of the ASCII Group, an organization of over 1000 independent computer and technology solution providers in North America.