Correct horse, that's a battery staple!
Small business cyber security risks, part 2:
In my last blog in this small business cyber security risk series, we looked into third-party risk and how small to medium sized businesses can manage their exposure. We covered quite a range of concepts quickly, and as I wrote that blog I’d hoped to revisit each one in a little more depth, one at a time. That’s exactly what we’re going to start doing with this blog, and the first concept I’m going to cover is passwords. Yes, I know, it’s not a fun topic, and I just heard a collective groan from all of you as you read that last sentence! Bear with me, please.
In my opinion, the problem with passwords is the IT industry didn’t get it right from the start. Technology evolved relatively quickly compared to say, the automotive or building industries. As consumers, we’ve only had technology that needed passwords since the mid to late nineties. In the business world, some of us encountered mainframes and their “dumb terminals” during the seventies through the nineties, and many of these used passwords that were often attached to the computer terminal, rather than belonging to a specific person.
We can talk all day about why that practice was a bad idea. Imagine a scenario in which one computer terminal used a shared password amongst several staff members working in a bank. Perhaps one of those staff members decided to use the computer terminal to transfer funds into their own bank account instead of carrying out their job (which, back then, could have been to process cheques – remember those?) The computer terminal would send the instructions to the bank’s mainframe, and it would transfer the funds just as it was asked. Presumably at some point in the future the bank would notice funds had gone missing, investigate, and find that someone using that computer terminal had transferred the funds. However, with a password shared amongst several staff members, how could the bank prove conclusively who committed the fraud? The computer terminal can’t “see” who typed the password or issued the fraudulent command!
And just by reading that short story (which by the way I saw many, many times during my past lives!), you’ve covered one of the main concepts in cyber security: Triple-A for Authentication (prove your identity), Authorisation (giving permission to do certain things, but not other things) and Accountability (leaving an audit trail of one’s actions). In our bank scenario, if all the office staff used their own passwords, each of them would authenticate (prove who they are), be authorised to carry out the tasks that match their job description and would leave a trail of accountability behind them.
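To make the three A's concrete, here is the bank-terminal story as a short Python script. It is an added example, not the blog author's code: the account names, roles, passwords and the two actions ("process_cheque", "transfer_funds") are all constructed for illustration. The point it shows is that with a shared login the audit trail can only ever name the terminal, while with a login per person the same attempt is both denied (authorisation) and attributed (accountability).

```python
"""Triple-A in miniature, for the bank-terminal story above.
Added example, not the blog author's code.  All names, roles, passwords
and actions are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

ITERATIONS = 100_000  # PBKDF2 work factor; use a higher one in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str, role: str) -> dict:
    """Store a salted hash of the password, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}


# Authorisation: least privilege per role (constructed roles and actions).
PERMISSIONS = {
    "teller": {"process_cheque"},
    "manager": {"process_cheque", "transfer_funds"},
}

AUDIT_LOG: List[dict] = []  # accountability: who attempted what, allowed or not


def authenticate(users: Dict[str, dict], username: str, password: str) -> Optional[str]:
    """Authentication: return the username if the password verifies, else None."""
    rec = users.get(username)
    if rec is None:
        return None
    if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return username
    return None


def perform(users: Dict[str, dict], actor: str, action: str, details: str = "") -> bool:
    """Authorisation check for an authenticated actor; every attempt is logged."""
    allowed = action in PERMISSIONS[users[actor]["role"]]
    AUDIT_LOG.append({"actor": actor, "action": action,
                      "allowed": allowed, "details": details})
    return allowed


def actors_for(action: str) -> Set[str]:
    """Accountability: which identities the audit trail ties to an action."""
    return {e["actor"] for e in AUDIT_LOG if e["action"] == action}


def demo() -> dict:
    # Scenario A: one terminal login shared by the whole branch.
    shared = {"TERMINAL7": make_user("branch-1", "manager")}
    AUDIT_LOG.clear()
    who = authenticate(shared, "TERMINAL7", "branch-1")
    perform(shared, who, "process_cheque")                    # Alice, legitimately
    perform(shared, who, "transfer_funds", "to own account")  # Bob, fraudulently
    shared_actors = actors_for("transfer_funds")  # only 'TERMINAL7': unattributable

    # Scenario B: a login per person, each holding only the teller role.
    users = {"alice": make_user("alice-passphrase", "teller"),
             "bob": make_user("bob-passphrase", "teller")}
    AUDIT_LOG.clear()
    who = authenticate(users, "bob", "bob-passphrase")
    bob_allowed = perform(users, who, "transfer_funds", "to own account")
    personal_actors = actors_for("transfer_funds")  # 'bob', and the attempt was denied

    return {"shared_actors": shared_actors,
            "personal_actors": personal_actors,
            "bob_transfer_allowed": bob_allowed}


if __name__ == "__main__":
    print(demo())
```

Run it and the shared-terminal scenario reports `{'TERMINAL7'}` as the only actor behind the transfer, which is exactly the evidence gap the bank faced; the per-person scenario records `bob`, and the transfer is refused because a teller is not authorised for it.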
Now let’s fast forward to the present day. It’s twenty-five to thirty years later, and by now almost all of us have passwords or PINs to activate mobile phones, log in to Internet banking, post photos of avo-smash and latte-art on social media, and, probably, a bunch of other passwords for work-related IT systems too. Or perhaps some of us have one password we use everywhere?
If you’re glancing nervously at this blog thinking “yep, I use my partner’s name and the year for all my passwords”, no need to panic. In the last blog we touched on the topic of managing risk, and it’s no different here. If you’ve used the same, easy-to-guess password in a few places like blogs that don’t store personal information, credit cards and so on, it’s probably not a big deal. However, if you’ve used the same password everywhere, you could be in trouble if any one of those IT systems is breached. Attackers might steal your email address and password from one of those systems, and then try that same email and password in many other places – like your bank, eBay and social media. Before you say, “who cares about social media”, think about the damage an attacker could do to your reputation (and your business, if you run social media for your workplace).
A quick Google search will show cases of small businesses which have suffered cyber attacks due to less-than-ideal password management. For example, a Hobart-based gift and toy shop faced security vulnerabilities due to staff sharing passwords across different IT systems. Another case involved an Australian women's fashion retailer, which was compromised due to inadequate password policies. Hackers were able to gain full access to the retailer's customer data, which was then offered for sale on a hacker forum. So what can you do to prevent this?
Firstly, use a password manager. There are free and subscription-based products available, and rather than align with any one vendor I’ll simply say: do your research and select a well-known, supported password manager. Another quick Google search will help you there. You only need to remember ONE passphrase, and the password manager neatly chooses and then remembers different passwords for everything you use. In most cases it will “take over” the password prompt on your phone, tablet or computer and make your life easier and faster!
What’s a passphrase? I’ll let the often-hilarious XKCD cartoon explain. Passphrases are easier for us to remember, yet harder for attackers to guess! Apart from XKCD’s often-referred-to “correct horse battery staple” example, you can also use a quote or a line from a song as your passphrase.
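The XKCD argument is really a bit of arithmetic, so here it is as a Python script. This is an added example, not the blog author's or XKCD's code: `WORDS` is a tiny constructed stand-in for a real multi-thousand-word list, and the 2048-word list size, the 44-bit figure, the 28-bit estimate for a mangled dictionary word and the 1,000 guesses per second rate are the numbers the cartoon uses. The generators use the `secrets` module, which is the kind of random choice a password manager makes for you.

```python
"""Why a passphrase beats a 'complex' short password, in numbers.
Added example, not the blog author's or XKCD's code.  WORDS is a tiny
constructed stand-in for a real multi-thousand-word list."""
import math
import secrets
import string

WORDS = ["correct", "horse", "battery", "staple", "coffee", "latte",
         "salon", "cheque", "terminal", "river", "pencil", "window",
         "garden", "silver", "orange", "planet"]  # constructed, 16 words

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(num_choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `num_choices` options."""
    return length * math.log2(num_choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for a guesser to try every possibility at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(n_words: int, wordlist=WORDS, sep: str = " ") -> str:
    """Uniformly random words from a CSPRNG, as a password manager would pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int) -> str:
    """Random printable-ASCII password (password-manager style)."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def compare(n_words: int, wordlist_size: int, pw_len: int, rate: float = 1000.0) -> dict:
    """n random words from a list of wordlist_size vs a random pw_len-character password."""
    pp = entropy_bits(wordlist_size, n_words)
    pw = entropy_bits(len(PRINTABLE), pw_len)
    return {"passphrase_bits": pp, "passphrase_years": years_to_exhaust(pp, rate),
            "password_bits": pw, "password_years": years_to_exhaust(pw, rate)}


if __name__ == "__main__":
    # XKCD's figures: four words from ~2048 common ones gives 44 bits, which
    # at 1000 guesses/second takes centuries to exhaust.  A human-mangled
    # dictionary word like the strip's 'Tr0ub4dor&3' it estimates at ~28 bits.
    print(compare(4, 2048, 8))
    print("28-bit 'complex' password, years:", years_to_exhaust(28, 1000))
    print(generate_passphrase(4), "|", generate_password(16))
```

Two things worth noticing in the output. A truly random 8-character password actually carries more entropy (about 52 bits) than the four-word passphrase, but nobody can remember a random one, and the human-chosen "complex" password people do remember is estimated far lower; so the split the blog recommends is the right one: a passphrase you can remember for the manager itself, and manager-generated random passwords for everything else.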
Secondly, sign up to Troy Hunt’s Have I Been Pwned service. His research in this field is extensive, and in many cases he’s able to inform victims of hacking activity based upon that research.
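Besides the breach notifications the blog recommends signing up for, the same site offers a Pwned Passwords lookup that password managers and websites use to warn you when a password has appeared in a known breach, and it is designed so the service never learns your password. The Python script below is an added example, not Troy Hunt's code, showing how that works: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every matching hash suffix with its count, and the comparison happens locally. The "service" here is an offline stand-in with made-up counts, so the script never contacts the real API.

```python
"""How a breached-password lookup can stay private: the k-anonymity scheme
used by Have I Been Pwned's Pwned Passwords range API.  Added example, not
Troy Hunt's code; the 'service' below is an offline stand-in with constructed
counts, so nothing here talks to the real API."""
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint, for reference: https://api.pwnedpasswords.com/range/<prefix>
# Only the 5-hex-character prefix is sent; the full hash never leaves the client.


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Prefix (the only part sent to the service) and suffix (kept local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range response consists of."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed corpus for the offline stand-in (passwords and counts are made up).
_FAKE_CORPUS = {"password123": 123456, "letmein": 9999}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the network call: returns every corpus suffix whose
    hash shares the requested prefix, plus a decoy line, in the real format."""
    lines = []
    for pw, count in _FAKE_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("F" * 35 + ":1")  # constructed decoy; real ranges hold hundreds
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ["password123", "correct horse battery staple"]:
        print(candidate, "->", breach_count(candidate, fake_fetch_range))
```

To use it against the live service you would replace `fake_fetch_range` with a function that fetches the URL in the comment for the given prefix and returns the response body; the rest of the logic is unchanged, and the password itself still never leaves your machine.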
Lastly, enable “multi-factor authentication” whenever possible. I'm almost finished this cup of coffee, so I won't go into details now; I want to do this topic justice, so tune in for my next blog to learn all about it! Many of us are already familiar with MFA (multi-factor authentication) because banks have used this technique to reduce financial fraud for over twenty years. Have you ever had to punch in a code from an SMS message, or tap “approve” on your phone while transferring funds? That’s a form of MFA.
In the next blog we’ll talk more about MFA and managing passwords in a business environment, by revisiting the hair salon example from the last blog. While you’re waiting for that, you could get started right now by adopting a password manager and reviewing how many places you’ve reused the same password! Good luck :)