We need to talk about passwords.
Doctor Digital Says
I'm not even waiting for a question to come in from a beloved Tasmanian business to prompt this week's blog post. I'm front footing because we need to talk about passwords. What has motivated this little chat between you and me? A massive security breach involving some of the biggest names in business and government, that's what.
Since Doctor Digital has been working to ensure that Tasmanian businesses have the best, most up-to-date advice on how to maximize their participation in the digital economy with minimum stress for nigh on a decade now, year on year I've been doing posts about cybersecurity. What is the constant in these missives? It is the small, simple things that bring business undone. You know, like passwords.
Some background: late in 2020, there was a big news story about a massive global security breach. It involved words like 'foreign actors', and they weren't talking about The Rock being in Australia filming his latest blockbuster. No, it was referring to a data theft incident at a company called SolarWinds, allegedly undertaken by Russian hackers. As a supply chain partner, the SolarWinds breach impacted nine US Federal government agencies and over 100 businesses, including Microsoft. How did they get in the back door to compromise these big players? According to the current investigation underway by the US Government, it was through a password set up by a former intern: Solarwinds123.
Undoubtedly, SolarWinds had a dedicated in-house security team and all kinds of policies, given the type of businesses and agencies that were their clients. But no amount of security is going to help you if you've left the front door open and your attack dog is at doggy daycare. My point is that a simple password is a single point of failure that can massively compromise your business.
Think Russian hackers aren't interested in your boutique Tasmanian business? You're probably right, but data breach attacks are usually either like the SolarWinds event, sweeping up a stack of unsuspecting businesses in their wake, or simply malicious and disruptive by nature, looking to hit your business with a DDoS (Distributed Denial of Service) attack. That might mean you can't use your POS for a day, your website gets shut down, or your mailing list gets hacked, which may cost you thousands of dollars and customer trust, which is priceless.
The call to action here is to do an audit of your digital security. Who has access to your passwords? How often do you change them? Are you using a complex password that can't easily be guessed or cracked, or is yourpetsname123 still your go-to? Time to use our Digital Ready checklist to deep dive into everything you need to make sure your business is safe:
- No unknown downloads. Make a rule against downloading files from unknown senders.
- Check your firewalls. Make sure everything is up-to-date on all machines.
- Use current virus protection on all devices. Keep it current and updated whenever new patches become available.
- Insist upon strong passwords. Weak passwords are like an open door to your business.
- Update your operating system regularly. This is especially important when new security patches come out. Many computers do this automatically, but make sure you have the auto update function turned on so you don't miss out.
- Use a virtual private network (VPN). These connect you to the web with an encrypted connection so data being shared online can't be seen by third parties. VPN providers offer secure data connections between remote workers and your network too, which can be especially helpful if you send workers into the field (for deliveries or repairs, for example).
- MFA/2FA. Enable multi-factor or two-factor authentication on all devices and accounts where it is offered.
- Make sure mobile devices used for work are secure. Don't store important passwords on any mobile device. Learn how to use remote wipe capability on your phones and tablets.
- Disaster recovery plan. Not having a plan is a disaster. By thinking through the critical elements of your business that could be compromised, and what the damage may be, you can apply the fixes and antidotes before anything happens - and have a plan of attack when it does.
- NDB (notifiable data breach). Never send sensitive data unencrypted and unsecured via email; physically control who has access to the data/file. A document containing personally identifiable data or medical records, for example, should be transmitted as a password-protected PDF (or an equivalent alternative) as a minimum.
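As an added illustration of the strong-password point (example code, not part of the Digital Ready checklist), here is a small Python audit helper that flags the pattern behind Solarwinds123 and yourpetsname123: a business name or dictionary word followed by a short run of digits. The minimum length and the banned-word list are assumptions supplied by the caller, not a published policy.

```python
"""Password audit helper: flags the "word123" pattern and banned names.

Added example; thresholds and word lists are assumptions, not a standard.
"""
import re
import string

# Assumed minimum length; set this from your own password policy.
MIN_LENGTH = 12

# A single run of letters, then 1-4 digits, then at most two symbols:
# matches "Solarwinds123", "yourpetsname123", "Summer2020!".
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{1,4}[^A-Za-z0-9]{0,2}$")


def audit_password(password: str, banned_words=()) -> list:
    """Return a list of problems found; an empty list means no finding.

    banned_words: constructed by the caller (trading name, town, pet names),
    since those are the first things a guesser tries.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("too_short")

    # Case-insensitive substring match, so "Solarwinds123" trips "SolarWinds".
    for word in banned_words:
        if word.lower() in lowered:
            problems.append(f"contains_banned_word:{word.lower()}")

    # One word plus a short numeric suffix is a top guess in any wordlist.
    if WORD_PLUS_DIGITS.match(password):
        problems.append("word_plus_digits")

    # Count character classes used; fewer than three makes cracking cheap.
    classes = sum(
        any(c in group for c in password)
        for group in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
    )
    if classes < 3:
        problems.append("low_variety")

    return problems


if __name__ == "__main__":
    for pw in ("Solarwinds123", "yourpetsname123", "correct horse battery staple!7"):
        print(pw, "->", audit_password(pw, banned_words=["SolarWinds"]) or "ok")
```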
The main thing to remember? As that poor intern from SolarWinds, who has now been well and truly thrown under a bus from the highest level, is all too aware, people are flawed. Yes, even you. So don't assume everyone in your business is doing the right thing; be actively alert and across your staff, their actions and all elements of your business, and ensure you give them adequate security training so everyone is on the same page and password.
All too hard? Contact our Digital Ready Hotline on 1800 955 660 to ask about being put in touch with a cyber security expert for assistance. There is also a new ACSC cybersecurity assessment tool available to get you started.