A recent CNN headline read, “2 million Facebook, Gmail and Twitter passwords stolen in massive hack.” This attack began sometime in October 2013 and was discovered in late November 2013 by Trustwave, a cybersecurity company. How this occurred is still being investigated. What is known is that the users who were compromised had been infected with a keylogger virus. This virus enables hackers to collect every keystroke typed on the user’s computer, including passwords, account numbers, and anything else the user enters.
What is most revealing about this attack is the weakness of the passwords of many of the victims. In a list reported by Trustwave, the top ten passwords and the number of victims who used each were rather alarming. Almost 16,000 (15,820) people used “123456” as their password. Other passwords were things like “password”, “111111”, “admin”, and “123”—simple and rather easily guessed by someone trying to hack an account. We can likely conclude that most of these users saw the password as a requirement for having an account, and as an obvious inconvenience.
As Tim Wilson stated in his article entitled “Generation Y Users Say They Will Break BYOD Rules” on www.darkreading.com, “In a survey of 3,200 employees from Generation Y (ages 21 to 32), researchers at Fortinet found that 51 percent were prepared to contravene any policy banning the use of personal devices at work or for work purposes.” Maybe, as more of these massive attacks occur, more people will realize the importance of a good password and other security measures and not allow their quest for convenience to rule.
What the above reveals is that most computer and technology users are still not taking the warnings about breaches and cybersecurity seriously and they believe that “it won’t happen to them.” Whether they believe this because they feel what they possess is just not that important to bother with, or that the software security they use is providing 100% protection, does not matter. The bottom line is that compromising machines and stealing online information is far too easy for the hackers because we, the users, opt for convenience over security. As stated many times, most notably by FBI Director Mueller at RSA in 2012, “All will get hacked!”
So, what can business owners and those whose job it is to keep information secure do? Educate, educate, educate. Most users believe some sort of security is necessary, but they do not really understand why. They certainly do not understand well enough to believe security should make their lives inconvenient. But think about it. Most people now lock their cars and front doors. This didn’t use to be the case. What happened to change this? Did most of us suddenly become victims of car theft or home invasions? No. We heard about those things happening to others. We were educated. We decided we valued our personal security, so we began to use locks.
It is all about education. The better people understand how easy it is for hackers to get in and steal their stuff and the more they learn what they can do to better protect themselves, the more likely users will be to begin taking security more seriously.
Some of the comments I frequently hear when discussing security or teaching classes:
“I’m not worried about it; I don’t have anything the hackers want.”
“My clients don’t have enough money for the hackers to bother with us!”
“I put all my client files in [a cloud service] because it is easy, cheap, and convenient. Should I be worried?”
“I have antivirus and a password. Isn’t that good enough?”
And, my favorite: “If my identity is stolen, I will just sue someone for losing it!”
At some point we have to take responsibility for our own bad practices and lack of security. Talk to anyone who has suffered identity theft, and you will be amazed at how much security they have implemented after the fact. They have learned the hard lesson.
Let’s start teaching others what they need to know before they become the next identity theft poster children. If you are a business owner, educating your employees and yourself is the best security you can implement.
Do it. Now.