A recent post over at Sophos' Naked Security blog points to a study claiming that almost half of all American adults have had their personal data hacked in the last year. While the study seems flawed and rests on some "interesting" assumptions, it does raise some pertinent questions.
The most fundamental element of most corporate security is the username and password, and we know that many people use the same password for many services. Even if your users aren't using the same credentials for their personal services as for their business accounts, if their personal details are accessible to hackers, that information might be enough to infiltrate your network.
It's easy to see the recent hacks at Target and eBay, as well as earlier ones at Evernote and LinkedIn, as being purely about credit cards and social media credentials. The trouble is that passwords are generally hard to remember, so users resort to tactics such as reusing passwords or building them from personal information that's easy to recall.
What's the answer?
Two-factor authentication is becoming increasingly common and better understood by users, as banks, Google and Apple each employ some form of it on their own systems. That offers a path forward.
While two-factor authentication may not be convenient, or may be too expensive, to deploy for all user accounts, it might be worth considering for high-risk accounts such as system administrators.
The newer way of looking at security is not to put all your eggs in the prevention basket but to identify the points of risk and focus on mitigation. That might mean treating every user account as either already compromised, or certain to be if you continue to rely on traditional username/password authentication.
'Half of American adults hacked' in the past year - really? [Naked Security]