A recent post over at Sophos’ Naked Security blog points to a study claiming that almost half of all American adults have had their personal data hacked in the last year. While the study seems to be flawed and plagued with some “interesting” assumptions, it does raise some pertinent questions.
The most fundamental element of most corporate security is the username and password. And we know that many people use the same password for many services. Even if your users aren’t using the same credentials on their personal services as their business accounts, if their personal details are accessible to hackers, then it might be possible to use that information to infiltrate your network.
It’s easy to focus on the recent hacks at Target and eBay, as well as earlier ones at Evernote and LinkedIn, as being purely about credit cards and social media credentials. The trouble is, passwords are generally pretty hard to remember, so users resort to tactics such as password reuse or making passwords out of personal information that’s easy to recall.
What’s the answer?
Two-factor authentication is becoming increasingly common, and better understood by users, as banks, Google and Apple each employ some form of it on their own systems. That offers a path forward.
While two-factor might not be convenient, or might be too expensive to employ for all user accounts, it might be worth considering it for high-risk accounts such as system administrators.
The new way of looking at security is not to put all your eggs in the prevention basket but to consider the points of risk and focus on mitigation. That might mean treating every user account as either already compromised, or as one that will be if you keep relying on traditional username/password authentication.
‘Half of American adults hacked’ in the past year – really? [Naked Security]
Comments
3 responses to “What Does It Matter If Everyone Is Hacked?”
And how long will it be before we see tools written that analyse leaked data and start forming predictions about you?
Even if you use different passwords on different sites, if your passwords contain any personal info (e.g. your cat’s name), then it wouldn’t be too hard to ‘join the dots’ with other stuff like popular pet names and send you spam about your love of cats, even if you don’t use the internet to look at cat pages or photos.
If I started getting “spam” about things I was actually interested in, would it still be spam?
Well, even if so, the tool has to be very, very good, as most accounts lock after 3 attempts. Nonetheless, an interesting thought.
So, why does it matter if everyone was hacked?