One of the biggest and most notorious illegal markets in the world was shut down because the ostensible mastermind used his cat’s name as his password. It’s true: Silk Road 2.0, the Darknet market for anything illicit and illegal met its demise because its owner used a weak password. What does this mean for your totally legal small business?
Steven J. Weisman, proprietor of Scamicide.com and a professor at Bentley University, points out that “small businesses are targeted a lot because they’re not training their employees in security.” In fact, no amount of security software is going to help you if your employees aren’t trained on security best practices -- or if they’re not interested in following them.
Kevin Jones, Senior Security Architect at Thycotic, notes that even with training, some employees will circumvent best practices anyway. Jones gives the example of employees who wondered why they were allowed to change certain passwords only once a day. The limit exists because those applications deliberately prevent users from re-using their last seven or eight passwords: it turned out that when it came time to change passwords, employees were simply changing them nine times in a row to get back to the one they had already been using.
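The bypass Jones describes, and the once-a-day limit that closes it, as an added example (not code from the article or from Thycotic): a per-user password history that rejects any of the last eight passwords, plus a minimum password age so the history cannot be flushed in one sitting. The salted SHA-256 hashing and the "Fluffy2014" sample password are constructed for the demo; a real system would use a slow password hash.

```python
import hashlib
import os

HISTORY_SIZE = 8          # remember the last eight passwords
MIN_AGE_SECONDS = 86400   # allow at most one change per day

def _hash(password, salt):
    # Simplified for the example; use a slow KDF (bcrypt, Argon2) in practice.
    return hashlib.sha256(salt + password.encode()).hexdigest()

class PasswordHistory:
    """Per-user record of recent password hashes and the last change time."""

    def __init__(self, initial_password, now,
                 history_size=HISTORY_SIZE, min_age=MIN_AGE_SECONDS):
        self.salt = os.urandom(16)
        self.history = [_hash(initial_password, self.salt)]  # newest last
        self.last_change = now          # seconds since epoch, caller-supplied
        self.history_size = history_size
        self.min_age = min_age

    def change(self, new_password, now):
        """Apply a change request; returns 'ok', 'too_soon' or 'reused'."""
        if now - self.last_change < self.min_age:
            return "too_soon"           # minimum age blocks rapid cycling
        digest = _hash(new_password, self.salt)
        if digest in self.history:
            return "reused"             # matches a remembered password
        self.history.append(digest)
        self.history = self.history[-self.history_size:]  # drop the oldest
        self.last_change = now
        return "ok"

def cycle_back(record, favourite, now, attempts=9, step=0):
    """Simulate the bypass: change to throwaway passwords, then back to the
    favourite, advancing the clock by `step` seconds per attempt.
    Returns True if the old password was successfully restored."""
    for i in range(attempts - 1):
        record.change("throwaway-%d" % i, now + i * step)
    return record.change(favourite, now + (attempts - 1) * step) == "ok"

if __name__ == "__main__":
    no_min_age = PasswordHistory("Fluffy2014", now=0, min_age=0)
    print("history only:", cycle_back(no_min_age, "Fluffy2014", now=0))
    with_min_age = PasswordHistory("Fluffy2014", now=0)
    print("history + min age:", cycle_back(with_min_age, "Fluffy2014", now=0))
```

With history alone the nine-change trick restores the old password; with the minimum age it is refused until a full day has passed between each change.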
You wouldn’t be pleased if your employees were mailing their passwords on a postcard or leaving them on a note on their workstation; however, that’s effectively what they’re doing if they’re sending unencrypted emails with passwords in them. Weisman urges small businesses to have programs that encrypt data as well as manage passwords for them, though he points out that you ought to be skeptical of the latter. “I’m so mistrustful that I see password management as a target for hackers,” he says. “You have to make sure that you trust their security.”
Password security goes beyond the workplace. Weisman recalls two recent data breaches at NASA. What happened? Employees had their laptops stolen. The laptops weren’t password protected, the data within wasn’t encrypted – and they were filled with important passwords. “People don’t pay as much attention to their devices, but you have to encrypt all of them,” he says.
Jones says that this is even more important in workplaces with “bring your own device” policies. “BYOD has caught a lot of organizations and IT departments off guard,” he says.
What’s more, it’s not just your employee passwords that hackers are looking for -- it’s more privileged passwords for the entire system. “If you have a critical infrastructure that’s running a website and backs itself up, it often does some kind of computer-to-computer authentication,” says Jones. That might sound more secure, but in fact it’s not; such systems often have infrastructure and architecture that’s all too familiar to hackers.
High-quality apps such as Dashlane and LastPass feature military-grade encryption and will generate and manage strong passwords for you, but ultimately your password security is only as good as the people involved. “It doesn’t matter how strong a password is if it’s sitting on a sticky note on their desk or a text document on their computer desktop,” says Jones.