Whether you're at the helm of a huge enterprise or one of the everyday heroes who make the magic happen where you work, there's a simple test to measure how cybersecure your actual day-to-day, digital existence is: Log onto one of your credit card accounts using a device that is unfamiliar to that account.
It's that simple. Your score on this test (and herein lies the most essential cybersecurity lesson in the workplace) is based on the simplest of systems. It's pass/fail.
When it comes to security there is no such thing as getting it almost right. With that, check out how you did on this cybersecurity spot-check:
Pass: You logged in with your user name (which is not the same as your email address) and your unique-to-that-account, long-and-strong, preferably alphanumeric password, which triggered a prompt for the 5-6 digit code that was sent to your email or (my recommendation) your smartphone. (It's also possible you might trigger security questions.) Either way, congrats: You've enabled two-factor authentication, which suggests you're paying attention to cyber hygiene.
Fail: You logged in with your user name (which may have been your email address) and your possibly long-and-strong, preferably alphanumeric password (or a silly, easily deciphered one) that is reused across several accounts, and gained direct access to the account with no second step.
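The pass/fail test above, as an added worked example that is not from the article: a minimal server-side login decision in Python that lets a device the account already knows straight in, but demands a one-time code from an unfamiliar device and verifies it the way authenticator apps do (HOTP per RFC 4226, time-based per RFC 6238). The account record, user name, password, device identifiers and shared secret are all constructed for the example.

```python
import hashlib
import hmac
import struct
import time

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation from the standard library (not a bare hash).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account (not real data): a user name that is not an e-mail
# address, a salted password hash, a per-account TOTP secret, and the devices
# that have already completed the second factor.
ACCOUNT = {
    "username": "jane.doe",
    "salt": b"constructed-salt",
    "pw_hash": hash_password("correct horse battery staple 42", b"constructed-salt"),
    "totp_secret": b"constructed-totp-secret",
    "trusted_devices": {"laptop-fingerprint-abc"},
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step."""
    return hotp(secret, int(now // step))

def login(account, username, password, device_id, code=None, now=None) -> str:
    """Decide one login attempt.

    Returns 'fail' (bad credentials or bad code), 'need_code' (credentials are
    right but the device is unfamiliar, so a one-time code must be supplied),
    or 'pass'. A device that passes the second factor is remembered.
    """
    # Always run the password check so timing does not reveal which part failed.
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    if username != account["username"] or not pw_ok:
        return "fail"
    if device_id in account["trusted_devices"]:
        return "pass"
    if code is None:
        return "need_code"          # the prompt the article's "Pass" case describes
    now = time.time() if now is None else now
    step = int(now // 30)
    # Accept the current step and one on either side to tolerate clock skew.
    for counter in (step - 1, step, step + 1):
        if hmac.compare_digest(code, hotp(account["totp_secret"], counter)):
            account["trusted_devices"].add(device_id)
            return "pass"
    return "fail"

if __name__ == "__main__":
    pw = "correct horse battery staple 42"
    print(login(ACCOUNT, "jane.doe", pw, "laptop-fingerprint-abc"))  # known device
    print(login(ACCOUNT, "jane.doe", pw, "new-phone"))               # unfamiliar device
    t = time.time()
    print(login(ACCOUNT, "jane.doe", pw, "new-phone", totp(ACCOUNT["totp_secret"], t), t))
```

The "Fail" case from the article is what you get if the `trusted_devices` check is dropped or every device is silently added to it: the password alone opens the account. The HOTP function is checked against the published RFC 4226 test vectors in the accompanying assertions, so the code-generation side matches what a real authenticator app produces.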
The test illustrates a home truth about cybersecurity: it's people-powered and depends on the maintenance and propagation of excellent individual cyber hygiene.
The single biggest cybersecurity vulnerability facing any enterprise is the people it employs. That vulnerability is aided and abetted by the all-too-often absence of comprehensive and strictly enforced security protocols. Policy matters.
The Deloitte hack is the latest in a parade of mega-breaches to hit the news this year. The "mega" status is conferred not only by the type of file compromised (Equifax "wins" hands down on that score), but also the magnitude of the possible financial repercussions attributable to an attack.
On the latter, Deloitte may be the fart in the spacesuit. Depending on which report you believe (I tend to lean towards Brian Krebs's version), extremely sensitive data was almost certainly captured by the hacker who infiltrated Deloitte's email platform sometime in 2016. According to Krebs's source, the infiltration may not be entirely resolved; i.e., it could be ongoing.
The issue here for Deloitte, a leader in accounting and cybersecurity consulting, is obvious. Who in the world would consider hiring a hacked company to protect it from hackers? With its $38.8 billion revenue in 2017, Deloitte's sterling reputation has been tarnished and they most likely will lose some serious poundage as a result.
Let's revisit the cybersecurity spot check. At the end of the day, individual cyber hygiene will be what protects or exposes an enterprise to hackers. Whether a person uses two-factor authentication is a decent predictor of other sound cybersecurity practices. The more people on staff who have good cyber hygiene the better the chances of avoiding hacks like the one that got Deloitte.
The only true solution: Learning how to swim with the cybersharks that are everywhere without getting bitten.
Urgency, transparency, empathy
My first question regarding the breaches of both Deloitte and Equifax: How could companies that market themselves as breach protection and response organizations have such inept and feeble responses to their own breaches?
The keys to effective breach response are urgency, transparency and empathy.
Urgency means you don't wait till a reporter calls to start thinking about what to tell the folks affected by your compromise. Your goal should be to take control of the narrative, telling the whole story right away, with the exception of details that law enforcement needs you to keep quiet in order to catch the bad guys.
Transparency goes hand-in-glove with urgency. Say what happened clearly, concisely and completely, and how it could affect people. Keep it factual, and short.
Finally, remember that no one affected by the breach that happened on your watch woke up that morning thinking they might be the victim of a hack at your company. They are going to panic, and they need to know that you're working on solutions, and that you have their back.
Remember they are entitled to their feelings, which most assuredly include anger.
The better the plan you have in place for the eventuality of a compromise, the better all this will work out in the end.
Employers and employees alike need to understand that they are both the first point of attack and the last line of defense against hackers.
The best course of action given all these variables is to change the way you and your employees think about cyber vulnerabilities, and to practice the Three Ms, which I discuss in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.
- Minimize your exposure. Don't click on suspicious or unfamiliar links; don't authenticate yourself to anyone unless you are in control of the interaction; don't over-share on social media; be a good steward of your passwords; whenever offered, opt for two-factor authentication; safeguard any documents that can be used to hijack your identity; and freeze your credit.
- Monitor your accounts. Check your credit reports religiously; keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
- Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises; such programs are oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.
In the aftermath of the epic compromise of Equifax and the "retirement" of CEO Richard Smith, no one should "misunderestimate" the wages of inattentiveness to the issue of cybersecurity. Basically, the only thing you get as the result of poor execution on the cybersecurity front is a mess, and your wages could well be extinction.