Recently, the security company Ring has been plagued with reports of "hacks" into its popular security camera systems. While it would be easy to just blame Ring for their lack of security, unfortunately, in this case, the users also share some of the blame.
Using a simple brute-force method, hackers took email and password lists from other breaches and used them to gain access to Ring cameras. By allowing users to set passwords that are known to have been compromised in other breaches, and not requiring two-factor authentication, Ring is leaving the last level of security up to their users. Unless you're a security expert, you may not see the problem until it is too late.
When faced with a security breach at Evernote, my team and I made the difficult decision to reset all of our users' passwords (at the time, that was around 50 million of them). The decision was a no-brainer to us: it was the only way we could be certain to protect the data of the people on our system. We faced a lot of backlash from our users who wanted to keep or return to their original passwords, though.
To that end, here are some quick rules of thumb you should keep in mind to keep your business, and yourself, protected.
Use unique passwords.
I get it. When you're in a small business, often you want to save money by purchasing one account and sharing a password to it amongst everyone in the business. And then you email this password back and forth to each other to make sure you have it. You can deny it all you want, but I guarantee you have at least one password that you're using that isn't unique.
Enter the app 1Password. Not only will it allow you to automatically generate random passwords for each site, but it will also give you the ability to see which passwords have been compromised, which have been reused, and, if you must, share them with team members straight from within the application.
Think before you click.
One of the worst things I hear in my company is "I clicked on this link and..." It doesn't matter what the rest of the sentence is; it's almost always bad and takes me hours to clean up the damage.
If you are suspicious about a link in an email, don't immediately click on it. Hover over the link, or right-click and copy/paste it into a browser. This will prevent you from opening any suspicious links directly, and also allow you to see if the link matches what is presented. Some legitimate sites will add tracking codes, so what you're looking for is the domain. Links might also lead you to .exe files or .dmg files. If you are not expecting to download a file from a link, this could be an attempt by a scammer to install a virus.
Leave no trace.
And lastly, if you're no longer going to use an account, close it down and completely delete it. Just because you're not using it anymore doesn't mean the scammers won't find it and use it against you. That password that you used years ago may lead them to the one you're using now.
With these quick tips, you can protect yourself from irreparable, and expensive, harm.