Once again the popular media is abuzz with stories of hacking. Most recently the dating site eHarmony was hacked, probably by the same perpetrators that hacked LinkedIn, the “corporate” social network, exposing six million user passwords.
Six million!
A few months earlier, SONY, the one and only, was hacked twice. The first incident, which they initially kept quiet, was heralded as the “largest identity theft in history,” with hackers stealing credit card numbers and e-mail addresses. Then, a few months later, it happened again. At least the second time, SONY promptly responded with a blog entry alerting the users of the breach.
But, back to LinkedIn and its six-million-password theft: Embarrassing? You bet. Expensive? You can’t imagine. LinkedIn is getting sued over the incident, and the cost of defending the lawsuit alone is projected to run high. And that’s excluding any inevitable settlement. As Jeff John Roberts puts it in his June 19th article, “The case is likely to turn on whether LinkedIn did enough to protect its user accounts and whether it did enough to notify users of the hacking incident. The breach was first reported by a Norwegian security firm and then publicized by numerous technology sites but LinkedIn appears to have dithered for more than twelve hours before telling users that data had been compromised.”
Dithered for twelve hours! Now, there’s a long runway…
But wait! There is more! These days hackers (who incidentally tend to be extremely good at what they do, frequently brilliant programmers, and practically always a step ahead of the “white hats”) have devised yet another way to phish. “Poisoned search results” is a technique that uses expertly built web sites that look and feel “real,” showing you meaningful results to your query in Google, Bing, etc. They are nothing other than bait, and the fish is you. The minute you enter your personal information, you’re done. According to Blue Coat, an internet security firm, poisoned search engine results are the number-one malware threat on the web. Worse, according to the Anti-Phishing Working Group, nearly 40% of the world’s computers are thought to be infected.
What does this mean to you?
As I have argued before, you ignore technology at your peril. No matter what size company you work in, technology and cyber-security are not a “buy it and forget it” investment. You need to be involved, ask your IT team the right questions, and stay engaged with them. There is no plausible deniability here. There is no “The IT people are responsible for that stuff…” It is your neck on the line.
The first step is to educate yourself. That will help you ask intelligent questions and recognize evasive answers when you hear them. On cyber-security, start with the easy-to-digest tips from the Department of Homeland Security. Yes. Your government at work! Thankfully, the government is taking cyber-security very seriously, and despite fits and starts, there are many efforts across agencies to secure government data and to build the nation’s capacity for cyber-warfare.
The second step is to educate your firm. Engage with your technologists. Understand the risks. Identify how and where your data (including client data) is stored and protected, and who accesses it, what they access, and how. Create a special section of your intranet dealing with cyber-security, and alert your employees to it. Sponsor an in-house seminar or webinar addressing the issue. Retain outside expertise, for it is unlikely that your own IT team can ever be on top of this matter, and have them audit the site, recommend tools, and train your people.
The one thing you cannot do is nothing. You have twelve hours…