TechRepublic’s Karen Roby talked to James E. Lee, COO of the Identity Theft Resource Center, about the organization’s latest report, 2019 End of Year Data Breach Report, along with ways that people and companies can prevent having their data hacked and their identities stolen. The following is an edited transcript of their conversation.
James E. Lee: We released our 15th report, and we’ve been doing this since 2005. Particularly for businesses, this is a very important report. A couple of things to point out. One is, at the end of 2018, we actually saw a reduction in the number of data breaches, and so everybody was kind of waiting around to see what would happen in 2019. Would they continue to go down? Would they stay flat, or would they go back up as they had been doing for a number of years?
SEE: You’ve been breached: Eight steps to take within the next 48 hours (TechRepublic)
Now, we know the answer: Data breaches were up 17% in 2019, and we’re still getting some stragglers, just now being reported that occurred in December 2019. And for businesses there are some very important trends within those numbers. One is a big new category that we saw emerging in 2019 was not a true data breach per se, but what we’re calling a data exposure, or you may also have heard the term data lake, and that’s where some businesses just forgot to put a password on their cloud environments.
SEE: Top 5 password alternatives (free PDF) (TechRepublic)
There were a number of very large companies with very large amounts of data exposed to the internet if somebody knew where to look. That’s a very troubling trend because it’s not that hard to put a password on your cloud. We hope that that will improve this year, but it is still an important trend to note.
Another thing for businesses is that a lot of organizations just think they’re too small: That “The bad guys aren’t going to come after me because I’m a small business.” I may even be a “solopreneur.” It doesn’t matter. All data is valuable today, and the bad guys will try to get it and get as much as they can.
One of the things they do is they will try to steal logins and passwords, and they’ll get it from wherever they can. Then they will load that into their automated systems and just start pinging accounts anywhere they can find them on the internet, seeing if those credentials will allow them to get in and access accounts so they can steal even more information.
SEE: Hiring Kit: Security architect (TechRepublic Premium)
No matter the size of your business, you are a target, and you need to have strong cybersecurity and strong data hygiene practices to protect yourself. More than 60% of small businesses say they were attacked in 2018 and 2019, so it is an important thing for businesses to pay attention to no matter their size.
The third thing we saw that really impacted businesses in 2019 is what we’re calling supply chain attacks. That’s where, my cybersecurity might be good, my data might be safe that I’m holding onto, but I’ve got a vendor or I’ve got somebody in my supply chain who is a weak link in that security chain. Somebody who is in my vendor community may be attacked, and because they have access to my system through theirs, that may be how the bad guys get into my system and begin to steal my customer data or whatever activity they’re trying to do. They could use ransomware as well as try to actually steal data about individuals.
Those are the key findings from this year’s report that shows, again, the number of data breaches is back up for the first time in a couple of years, and now we’ll wait and see if that trend continues.
SEE: Password managers: How and why to use them (free PDF) (TechRepublic)
Karen Roby: I know you guys talk a lot about hygiene, good practices, so you’d think that people would know we’ve got to have passwords locked down and things like that, but it certainly is worth repeating. Just give us a couple of quick points here on what companies need to do to stay safe.
James E. Lee: Particularly when we’re talking about companies, it all does begin and end, at the end of the day, with people. Because just like when there’s a data breach, every one of those numbers represents a customer or someone. There’s a human being behind those numbers. It’s the same thing when there’s a data breach. There’s a company where that happened, and that company also is a victim, and there are things that both the employees of the company, the team members of the company as well as the company itself need to be doing.
Let’s start with those passwords again. Don’t use your personal password at work. Don’t use the same password more than once, and that’s true both in a business setting and in your personal life. It is a very weak security practice, and that’s why the bad guys are trying to steal logins and passwords today because they know more than 80% of all people use the same password more than once. If they can get that password and that login, they realize they may have the keys to the kingdom.
SEE: How to prevent the top 11 threats in cloud computing (free PDF) (TechRepublic)
Use a unique password every time on a business account and in your personal life. If you can’t keep up with all those passwords, use a password manager. And it’s actually OK today to write down those passwords. Don’t do it on a sticky note and put it on your monitor, but write it down and put that in a secure place somewhere away from your computer. It’s OK to do that if you don’t want to use a password manager. The passwords themselves, they don’t have to be complex, but do make sure they’re long.
So this idea of uppercase, lowercase, number, symbol, that’s not really necessary. The latest thinking around passwords is it’s more about, “Can you remember the password, and is it long?”
The difference between breaking into a password that has six characters, that takes about nine seconds, versus if you have a 10-character password, that can take 9,000 days to break that password. So longer is better and make sure it’s something you can remember–a movie quote, a quote from a book, some saying that your kids passed along to you or you heard from your parents. Choose something that you can remember that is long, and use that as your password. You don’t have to reset it every 30 days because that forces you into those bad habits, of, “I’m just going to use password 1234.” We don’t want you doing that. It starts at both home and at work with good password security, good password hygiene.
For businesses, there are a lot of other things that they need to do. One, if you have a cloud environment, make sure you have a password on the cloud environment. It is nothing more complex than that to start.
SEE: IT pro’s guide to effective patch management (free PDF) (TechRepublic)
But there is more you need to do. If you have moved your data into the cloud or you’re in the process of moving data into the cloud, you’re still responsible for security, not your cloud provider–you are. And there’s a lot of confusion around that, that companies think, well, when I move my data into the cloud, that’s somebody else’s responsibility–no, it’s not… it’s still yours. It’s also still your responsibility to make sure that your software that you’ve put in the cloud is patched and up to date. That would be another step the businesses need to take. Secure your cloud environment, number one.
Number two, make sure your software is fully patched and is up to date. That’s tough–I’m not disputing that at all, but it is highly necessary. Because if you look at the root cause of the attacks, the data breaches we saw in 2019, the single largest source of a data breach was a cyberattack. What’s the single largest cause of a cyberattack? A failure to patch a known software flaw. It’s very important that businesses patch quickly and keep that software up-to-date.
Karen Roby: I do like that idea, just something simple like expanding that password by just a couple more characters, it sounds like, could really make a big difference.
James E. Lee: It does, and it’s taken us a long time to sort of get to this point to realize that some of the advice we gave people in the security community and in the technology world, we were giving people bad advice because we were telling them, you’ve got to change it all the time. It’s got to be this very complex series of numbers, dashes, symbols, whatever. And the latest advice from NIST and from even major software manufacturers, they’re all saying, “You know what, taking into account human nature, it’s better to just have a little bit longer [password] and something you can remember.” And that will actually be more secure than what we’ve been telling people for the last number of years.