The hacks discussed in previous articles (here, here, and here) teach an extremely important lesson: never recycle passwords, and keep them in a password manager that is itself protected by multi-factor authentication.
Multi-Factor Authentication is Essential
For those who don’t know, multi-factor authentication is the use of another device (normally a smartphone) to generate a short-lived code that changes every few seconds, so that even if someone obtains your permanent password, they still cannot access your account. That does not mean protecting your password becomes unimportant.
Here is a fact: if you have used the same password on every site, or even just on many sites, for the last 10 years, then it is almost guaranteed that the password has at some point been compromised. If you have used the same password everywhere for the last few years, it could be compromised. The safest course of action is to use a password manager that assigns a unique password to every single website, preferably a randomly generated string.
With several billion accounts hacked per year, there is a high likelihood that any password in use for more than three years has been compromised. The reality is that the situation companies currently find themselves in resembles asymmetrical warfare: every company needs to be secured against every attack. That takes real planning and preparation to ensure two things: that the number of successful hacks is reduced, preferably to none, and that the cost of a breach never exceeds the cost that would close the business.
Hacking is More Prevalent Than Ever
Hacks can be carried out with no cost and no equipment by using certain exploits. Renting a botnet for a few hours can cost anywhere from a few dollars to a few thousand, depending on the attacker’s technical needs. The average cost of a single lost record is $158. For companies with thousands, or tens of thousands, of customers, a breach that steals all of their records can threaten the company’s survival.
And how much does it cost to buy these users’ data? It ranges from a few dollars to a few grand, up to highly specialized information that may be worth millions. But oftentimes it is listed on the dark web for a few hundred dollars, even for databases with hundreds of millions of users.
For example, when Myspace and LinkedIn were hacked, it was reported that the group behind the attacks had been selling the information in its entirety for only the equivalent of $2,000 in bitcoin. On the other side of that same attack, the breach ended up costing LinkedIn tens of millions of dollars.
Why mention how ubiquitous this stolen information has become in hacking circles? Because oftentimes they buy the data not because the grand plan involves getting into your Spotify account for free music, but because that username/password combination has probably been used on at least one other website, and that website might give them access to something more valuable. And sometimes they will target one specific group, company or organization, or even just one person, by buying millions of user accounts and their associated data.
Protect Your Passwords
One important thing you can do to ensure that your passwords are up to date is, of course, to use a password generator and to store the passwords in a password manager protected by multi-factor authentication. That way the only way someone can gain access to a specific account is through brute force, or if the entire website is hacked. In the event that a website is hacked, the whole point of unique per-website passwords is that losing one password does not compromise your security elsewhere.
Ideally, every single person in your organization should have a unique password for every work-related account or email, secured with multi-factor authentication. You yourself should also put all of your passwords into a password manager and change them all to unique passwords. You should also make sure that you are using a password manager that alerts you when a website you use has been associated with a breach. These apps will tell you whether any of your accounts need to be changed, whether any of your other passwords or usernames are shared with them, and if so, what action should be taken.
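The breach alerts described above depend on a manager being able to ask “has this password appeared in a breach?” without sending the password itself. Below is an added example (not code from the article or any particular password manager) of the k-anonymity range-query pattern used for this: the client sends only the first five hex characters of the password’s SHA-1 and matches the rest locally. The breach corpus and its counts are constructed for the example, and the in-process server stands in for the remote service.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus; counts are made up for the example.
CONSTRUCTED_BREACHED = {"password": 3730471, "123456": 24230577, "letmein": 190000}


def sha1_hex(password: str) -> str:
    """Hash the candidate password; the service only ever sees a prefix of this value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Stands in for the service: indexes breached hashes by their 5-char prefix and
    records every request so the test can show only prefixes ever left the client."""

    def __init__(self, corpus: dict):
        self.index = defaultdict(list)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.index[h[:5]].append(f"{h[5:]}:{count}")
        self.requests = []

    def fetch_range(self, prefix: str) -> str:
        self.requests.append(prefix)
        # One "SUFFIX:COUNT" line per breached hash sharing the prefix.
        return "\r\n".join(self.index.get(prefix, []))


def parse_range_response(body: str) -> dict:
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Client side: query by 5-char prefix, then look for the remaining 35 chars
    in the returned bucket. Returns how many times the password was seen in breaches."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_BREACHED)
    for pw in ("password", "gA7!vq2Lx#9mZr"):
        print(pw, "->", breach_count(pw, server.fetch_range), "breach hits")
```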
Protect Your Server
It is also important to take steps against your server being accessed. IBM has researched the costs associated with breaches. Not only has the average breach ballooned to nearly $8.9M per breach in the United States (compared with roughly $3.9M in the United Kingdom), but that cost has been rising steadily over the last decade.
In the last year or two, though, they noticed an interesting trend: a slight increase, followed in the most recent year by a very slight decrease. The cost of an attack on someone who is unprepared, however, has risen, while the cost for someone who is prepared for a cyberattack is less than half of that. Someone whose data and accounts are secured well enough to survive a ransom attack will end up dealing with only half the cost borne by those who have to pay their attackers.
Healthcare remains one of the most expensive industries. Steps to take include logging all interactions on your server and having an AI analyze the logs for potential dangers. Currently, cybercrime costs the world economy between $600B and $1.5T, but by 2025 that number could rise as high as $10.5T. With the entire world’s economy worth only $80.5T, that means one in every eight dollars we spend will go either to stopping cybercrime or be lost in the commission of a crime.
Always Be Prepared
Preparation, and fighting fire with fire, will become more important than ever as we move into the next phase of these attacks: constant, never-ending attacks initiated not by determined humans but by AI controlled by humans. It is not our goal to scare you, but it is important that you understand risks and dangers that are not going to go away.
The reality is that you can prepare. But soon, preparation will not just be something that smart businesses take part in; it will be an essential part of doing business at all. Even for businesses that are entirely in-person, if you, a receptionist or your accountant keeps information anywhere, it could be susceptible to attack. The same goes for even basic information on employees and customers. And the risk only increases for businesses that do most of their work on computers, operate online or deal with sensitive information.