The Cautionary Tale of Ashley Madison

Most businesses foolishly rely on the belief that they’re too small for anyone to want to hack their data.


There’s been a lot of news coverage of the data breach at AshleyMadison.com, which affected about 30 million users of the Toronto-based company self-described as the “world’s leading married dating service for discreet encounters.” It’s a natural magnet for news coverage because, well, sex sells. Even I’m not above using it as a lead-in to this month’s column, since it’s something a bit spicier than you usually find in this space.

The Ashley Madison (AM) hackers claim their goal was to expose the fact that AM’s “full delete” option, which promised to remove all of a (presumably former) subscriber’s information from the database, was a $19 fraud. The hackers contacted AM’s parent company, Avid Life Media (ALM), on July 12 and demanded it take down not only AshleyMadison.com, but a number of similar sites, such as EstablishedMen.com (with the tagline “Connecting young, beautiful women with interesting men,” it seems like a thinly veiled Uber for prostitution).

When ALM didn’t comply, the hackers released the data one week later. As I write this in late August, most of the shoes appear to have fallen: The company offered a substantial ($500,000 CDN) reward for information leading to the hackers and the CEO of ALM resigned.

Once the data became available, a number of websites sprang up to let you search for your (or your significant other’s) email address in the data. One such site, specific to the AM breach, is https://ashley.cynic.al. A more useful site is https://HaveIBeenPwned.com, “pwned” being hacker-speak for “owned” or compromised. By entering your email address, you can find out if it’s appeared in previous public data breaches (the site currently has data for 53 “pwned” sites). For example, my mike@mikeduffy.com address was present in two data breaches, one at Adobe.com of 153 million usernames and passwords (yikes!) and one at Forbes.com of a measly million usernames and passwords. The site also includes a search through AM data, but you need to register for notifications of future breaches and confirm your email address. It’s run by a security professional, and I recommend it.

If you manage a corporate domain, HaveIBeenPwned.com offers a domain search, provided you document your authority to access that information on behalf of the domain owner. This is important, since people (sadly) tend to reuse passwords. If an email address and password are stolen from one site, those same credentials may grant access to other sites where the person reused them.

As an individual, one of the best things you can do is use a password manager like LastPass (www.lastpass.com) or DashLane (www.dashlane.com). A password manager automatically creates a strong, unique password for every site that requires one. It also makes it easier to change a password when a specific site is breached. Yes, it costs money (although both products have free offerings), but it’s far superior to the note stuck in the bottom of your desk drawer where you keep them now.
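The three points above (a breach search service, password reuse across sites, and changing a password once it shows up in a breach) come together in one defensive check: before accepting a new password, test whether it already appears in a leaked-credential corpus, without ever sending the password itself to the lookup service. The example below is added here and is not code from the column, from HaveIBeenPwned, or from any password manager. It models the "k-anonymity" style of lookup, where only the first five hex characters of the password's SHA-1 hash are sent and the server returns every matching hash suffix with a count, so the full hash never leaves the client. The leaked-password corpus and the `range_lookup` server are constructed stand-ins; the function and variable names are the example's own.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus: a tiny stand-in for a leaked-password dump,
# mapping each leaked password to how many times it was seen.
LEAKED_PASSWORDS = {"password": 3, "123456": 5, "letmein": 1}

PREFIX_LEN = 5  # hex characters of SHA-1 sent to the lookup service


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range-style services index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Index the constructed corpus by hash prefix, as a lookup service would."""
    index = defaultdict(list)
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_lookup(prefix: str) -> list:
    """Simulated server side (constructed): given a 5-char prefix, return
    every known hash suffix under that prefix as 'SUFFIX:COUNT' lines.
    The server never learns which suffix the client actually cares about."""
    return [f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, [])]


def split_hash(password: str) -> tuple:
    """Client side: split the SHA-1 into the part that is sent (prefix)
    and the part that stays local (suffix)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how many times the password appeared in the leaked corpus,
    comparing suffixes locally so the password and its full hash stay on the client."""
    prefix, suffix = split_hash(password)
    for line in lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_accounts(accounts: dict, lookup=range_lookup) -> list:
    """Given username -> candidate plaintext password (e.g. at password-set time,
    the one moment a service legitimately holds the plaintext), return the
    usernames whose chosen password is already in the leaked corpus."""
    return sorted(user for user, pw in accounts.items() if breach_count(pw, lookup) > 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} time(s) in leaked corpus")
    print("accounts to reject:", audit_accounts({"alice": "123456", "bob": "x9!Lq-unique-7Tz"}))
```

The check belongs at the point where a service legitimately sees the plaintext, that is, when a user sets or changes a password, not against the stored hashes, which should be salted and slow-hashed and therefore cannot be matched against a SHA-1 corpus. A rejected password is the signal to ask for a different one, which is exactly the moment a password manager makes painless.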

Ironically, one of the documents revealed in the AM breach says the CTO’s primary fear was “security.” Elaborating on that word, he wrote: “I’d hate to see our systems hacked and/or the leak of personal information.” But any company that stores personally identifiable information (a person’s real name, address, Social Security Number and such) faces the same issues.

In California, if you discover a single breach affects more than 500 residents, you’re required to notify the Attorney General. For consumers, the Attorney General lists the data breaches for which it’s received such notification at https://oag.ca.gov/privacy/databreach/list. There have been roughly 10 reported breaches during each month of 2015. It’s a lot more common than you might think.

As a businessperson, you need to ask yourself the hard question: “What if all the information we have from our customers is made public?” If the answer makes you break out in a cold sweat, what do you do? Unfortunately, most people’s eyes glaze over regarding the details involved in a solid security infrastructure. Most just trust their IT department—which can be a case of the blind leading the blind.

You might want to start with the FCC’s one-page “Ten Tips on Cybersecurity for Small Businesses” (http://tinyurl.com/ozhyrqw), but the best answer is to start with an independent review of your data by a trustworthy professional. Yes, it costs money, but security is a cost of doing business electronically, and it’s a rare business that doesn’t store its information in a computer. Most businesses foolishly rely on the belief that they’re too small for anyone to want to hack their data.

How does your small business handle cybersecurity? Let me know at mduffy@northbaybiz.com.

