Tax season ‘24: I’m on a call with my accountant, and she says she will have to log into my local social security account to perform some essential operations. “Okay, I’ll give you my credentials so you can log in,” I said. “It’s ok; I still have it saved here from last time,” she replied.
The last time was about six months ago, and I haven’t changed my password since (my own mistake here).
My inquisitive, cybersecurity-oriented mind exploded!
“Let me ask you: where do you usually save these passwords?”
“Oh, I have an Excel spreadsheet with all my clients’ passwords. It’s all quite organized.”
“I imagine you have a strong password to protect all these passwords, right? It would be pretty bad if all this sensitive information got in the wrong hands.”
“No, I don’t need to, though. It’s stored in a secret folder hidden in my system.”
You, dear reader, can imagine how gravely dangerous this is and how terrified I was to discover that someone in charge of keeping such critical information could be so negligent with their cybersecurity practices.
If this information were to fall into the wrong hands, the potential damage to my life and anyone else on that list would be enormous.
You might say, “Oh, but this is just a small accountant!”
Not so fast. Let’s review similar cases with well-known companies.
Sony, the giant Japanese multinational conglomerate, has a talent for breaches, with multiple attacks targeting Sony Pictures and the PlayStation Network.
In 2011, Sony Pictures and the PSN were hacked, and the attackers leaked millions of users' personally identifiable information. In 2014, Sony was hacked yet again.
Despite numerous breaches in their history, what sets these two incidents apart is that in both cases, hackers accessed this information via unprotected Excel and Word documents.
Thousands of pieces of data, including passwords, logins, financial information, and social media credentials for hundreds of major motion picture accounts, were leaked through an easy-to-prevent mistake.
Imagine being a C-level executive at a company with a presence in over 150 countries, 118,000 employees, and around 115 million customers worldwide. Then imagine having to come forward to explain that “John,” from customer service, allowed public access to your cloud drive, exposing phone numbers, addresses, PINs, emails, and more information from 6 million customers.
Verizon experienced this in 2017 when a third-party vendor failed to configure its Amazon S3 storage unit properly.
The worst part is that Amazon S3 storage is secured by default, meaning someone accidentally changed a security setting and exposed all the data.
Luckily for Verizon, the issue was caught by a researcher at UpGuard before it could be leaked.
Chris Vickery, a security researcher from the cybersecurity firm UpGuard, discovered the breach and notified Verizon of the exposure. The company promptly secured the data and launched an investigation, claiming no evidence of data theft or misuse was found.
The reputational damage was done, nevertheless.
In 2019, Facebook was once more in the limelight for exposing up to 600 million user passwords.
During a routine security review, Facebook discovered that user passwords were stored in a readable format internally instead of being adequately masked.
Although Facebook promptly fixed the issue, in some cases, these passwords had been searchable since 2012 and easily accessible by over 20,000 employees. In total, this meant 200 to 600 million passwords were compromised.
What these cases have in common is clear: the human factor. My accountant doesn’t have a CISO to educate her on cybersecurity, nor an entire IT team to configure her computer and implement the latest protection software and policies.
The big companies I mentioned had massive teams of highly skilled professionals at the ready. However, at the end of the day, these companies, like yours, are composed of regular human beings like my accountant. These employees are susceptible to mistakes; most are not tech-savvy, yet they are the first line of defense for multi-billion dollar companies.
These employees most likely participated in the mandatory cybersecurity training, where they learned little and forgot everything within a couple of weeks.
It’s not a matter of whether an attack happens. It’s a matter of WHEN. Because IT WILL HAPPEN.
When scammers surround your digital fortress, lurking around every corner and testing your defenses multiple times a day, your team will need to be vigilant and well-prepared to respond.
Yes, you trained them twice last year and gave them all the necessary information. So why are they still susceptible to making careless mistakes?
Some of the main differences between your regular annual cybersecurity training and year-round cybersecurity awareness include:
“Consistently delivering bite-sized, relatable cybersecurity content, applicable in your employees’ personal and professional lives.”
That is the answer!
We have the perfect solution if you’re committed to taking cybersecurity to a new level in your organization.
Our offer is simple:
Our team is standing by to show you some of the innovative ways organizations use Aware Force to engage their employees. (And the employees let them know how much it’s appreciated!)
Get in touch with us here: https://awareforce.com/contact-us/
Sources: Forbes, UpGuard, Arstechnica, Buzzfeed, Krebs on security