How can you help to prevent a cyber breach?
Another day, another data breach of another household brand.
Many organisations certainly could - and most definitely should - be doing a lot more to prevent cyber incidents. Doing so involves strong leadership, a lot of money, and the right skills to undo what is often years (or decades) of what could be called 'technical debt' or 'security debt'. A long topic for another day.
I'm not going to pinpoint any specific recent breach or why that particular company should have done better. Instead, I'd like to discuss what you, as an individual, could do today to protect not only yourself but potentially your employer from being exposed.
But why?
If you have a username and a password that you can use to get access to company resources - think email, your computer, payroll systems and the like - that makes your account an entry point into the company's IT systems.
It's reported that over 80% of cyber incidents are the result of credential theft, and it might surprise you that virtually any employee's credentials can be used to initiate that cyber incident.
Perhaps yet another topic for another day, but one way to think about this is to imagine you hold a physical key or an access card to your workplace. You may only be able to open a single door with it, but behind that single door you may have 100 colleagues.
Some of them might have access to open another door into a more private area of the office. Behind that next door, another colleague and another access card may get us through yet another door.
By now you get the idea of how cybercriminals work. They don't necessarily care whether they're infiltrating the account of an intern, the CEO or that one IT guy who has access to everything, but rather how they can get through that first lock and subsequently get entrenched deeper and deeper until they find what they are looking for.
So, what can you do?
Enough waffle, I'll get to the point of this article and list out some simple things you can do that might just help your employer stay out of tomorrow's headlines:
1. Don't use your work email for personal purposes
What I mean by this is not to stop sending personal emails to your family and friends, but rather to stop signing up for services online with your work email address.
Whilst a single email address might be easier to manage, be aware that the moment any service you use with that email address is breached, it opens up the possibility that any other services you use with that email address may also be breached.
This is particularly true if you don't adhere to point 2...
2. Don't reuse passwords
Speaking at an event last year, I asked for a show of hands where anyone reused passwords across multiple accounts. Every single person in the room raised their hand.
The simple implication of password reuse is that a single breach that obtains your email address and password, now opens the door to every other place that you've used the same username and password.
3. Use a password manager
Yes, it can be difficult to maintain different passwords for everything. But it helps, and it helps a lot. Thankfully there are ways to make this easier by utilising a password manager.
The options are plentiful, and I won't make a recommendation on which password manager to use, just that you should use one. When selecting one, do consider the compatibility across your devices, the security controls on offer, the ease of use and, without naming names, whether the password manager itself has been subject to a data breach (or several).
Many password managers will not only store your passwords for you, but also help you generate unique, stronger passwords, and even check to see if any of your accounts/passwords have been subject to a data breach.
4. Use multi-factor authentication
When and where you have the choice to enable multi-factor authentication (MFA) or two-factor authentication (2FA), do it.
Most applications of MFA/2FA can't guarantee your account won't be breached, but they go a long way. According to a few sources (Microsoft, for instance), the impact could be as great as helping to prevent 99.9% of attacks.
My estimates are a lot more conservative, because not all MFA/2FA methods are built the same. MFA/2FA received over SMS, for instance, can easily be spoofed, whilst fake login pages can be used to generate legitimate MFA/2FA challenges that you unwittingly respond to (this is called phishing).
Long story short - MFA/2FA helps a lot but isn't always bulletproof. Enable it for your work account, your email accounts, your bank account, everything.
5. Assess whether you've already been exposed
There are a few ways in which you can check to see if you have been subject to a data breach, but my favourite by far is Troy Hunt's website Have I Been Pwned (HIBP).
Head over and pop in your email address and/or phone number to see whether you've already been exposed to a data breach. If you have, now ask yourself the question, "am I using that same password for any other services?", and if you answer yes then go and change your password on all of those other services right away.
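HIBP also lets you check a password itself without ever sending it anywhere, using its Pwned Passwords "range" lookup: you hash the password with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. The following is an added example (not code from the article or from HIBP) of that k-anonymity check. It assumes the public endpoint `https://api.pwnedpasswords.com/range/<prefix>` and its `SUFFIX:COUNT` line format; the sample response embedded below is constructed for the demo, so its counts are not real breach figures:

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """k-anonymity split: only the 5-char prefix leaves your machine."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times our suffix was seen in breach data (0 = not found)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def check_password_offline(password: str, range_body: str) -> int:
    """Run the comparison against an already-fetched range body."""
    _, suffix = split_hash(password)
    return count_in_range(suffix, range_body)


def check_password_live(password: str) -> int:
    """Same check against the real API (makes a network call)."""
    prefix, suffix = split_hash(password)
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range(suffix, body)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" begins with it).
# The suffixes and counts are made up for this demo, not real API output.
SAMPLE_RANGE_BODY = """\
0A1B2C3D4E5F60718293A4B5C6D7E8F9012:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
FFEEDDCCBBAA99887766554433221100FED:1
"""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password_offline(pw, SAMPLE_RANGE_BODY)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample range'}")
```

The design point is that the service only ever sees `5BAA6`, which matches hundreds of hashes, so it cannot tell which password you were checking; a password manager's breach check works the same way.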
6. Use common sense
It (almost) goes without saying that common sense should apply to everything you do online. I'm talking about things like:
- be careful on public networks (think public Wi-Fi) which could easily be spoofed
- be mindful of where you use your username/password to access a service (think fake login pages)
- don't type your passwords out in plain view of others
- don't ever speak your passwords out loud
- don't use weak and predictable passwords
- don't share your passwords
- don't change your passwords in predictable ways (changing Welcome123 to Welcome1234 isn't making that much of a difference)
- don't use unsecured websites
- keep your devices updated as vulnerabilities are constantly being identified and patched
- don't leave your devices unlocked, even in the office (unless you want to buy the whole office doughnuts)
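The "predictable changes" point above (Welcome123 to Welcome1234) is something a password policy can actually test for. Here is an added example, not code from the article, of a small check that flags a new password as a trivial variant of the old one; the rule set (strip trailing digits and symbols, compare case-insensitively, and fall back to a small edit distance) is my own assumption about what counts as "predictable":

```python
import re

# Trailing digits and symbols are the part people bump from one change to the next.
_TRAILING = re.compile(r"[0-9!@#$%^&*()_+=\-.,?]+$")


def core(password: str) -> str:
    """Lower-case the password and strip the trailing digits/symbols that
    typically get incremented (Welcome123 -> welcome)."""
    return _TRAILING.sub("", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a trivial variant of `old`: same core after stripping
    the trailing digits/symbols, one contains the other, or the two are within
    `max_edits` edits of each other (all case-insensitive)."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if core(o) and core(o) == core(n):
        return True
    if o in n or n in o:
        return True
    return edit_distance(o, n) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs for the demo.
    for old, new in [("Welcome123", "Welcome1234"),
                     ("Summer2023!", "Summer2024!"),
                     ("Welcome123", "gfjrk-ql0zx-twv9p")]:
        print(f"{old!r} -> {new!r}: predictable={is_predictable_change(old, new)}")
```

A check like this is deliberately strict in one direction only: it will catch the common "bump the number" habit, but a genuinely new, unrelated password always passes, which is the behaviour you want from a password-history rule.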
In closing
Your employer might have significant amounts of technical and security debt that they're fast becoming aware of, and hopefully they're working hard to remedy the situation.
Nobody wants their employer to be in the news for all the wrong reasons, so by protecting your online identity and applying a little common sense, you can do your part to not only help avoid that but also protect your own online persona.