After talking to her office-working brother, my hairdresser the other day was extolling the benefits of using numbers, capital letters and other characters to create the various passwords she enlists to access countless private accounts daily. Up until that impromptu conversation during an Independence Day barbecue with family, she had never given usernames and passwords much thought. Most of the time, her private email address and dog's name seemed to suffice.
Her brother hadn't really paid much attention to his personal (or professional) passwords either. However, after some well-publicized breaches of credentials at the likes of LinkedIn, eHarmony and Formspring, his company felt the need to invest in some end-user security awareness and training.
Unbeknownst to his organization's executives, their decision could not have been more timely given the now-bedeviling news that some 450,000 Yahoo members have seen their usernames and passwords stolen by the hacker group D33ds Company. Yahoo seemed to make the thieves' job quite a bit easier by shockingly failing to at least encrypt these bits of juicy information.
So here we have an ever-growing string of attacks that seems to point to some online criminals' rising interest in stealing and exposing usernames and passwords. Yet a long-standing and recognized company like Yahoo presumably took no measures to ensure sensitive stuff like customer account credentials – which undoubtedly will lead to a bevy of additional private goodies and surely some spikes in spam and phishing incidents – were kept safe and sound.
Seriously?
We've heard time and again that the fear, uncertainty and doubt (FUD) argument to gain support has been long dead. Compliance efforts, according to many practitioners, still seem to resonate with lead executives. But if this were true then encryption would be a top expenditure given that it's often a requirement cited in many mandates.
And lest we forget, criminal interest in sensitive data really has been pretty consistent – with some jumps here or there. In other words, incidents involving more technically, well-versed online bad guys constantly and aggressively testing small and big players' system security and then making off with some critical customer information or intellectual property are not so new.
So back to FUD? How long did it take Sony's executive leaders last year to put in place a CSO? Did the corporate security light bulb, apparently long dim, light up after the company was victimized by Anonymous for, what, a third time?
Meanwhile, there are many organizations that have their security and risk management plans down and are constantly evolving them to account for gaps that inevitably arise. These don't make the headlines. They acknowledge that defense-in-depth measures have their place and that current times dictate an acceptance that their corporate networks likely have been infiltrated by the bad guys, hence the need for newer network monitoring and other more advanced technologies and processes that provide actionable insight when culprits are found. They understand that security awareness training is cheap and, in some instances such as my hairdresser's brother, impactful.
Large, well-known and successful companies like Yahoo, LinkedIn and others should be one of these. They set the example either way and, sadly, it's the one not to follow.
Illena Armstrong is VP, editorial director of SC Magazine.
