Pratum Blog

Are You Risking Security in Favor of Convenience?

Proper password habits feel like data security’s equivalent of flossing. Yes, we all need to do better with both. But if we’re pressed on how it’s going, most of us admit that we don’t even know where the floss is and that we keep most of our passwords on three sticky notes hidden under our keyboard.

We get it. Most days feel like a constant obstacle course of passwords and PINS, whether we’re trying to withdraw cash at the ATM, check a retirement account balance, use a retailers’ reward card or just stream a movie. The average American has 50+ passwords—many of which you use once or twice a year. (“Yes, specialty spice retailer, it looks like I DID forget the password that I created for Christmas of 2018!”)

Even the password’s inventor, the late MIT professor Fernando Corbato, turned antagonistic to the monster he created. He told the Wall Street Journal in 2014 that passwords have “become kind of a nightmare on the World Wide Web.”

Isn’t There A Better Option?

Password alternatives keep turning up, but no one has quite mastered the alchemy of an easily remembered, hackproof password. The “knock codes” LG added to its phones excited a lot of people, for example. Users simply tap out a chosen sequence on a blank screen to unlock the phone. But it turns out that 20% of participants forget their new codes within 10 minutes. So most people use very predictable patterns for their codes.

Biometrics are an easy-to-use option, but only if a company wants to pay to install fingerprint or retinal scanners on every device.

So the password abides. If we’re following the IT department’s advice, each password contains a different scramble of uppercase letters, lowercase letters, numbers and symbols. No wonder most of us give up and take the easy routes; 59% of us use one password everywhere, according to the password management company LastPass. Most people are willing to gamble convenience against the chance that a hacker will get the keys to their digital life.

As for writing every password down in one place…well, even Professor Corbato, Father of the Password, admitted that he kept a written cheat sheet of 150 passwords he was trying to manage. But the risk of that move isn’t going away. In June 2020, the “hacktivist” group Anonymous broke into the Minnesota Senate’s servers and hacked a file that Senate officials literally called “The Passwords File.”

And one more thing just to make the challenge even bigger: Experts advise against using the “Remember Me” function to log into web pages automatically. If someone gains access to your computer, they will have an open door into any password-protected website you use.

Real-World Password Solutions

But enough venting about password headaches. What are the current best practices for managing passwords in a way that’s secure and actually practical? Here are guidelines recommended by Pratum’s experts:

  • Use multifactor authentication whenever possible. This is the increasingly familiar approach that adds another layer of protection through steps such as texting you a verification code along with requiring a password. MFA involves two of the following three elements: something you know (password or PIN), something you have (a badge or a device) and something you are (fingerprint or voice recognition).
  • Use more complex passwords. Most of us use obvious phrases to make memorization easier. But when hackers’ software runs through thousands of password combinations per minute, they’ll eventually figure out “ILovePizza!”. Use more random combinations such as “1lovePws!”.
  • Keep rotating passwords. Yes, it’s a hassle when the IT team makes you change passwords every 90 days, and you may have seen news that this standard is falling from favor. But permanent passwords are actually recommended only for organizations that have extra protections in place such as multifactor authentication.
  • Use a browser plug-in such as LastPass. It stores all your passwords in one spot and lets you easily log into websites by choosing the appropriate passwords from your list. The plug-in requires its own password, so that no one can access your sites just by getting access to your computer. You also can use a password app to generate random, virtually uncrackable passwords for yourself. Do note that if you’re planning to use your workplace computer for this, you may not be permitted to install the plugin. And be sure to use a password manager that is encrypted and protected with MFA.
  • Log in to sites via a big, trusted company. You typically see this option as “Log in with Google.” This makes things simpler, and you’re using the expertise of a major company. But your password to that service obviously should be bulletproof.

If you’re wondering whether your password game is in the sweet spot of security and usability, a Pratum expert can help. To discuss a review of your policies, reach out to our cybersecurity team.

What's the Price of Your Organization's Data?

Have you ever put a price on your organization’s data? Some hacker out there is probably prepping right now to help you with that. They’ll gladly hold onto your data until you nail down exactly how much you’re willing to pay to get it back.

Ransomware, if you’re new to the term, works just like it sounds. A cybercriminal gains access to your system, encrypts the data so that you can no longer use it and then demands a payment (typically paid in Bitcoin) to let you back into your own data. If you’re attacked by a less sophisticated hacker, however, the encryption key may not work, leaving your data unusable.

The first big wave in 2015 went after consumer devices and small ransom payments, but attacks on businesses have surged in the last year. Some experts are reporting jumps of 70+% in ransomware attacks this year as millions of workers have begun working remotely. Some recent estimates say that hackers target 90% of financial institutions every year.

The Price of Your Data

Clear ransomware stats are hard to come by since businesses understandably get shy about telling the world that they’ve been victimized. Experts have pegged the average payment at anywhere from $5,900 to $41,000. The highest ransoms, however, surpass seven figures. In June 2020, for example, the University of California-San Francisco announced that it had paid $1.14 million (116.4 Bitcoin) to regain access to its data. (You can see the negotiations between the university and the hacker here.)

For victims, the total tab includes far more than the ransom. A 2017 attack forced shipping giant Maersk to close 17 ports, costing the company more than $200 million. Some companies refuse to negotiate and try to retrieve data through other means, which could get costly if your data wasn’t properly and securely backed up.

A business with little tolerance for downtime and no backup system will be especially likely to pay up. A medical facility that can’t access its patient records or scheduling system, for example, is effectively shut down. And damage to a brand can be a deciding factor. A law firm that loses control of its sensitive data may never regain clients’ trust.

All this shows why paying the ransom frequently feels like the least bad choice—and why industry observers call ransomware “the cybercrime of choice” and “your biggest online security nightmare.”

A Crime That’s All Grown Up

The ransomware scene has developed all the underworld trappings of a drug cartel or weapons bazaar. Bad actors can visit online marketplaces to bid on access to hacked computers. Or they can hire an RaaS (ransomware as a service) mercenary to do the dirty work for a cut of the ransom. A few ransomware providers even have well-run call centers to ensure that decryption goes smoothly after the payment. No respectable criminal, after all, can afford for victims to tell future targets that paying the ransom is pointless for retrieving data.

And like all innovators, cybercriminals keep creating new products. Some hackers pursue a “leakware” strategy, declaring that if you don’t pay the ransom, they’ll share your proprietary files with the world. So much for your data backup saving the day.

How to Lock Your Gates

Data kidnappers typically use phishing schemes to trick a user into clicking a malicious file that lets hackers into the system. Organizations with many dispersed users are especially tempting. In other words, nearly every company became a fatter target in 2020 as employees began working at home in large numbers. Other attacks skip the well-meaning end user and simply exploit known security holes.

Once the hackers enter the system, they may spend several days snooping around your files to determine exactly how to hurt you the most. They may also start monitoring communications among key employees—all in the interest of assembling a ransom offer you can’t refuse. With an airtight plan, they encrypt your data and announce the attack tailored just for you.

Obviously, hackers are bringing serious tools to this heist. So let’s consider some best practices for keeping both your data and your money where they belong:

  • Use appropriate backup strategies for necessary systems and information. Define and regularly review Recovery Point Objectives and Recovery Time Objectives and test backups regularly.
  • Enable real-time security monitoring and data loss prevention policies to identify intrusion attempts and validate that data has not been compromised.
  • Install up-to-date, next-generation antivirus/EDR (endpoint detection and response) software on every device. EDR tools prevent execution of malware that only tips its hand after entering your system and trying to execute.
  • Ensure your IT team (or an info security partner) properly configures the antivirus software—a frequently overlooked step.
  • Keep operating systems current with all available patches.
  • Educate employees to lower the risk of phishing schemes.
  • Limit users’ access to only the most necessary files, limiting how far an intruder can get with any given person’s credentials.

Pratum experts spend every day fending off the latest ransomware. If you’re ready to assess your company’s risk of attack, reach out to our cybersecurity team.

2020 is the Year of Virtual CISO

As millions of Americans dispersed to home offices this spring, a giant spotlight fell on business continuity plans across the country. Many of those plans, it turns out, were riddled with holes.

Nearly half of all working Americans are now telecommuting, according to Stanford University, revealing all the weaknesses in half-hearted business continuity plans that have been gathering dust for years. And just as the problem revealed itself, the budgets required to fix the issues were getting slashed.

While these challenges have always been present, the development of real solutions frequently fell by the wayside due to competing priorities and limited budget allocation. And now funds to fix things are scarcer than ever. In the public sector, for example, some states, such as Vermont, are anticipating budget cuts of up to 25%.

The fact is that an adequate continuity plan would’ve anticipated this. The world experienced several serious infectious outbreaks within the last 20 years with Bird Flu (H5N1), Swine Flu (H1N1) and Ebola. Fortunately, these diseases didn’t spread as quickly and easily as COVID-19, blunting their impact. But this also produced a false sense of security. Very few business continuity plans accounted for pandemics. In fact, many businesses didn’t even plan for more familiar threats such as natural disasters, malware attacks and downtime.

Where’s a CISO When You Need One?

Typically, a Chief Information Security Officer (CISO) would lead the way in preparing for these issues. A CISO focuses on balancing information security, risk, and general business challenges by asking key questions such as:

  • How can my agency (or department) ensure that business processes can be restored?
  • How can my agency access backup plans or ensure the recovery of lost data? Is this approach sustainable and controlled?
  • Are resources accessible offline even when access to company networks can’t be established?
  • How will we keep employees online?
  • How do we eliminate communication interruptions?
  • How can leadership and management effectively keep employees informed of plans for dealing with major disasters, sensitize them to the challenges and inquire about their preparation?

Right now, most budgets probably don’t include room to add a CISO to address the challenges revealed by 2020’s unique circumstances. But Pratum’s Virtual Chief Information Security Officer (vCISO) service is intended, by design, to fill that gap. This tailored service helps identify and implement viable business continuity planning/management and cybersecurity strategies and policies to maintain security effectiveness and meet regulation and compliance requirements.

How a Virtual CISO Works

A vCISO service creates actionable information security strategies and defines optimum information security direction. The vCISO will provide independent and objective input to ensure that your security posture is on track, recognizing areas of necessary improvement and continuing to support areas where you are already in compliance.

You can engage vCISO services for anywhere from a few hours to a per-project basis to a full-time basis. Your work with the vCISO will produce executive-level strategy, policy development and process creation for immediate adoption, implementation and operation of improvements.

A Pratum vCISO can assist with these areas:

  • Information security risk assessments
  • Business continuity planning/management and cybersecurity vision
  • Coordination, prioritization, and establishment of security initiatives
  • Risk reduction and mitigation through continual security improvements
  • IT audits
  • Policy review and development
  • Penetration testing
  • Disaster recovery and incident response
  • Penetration testing and vulnerability management (scanning)
  • Social engineering
  • Security awareness and training
  • Security consulting

With a vCISO in place, organizations will experience the confidence and safeguards provided by a sound business continuity management plan and a smooth process for recovering from severe disruptions.

Planning for the Next One

One clear lesson from 2020 is that the unthinkable is possible—and organizations can’t afford to stumble into the next challenge unprepared. When a new catastrophe strikes, it’s critical that we are all ready to address the situation calmly and appropriately. The price of being unprepared can be staggering. For example, the Federal Emergency Management Agency (FEMA) states that 40% to 60% of public entities will spend roughly 1.5 times their annual technology budget recovering from a business disruption.

With your Pratum vCISO and business continuity plan in place, you can avoid this outcome. Pratum will help identify your risks, find solutions to existing problems, and guide you safely through the next crisis.

For a better understanding of how Pratum vCISO services may be a fit for your organization, please visit Pratum.com/virtual-CISO.

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.