Very few of us do as much to protect our own material as we do to protect a bike left outside a shop. But it’s time to change. We have to take responsibility for the security of our own data under our own control.
Unfortunately, in order to be able to do that, we have to understand some of the issues.
Few people, it seems, can be bothered.
It isn’t clear how the celebrity picture hack worked but Apple seems to think that it was the result of hackers getting passwords by social engineering, phishing or guessing security questions. In reality, it’s probably not that difficult to establish a celebrity’s answers to common security questions; it’s the sort of information that’s widely known.
But in order to get a password reset, the hackers must have had access to the celebs’ email accounts. That’s entirely possible given the ways in which people choose passwords. In one recent example, nearly one third of people using one high-profile website had 123456 as their password. Some people are more cunning and use abc123. The top ten passwords were used by nearly two thirds of users. So if you’re trying to crack somebody’s password, there’s a good chance you’ll do it with one of the top ten shown by SplashData.
Even a more challenging password might not provide much protection: I recently demonstrated that an 11-character dictionary password could be cracked by a very ordinary computer in under ten minutes using tools freely downloadable from the internet. Yet it isn’t difficult to set a strong password (as we will show you in next month’s blog).
But the problem is that people don’t even seem to think about keeping their material safe. For example, suppose you suddenly find your laptop isn’t working and you have to send it for repair. The engineer will probably have access to everything on it. As for smartphones, did you know that, in simple terms, anything on a phone can be recovered, even if it has been deleted? Even more worrying is that it’s probably still recoverable from the phone even after a factory reset.
What all this means is that, from a commercial point of view, BYOD (Bring Your Own Device), an idea that has become popular over the past year or so, could be high risk, especially in small companies without a skilled IT department.
Even if an individual is using company-supplied equipment with good password protection, if they’re using the type of home data storage device known as Network Attached Storage (NAS), the company information might still be at risk. That’s because so many of these devices are badly configured.
The solution to all of this is for everybody to understand the importance of data security.
From time to time I talk to local school pupils about online security. I always tell them that there is one golden rule they have to understand and remember: always assume that anything you do electronically will be publicly visible forever. It’s a lesson that we should all take to heart.