This week Verizon released the results of its annual IT security study, conducted in cooperation with the U.S. Secret Service and the Netherlands Police Agency. The study found that while the number of breaches rose to a record high of 760 in 2010, the number of records compromised in the process fell dramatically, to around 4 million from 144 million in 2009. Hacking and malware continue to make up the largest share of the problem, but physical intrusions, such as compromising an ATM, were up sharply.
But maybe the thing that continues to provide the biggest back door for hackers is the failure of organizations to exercise consistent and rigorous password policies and users to follow them. Peter Tippett, VP for security and industry solutions at Verizon, described stolen passwords and credentials as "out of control" and said it's a particular problem in financial services, retail and hospitality.
The best hardware and software, fortified by stringent access rules, is a powerful defense. But one misplaced set of credentials in the hands of a perpetrator nullifies all that hard work.
Whenever I see a smoker, I want to ask them, "Did you not get the memo?" I feel the same urge when I see people using easily guessed passwords and usernames, or, worse, using the save-password feature in their browser to store a really weak password.
I recently counseled a colleague who had saved their PayPal username and password in their browser and had no screen saver lockout and no "sleep" lockout on their computer. They never stopped to imagine that someone could walk up to their computer, go to PayPal, get into their account and send money to themselves. In this case, they were bringing their personal online behaviors into the workplace, potentially compromising themselves and maybe the company, if they were doing the same thing with corporate network credentials outside the office.
Maybe we need to create a 12-step program for recovering offenders. Call your sponsor before you make a bad password decision. It would be almost comical if it weren't so serious. What everyone can do first is clean up their own house. Flush those passwords from your browser and commit to multiple strong passwords. And if your organization has a password policy, follow it. If it doesn't, tell them to get one.
Did You Get the Memo?