Cybercrime has been making headlines these days, and the most recent of which is the data breach reported on millions of Dropbox accounts. Given the circumstances, companies are reminded again to beef up their IT support to pave the way for better network control and prevent customer data from being compromised.
The Threatening Combination of Human Error and Passwords
Late last month, reports indicated that email and password data from over 68 million Dropbox accounts hacked from four years ago had leaked online.
Back in August 2012, Dropbox confirmed that a stolen employee password was used to gain unauthorized access to a project document, which contained user email addresses. The breach led to users receiving spam in their email associated with their Dropbox account, prompting the company to put additional security controls, along with a recommendation that customers keep different passwords for each website or service they use.
Dropbox is prompting customers who have not changed their password since the 2012 breach to update their credentials the next time they sign in, although the company maintains that such accounts have not been accessed illegally.
Interestingly, another breach happened in August 2012, when a hacker stole 6.5 million encrypted passwords from LinkedIn’s user accounts. Fast-forward to May this year, and new reports indicated that a hacker was selling 117 million LinkedIn log-in credentials on a dark web marketplace. It’s not known whether the new loot includes the records from the 2012 breach, but the sale was said to be going for about $2,300.
IT Security Best Practices in Managing Passwords
From these data breaches, it’s safe to assume that companies need stricter security controls to protect their users’ information. Here are some things to do and remember:
Introduce good password management policies.
Passwords are the first line of defense for customers’ online accounts, so authenticating them should be as foolproof as possible. The Dropbox data breach is especially significant because the company’s own employee failed to follow password management practices.
Some customers refuse to use different passwords for different applications, mainly for convenience, so you should clearly define standards for how they should choose their passwords.
You also need a good password management system: use password hashing (transforming a string of characters into a fixed-length value that represents the original string) and two-factor authentication (the two authentication factors should be different from each other) in your service applications.
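As an added example (not code from the article or from Dropbox), the Python below shows the two mechanisms this paragraph names: salted PBKDF2 password hashing with constant-time verification, and an RFC 6238 TOTP code as an independent second factor. The iteration count, the record format and the login flow are assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Assumed parameters (not from the article): PBKDF2-HMAC-SHA256, random 16-byte salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>.
    The password itself is never stored; only the salted, slow-to-compute digest is."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, record):
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the usual authenticator-app second factor
    ('something you have', distinct from the password, 'something you know')."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret, code, at_time=None, window=1):
    """Accept the current code plus one step either side to tolerate clock drift."""
    at_time = int(time.time()) if at_time is None else at_time
    candidates = [totp(secret, at_time + k * 30) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)

def login(record, totp_secret, password, code, at_time=None):
    """Both factors are always evaluated, so a failed login does not reveal which one was wrong."""
    ok_password = verify_password(password, record)
    ok_code = verify_totp(totp_secret, code, at_time)
    return ok_password and ok_code
```

The TOTP secret in a real deployment is generated per user with os.urandom and shown to the user base32-encoded (base64.b32encode) for enrolment in an authenticator app.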
Identify and safeguard critical systems or applications used by the company.
You can prevent unauthorized access to critical systems or applications within your organization by enforcing strict controls, such as a different authentication method for each, encryption, or even data loss prevention tools, depending on their associated risks.
The same goes for access to general-purpose applications: those credentials should be different from the credentials used for critical applications or privileged accounts.
Additionally, you could require separate credentials and authentication for internally and externally used applications. The premise is that if both internal and external applications share the same password, the company’s systems have less protection.
Determine which of your systems has the same security features or requirements.
For applications with the same security requirements, using the same password may be allowed, as long as the security policies and guidelines for using them are clearly defined and the control systems are properly set up.
To illustrate, you may set up the same password for the applications that record your employees’ overtime work and absences, since both are HR-related systems, and apply common and additional security requirements to both.
No one can overemphasize the need for companies to put the proper measures in their IT infrastructure to detect and prevent data theft. Dropbox just had a wake-up call about this.