December 14, 2017 by David Gambrill, Editor-in-Chief
Almost all (99%) of U.S. business professionals surveyed in the third part of Intermedia’s 2017 Data Vulnerability Report admitted to taking at least one potentially dangerous action that increased the likelihood of a workplace data breach.
These risky actions included sharing login credentials, storing passwords on computer desktops, sending sensitive or confidential client information to personal email accounts, and using the same passwords for personal and work accounts.
Nearly one quarter (23%) of the 1,000 employees surveyed said they worried someone outside of their company could hack or access files due to an email breach, and yet they ignored best practices for keeping passwords and data secure, opting instead for more expedient—and dangerous—practices. Among them:
Recently in Ontario a broker received a reprimand from RIBO for forwarding emails containing brokerage client information from her work email to her personal email account.
Jonathon Levine, chief technology officer at Intermedia, told Canadian Underwriter that some of the survey results were not a surprise. “People are always trying to balance their desire to keep things safe and secure with their desire to get stuff done.”
Getting stuff done may require working remotely or from home, and the transfer of information from one place to another is not always done in a secure environment.
“For stuff that is really critical and sensitive, you want to use some kind of enterprise sync and share product,” Levine said. “You want to do that partly because of the encryption, but you also want to do that because you want to have some kind of administrative control over the data.”
For example, if an employee is emailing work to themselves from a remote location, or if they are using publicly available, cloud-based file-sharing options such as Dropbox or Evernote, a brokerage has no control over that data when the employee leaves the company.
“A small brokerage is not a one-person brokerage, but rather a five-person or a 10-person brokerage, and they are going to have turnover,” Levine said. “And if brokers are storing their client information in their own Dropbox, or in their own Evernote in the iCloud, then in the best case, what you’ve done is you’ve let them walk out the door with their book of business. And in the worst case, what you’ve done is let them expose their customers to some kind of data security breach.”
The need to store passwords arises because people are constantly advised by IT people to create multiple, hard-to-crack user IDs and passwords, Levine says, adding that there are existing databases that hold literally 1 billion passwords.
“I tell people, ‘Don’t use the same password at multiple services, because if you use your work password at OKCupid, and OKCupid gets hacked, then your work password is going to be hacked, too,’” he says. “And then I tell people, ‘Oh, by the way, use a separate password for each service, but you should also use a password that’s hard to guess.’ Hard to guess correlates with hard to remember.”
Small businesses, including brokerages, should be investing in some kind of password management system that will remember passwords and keep them stored in one place.