The Yahoo Data Breach and your SME

So you have read about the Yahoo data breach. This serious incident has a large effect on unrelated businesses that is not immediately apparent. If you believe it does not affect your business, I am going to explain why it will, even if you never had a Yahoo, Flickr, Tumblr or Rivals account.

  • Customers and employees tend to re-use their passwords.
  • Users do not like changing their passwords.
  • Customers and employees use their real details for security questions.
  • People click on links.

Even the most experienced digital native with the latest smartphone has the human habit of reusing passwords, especially for accounts of low importance to them. Your service or company login may be low on their priority list. You can avoid problems by enforcing long passwords (more than 15 characters) or pass phrases and by enabling two-factor authentication for employees (Google for Work supports this). Educating all your employees and users will help, but it is an ongoing task.
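As an added example (not code from the original post), the following Python snippet shows what enforcing the "more than 15 characters or a pass phrase" rule looks like at the point where a user sets a new password, combined with a check against passwords already known from breach dumps, since reused credentials are the whole problem. The breached-password list is a constructed sample, and the definition of a pass phrase (at least four words of three or more letters) is an assumption made here.

```python
import hashlib

# Constructed sample of passwords that have appeared in public breach dumps.
# Only SHA-1 digests are kept, so the plaintext list never sits in the code base.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "letmein2016", "correct horse battery staple")
}

MIN_PASSWORD_LENGTH = 16   # "more than 15 characters"
MIN_PASSPHRASE_WORDS = 4   # assumption: what counts as a pass phrase
MIN_WORD_LENGTH = 3        # assumption: ignore filler like "a" or "of"


def is_passphrase(candidate):
    """A pass phrase is several real words separated by spaces (assumed rule)."""
    words = candidate.split()
    return (len(words) >= MIN_PASSPHRASE_WORDS
            and all(len(w) >= MIN_WORD_LENGTH for w in words))


def check_password(candidate, breached=BREACHED_SHA1):
    """Return (accepted, reason) for a proposed password.

    Order matters: a breached value is rejected even if it is long, because an
    attacker replaying a leaked list does not care how long the entry is.
    """
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    if digest in breached:
        return False, "appears in a known breach"
    if len(candidate) >= MIN_PASSWORD_LENGTH:
        return True, "ok: length"
    if is_passphrase(candidate):
        return True, "ok: pass phrase"
    return False, "shorter than %d characters and not a pass phrase" % MIN_PASSWORD_LENGTH


if __name__ == "__main__":
    for pw in ("Sh0rt!", "Tr0ub4dor&3", "correct horse battery staple",
               "cat dog emu owl", "purple monkey dishwasher kettle"):
        print(repr(pw), check_password(pw))
```

The breached-list comparison here is local; in production the same hash-based lookup is usually done against a much larger list kept outside the application, but the policy decision stays the same.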

Let this be the year when you start using a password manager. There are many good tutorials on them and some are free. It will make it easier for you to keep separate passwords and to generate strong, unique passwords. You should also store your fake security-question answers there. This lets you keep answers you can change stored with the account details in an encrypted location. One obvious reason for not giving the real answer to "first pet" is that you only have one. Once a data breach occurs, that information can be used to hack your other accounts (through social engineering, for example). You should change your security-question answers after any data breach, or if you are reusing them across sites.

Even if none of your users or employees has reused a password, their email address is likely the same. Hackers can use the information stolen from these lists to create phishing emails that spread ransomware. It is difficult, if not impossible, to ensure that no-one ever clicks on a dangerous link, but the threat can be minimised through IT policies. This is a deep subject; Decentsecurity.com has some guides that might be an easy start. A very basic step would be ensuring that not all employees have admin access and using the latest version of your operating system that is available.

Europe is bringing in data-breach notification laws, and Irish companies have to follow the regulations by mid-2018. A recent survey reported that one-quarter of the Irish businesses surveyed do not have a plan in place. Now is the time to start understanding the regulations and preparing for a data breach, rather than scrambling after the fact. A basic step would be having a way to notify all your customers of a breach and to force them to change their passwords and security answers.
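The "force them to change their passwords and security answers" step is easy to say and easy to get wrong, so here is an added example (not from the original post) of the mechanics behind it in Python: every account is flagged so it cannot log in until reset, its stored security answers are marked invalid, and each customer gets a one-time reset token for the notification email. Only a hash of the token is stored, so a second leak of the user table cannot replay the reset links. The user directory is a constructed sample, the 24-hour token lifetime is an assumption, and PBKDF2 stands in for whatever password hash your platform uses.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: reset links expire after one day
PBKDF2_ROUNDS = 100_000         # stand-in for your platform's password hash


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _hash_token(token):
    # Tokens are high-entropy, so a plain SHA-256 is enough to protect the stored copy.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def make_sample_users():
    """Constructed sample user table; a real system reads this from its database."""
    users = {}
    for email in ("alice@example.com", "bob@example.com"):
        salt = secrets.token_bytes(16)
        users[email] = {
            "salt": salt,
            "password_hash": _hash_password("old password of " + email, salt),
            "security_answers_valid": True,
            "must_reset": False,
            "reset_token_hash": None,
            "reset_expires": 0.0,
        }
    return users


def force_reset_all(users, now=None):
    """Lock every account and issue one-time reset tokens.

    Returns (email, token) pairs for the notification system. The plaintext token
    exists only in this return value; the table keeps its hash.
    """
    now = time.time() if now is None else now
    notifications = []
    for email, record in users.items():
        token = secrets.token_urlsafe(32)
        record["must_reset"] = True
        record["security_answers_valid"] = False   # answers may be in the breach too
        record["reset_token_hash"] = _hash_token(token)
        record["reset_expires"] = now + TOKEN_TTL_SECONDS
        notifications.append((email, token))
    return notifications


def can_log_in(record):
    return not record["must_reset"]


def redeem_reset_token(users, email, token, new_password, now=None):
    """Accept a new password if the token is valid, unexpired and unused.

    The comparison is constant-time so timing does not leak the stored hash.
    Security answers stay invalid: the customer must set fresh ones separately.
    """
    now = time.time() if now is None else now
    record = users.get(email)
    if record is None or record["reset_token_hash"] is None:
        return False
    if now > record["reset_expires"]:
        return False
    if not hmac.compare_digest(record["reset_token_hash"], _hash_token(token)):
        return False
    record["salt"] = secrets.token_bytes(16)
    record["password_hash"] = _hash_password(new_password, record["salt"])
    record["must_reset"] = False
    record["reset_token_hash"] = None     # single use
    record["reset_expires"] = 0.0
    return True


if __name__ == "__main__":
    table = make_sample_users()
    for email, token in force_reset_all(table):
        # In practice this line is your "send notification email" call.
        print("notify %s with reset link containing token %s..." % (email, token[:8]))
```

Checking the new password against your length or pass-phrase policy belongs inside `redeem_reset_token` before the hash is written; it is left out here to keep the reset flow itself readable.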