It happens – cybercriminals use stolen passwords to hack into other accounts. Despite the warnings, people still reuse passwords across multiple sites. This recent incident is proof.
This week, popular cloud storage service Dropbox disclosed that a password stolen from another site was used to access an employee’s account that contained an internal document with user email addresses. Even though the users whose email addresses were stolen did not suffer any financial losses, they did have their inboxes flooded with spam advertising gambling websites.
This raises a number of troubling questions. First, why was an employee using a corporate password on another website? Second, why wasn’t the internal document encrypted? And third, why doesn’t such a prominent website have better security in place? With all of the high-profile security breaches over the last couple of years, you’d think companies would be doing more to protect themselves from the legal and financial liability a breach can cause, not to mention the damage to their reputations.
Doing more includes requiring two-factor authentication, training employees in basic security practices, encrypting documents and data, and keeping an eye on what employees are doing with sensitive company information.
In response, Dropbox plans to introduce two-factor authentication and push some users to change their passwords if they haven’t changed them for a long time. They’re also going to give users ways to identify suspicious activity on their accounts.
But why did it take a hacking incident to prompt Dropbox to implement such standard security practices? Especially since the same thing has already happened elsewhere – numerous times?
The takeaway for IT managers is this: cloud services can’t be completely trusted to protect what we so willingly hand over to them, and neither can employees.
Compounding the problem is that users are increasingly signing up for online file sharing applications without involving IT, according to a recent survey by security vendor Symantec. The survey of over 1,300 IT decision makers revealed that 29% believed their employees would go ahead and download a free file-sharing application without consulting them first.
Therefore, training users in basic security practices (emphasizing the dangers of reusing passwords) and giving them an approved cloud storage and file sharing option before they start using one on their own are two things IT managers can do to avoid becoming the victim of a successful hacking attempt like the one at Dropbox.