Cybersecurity, part 1: How to avoid a website breach
2 February 2017
By Tiffany Regaudie
Cybersecurity is a reputation management issue that every investor relations professional should be aware of. According to a 2016 report by the Ponemon Institute, the cost of cybercrime has risen by 23 percent and “annual losses to companies worldwide now exceed $9.5 million.”
The important thing to remember is this: once information lives on a network, it’s at risk of being hacked. While there may not be a foolproof way to protect information, there are several ways to significantly reduce risk and ensure leaks are contained. Here’s what you need to know about protecting your online information.
Passwords are no longer enough to protect your information. Hackers now have the means to test billions of password combinations in a matter of seconds, and according to Heimdal Security, 65% of people use the same password everywhere. Two-factor authentication (2FA) is a way to verify your identity after you’ve entered your password, and it’s fast becoming a gold-standard method for authenticating users.
The easiest way to think of 2FA is that it’s “something you know, and something you have”. The “something you know” is your username and password to your website content management system (CMS). These allow you to log in and make changes to your website when needed. The “something you have” is a device like your smartphone, which has been approved to receive an access code to complete the CMS login process.
Security always comes at a cost, and that cost is usually ease of use. For example, if you lose your approved device, you may be unable to make a change to your website in an emergency. On the flip side, if someone guesses the password to your CMS, they are less likely to access your online information, because they would also need your approved device to complete the login.
Thoughtful security questions
The #1 rule in choosing a security question: make sure the answer is never public record.
In 2008, emails belonging to Republican vice-presidential nominee Sarah Palin were hacked because the answer to her security question was information a hacker easily found with a Google search. According to Wired:
“The Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.”
Facebook is currently trying to make security questions a thing of the past. According to Ars Technica, Facebook is starting to offer password recovery services to GitHub users by allowing Facebook users to “create a GitHub recovery token in advance and save it with their Facebook account. In the event they lose their GitHub login credentials, they can reauthenticate to Facebook and request the token be sent to GitHub with a time-stamped signature.”
Monitoring all news sources is important for keeping track of your company’s reputation. When you know what the mainstream media is saying about your company, you can also gauge how vulnerable you are to a cyber attack. Hackers enjoy reacting to negative news about a company’s reputation with attempts to hack information, which means IROs and website providers need to be extra vigilant about cybersecurity during a reputational crisis.
Some great tools exist for monitoring news about your company. Setting up simple Google Alerts for your company’s name and any relevant terms can keep you in the know about information circulating about your company online. Also, since much of today’s news and online conversation lives on social media, you may want to invest in a tool like Hootsuite or Muck Rack to help keep your finger on the pulse of your company’s reputation.
When information is hacked, whether it’s private customer information or internal communications, a quick and transparent response is key to salvaging reputation and trust. Keep an eye on the blog for part 2 of this series on cybersecurity: how to react to a website breach.