In the aftermath of the COVID-19 pandemic crisis, Amber Long is quitting her job. She weathered the tension of continued company cutbacks and survived months of remote-work isolation. Normalcy was at first distant, then seemingly closer as her company finally became more lenient on social distancing.
With the return of normalcy, however, Amber realized that normalcy meant returning to a job with no future and no room for growth. Like thousands of others, she’s moving on and hoping for better opportunities elsewhere. It’s a necessary, but amicable, goodbye.
That’s the surface story. Here’s the layer no one sees:
In 2019 Amber joined her corporation and was given access to its Office 365 tenant, shared company files, and the other internal and external systems she needed to do her job well. In 2020 a slight promotion gave Amber access to more critical systems and data. Then, as the world shifted and Amber began working from home, the Dropbox and Google Drive accounts she created for herself proved to be life savers as, like millions of others, she sought to make remote work a productive, viable option.
After she quit, IT collected Amber’s laptop, software, and peripheral devices. Human Resources collected her keys. Everything seemed accounted for.
It wasn’t, and here is why.
Bloomberg reported that the Colonial Pipeline ransomware attack happened because one single password was compromised. Amber’s company never used multi-factor authentication, and Amber never used a passphrase manager. In fact, everyone forgot that Amber had created Google Drive and Dropbox accounts, so no one knew to change her passphrases and revoke her access to all the corporate files that were uploaded. This lack of company oversight and an individual lack of cyber responsibility creates situations like the Colonial Pipeline attack and the more recent JBS meat processing ransomware attack.
Amber Long is not a real person, but this is a real story. Does your company have a list of all the different systems that each employee has access to? Do employees create unique, complex passphrases for each account? Who keeps that list of systems?
Within corporations, there needs to be a unified effort between HR, IT, and cybersecurity to ensure these open doors to company systems and data are managed and secure. One slip up—like reusing a work password and email address on a private Facebook account—and a network without multi-factor authentication and good passphrase practices is easy to break into. In CBS’s 60 Minutes report on June 6, fellow cyber professional Tom Pace shows it doesn’t take much technical skill or time to mount a successful ransomware attack. Websites rent ransomware for an automated hacking experience, which itself can take as little as five minutes.
The three reasonable and prudent steps companies should implement to protect these blind spots are:
- Track employee credentials (account ID and unique, one-way hashed passphrases) for all systems that are used and accessed.
HR, IT, and your cyber team must work together to know who has access to which systems, and to ensure that once an employee moves on, their access is immediately terminated.
- Turn on multi-factor authentication (MFA).
We can’t stress this enough. MFA only takes a short time to get used to and saves a world of trouble in case a user’s credentials are stolen.
- Use complex and unique passphrases for every site along with a passphrase manager.
As we’ve seen with the Colonial Pipeline incident, authentication should never be an afterthought. Make sure that you are doing your due diligence by creating complex passphrases for every application or website. Passwords are often simple and easy to break, but complex passphrases can exponentially increase the amount of time it takes a hacker to break into your systems, as this article by ProtonMail points out. A good passphrase management tool can help with both creating and remembering them.
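The first and third steps above are the ones a script can actually check. The following is an added example, not code from the Carolina Cyber Center post: it reconciles a (constructed) HR roster against a (constructed) inventory of accounts the way an HR/IT/cyber handoff would, flagging accounts whose owner has left, accounts without MFA, and self-created SaaS accounts like Amber's Dropbox and Google Drive. It also estimates passphrase strength in bits of entropy, assuming a 7,776-word Diceware-style list and a hypothetical guess rate of ten billion guesses per second, to show why a six-word passphrase outlasts an eight-character password by orders of magnitude. All names, IDs and systems are made up.

```python
"""Offboarding access reconciliation plus a passphrase-strength estimate.

Added example; not the Carolina Cyber Center's code. Roster, accounts,
word-list size and guess rate are all constructed assumptions.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Account:
    system: str        # e.g. "Office 365", "Dropbox"
    owner: str         # employee ID from the HR roster
    mfa_enabled: bool  # multi-factor authentication turned on?
    sanctioned: bool   # provisioned by IT (True) or self-created by the user (False)


# Constructed HR roster: employee ID -> employment status
ROSTER = {
    "E1001": "active",
    "E1002": "terminated",   # the "Amber" case: left the company
    "E1003": "active",
}

# Constructed account inventory (what HR, IT and cyber should jointly maintain)
ACCOUNTS = [
    Account("Office 365", "E1001", True, True),
    Account("Office 365", "E1002", False, True),
    Account("Dropbox", "E1002", False, False),       # self-created, never revoked
    Account("Google Drive", "E1002", False, False),  # self-created, never revoked
    Account("VPN", "E1003", True, True),
    Account("Google Drive", "E1003", False, False),  # active user, still shadow IT
    Account("Jira", "E9999", True, True),            # owner not on the roster at all
]


def reconcile(roster, accounts):
    """Return findings in three buckets: orphaned, missing_mfa, shadow_saas.

    An account is orphaned when its owner is not an *active* employee
    (terminated, or unknown to HR entirely).
    """
    findings = {"orphaned": [], "missing_mfa": [], "shadow_saas": []}
    for acct in accounts:
        if roster.get(acct.owner) != "active":
            findings["orphaned"].append(acct)
        if not acct.mfa_enabled:
            findings["missing_mfa"].append(acct)
        if not acct.sanctioned:
            findings["shadow_saas"].append(acct)
    return findings


def offboarding_actions(findings):
    """Turn findings into a sorted, human-readable action list for IT."""
    actions = set()
    for acct in findings["orphaned"]:
        actions.add(f"REVOKE {acct.system} access for {acct.owner}")
    for acct in findings["missing_mfa"]:
        actions.add(f"ENABLE MFA on {acct.system} for {acct.owner}")
    for acct in findings["shadow_saas"]:
        actions.add(f"BRING {acct.system} ({acct.owner}) under IT management or remove it")
    return sorted(actions)


# --- passphrase strength ---------------------------------------------------

DICEWARE_WORDS = 7776          # assumed word-list size (6^5, as in Diceware lists)
PRINTABLE_ASCII = 95           # assumed alphabet for a "complex" password
ASSUMED_GUESSES_PER_SEC = 1e10  # hypothetical attacker guess rate


def entropy_bits(symbol_count, alphabet_size):
    """Entropy of a uniformly random string: count * log2(alphabet size)."""
    return symbol_count * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_sec=ASSUMED_GUESSES_PER_SEC):
    """Years needed to try every possibility at the assumed guess rate."""
    return (2 ** bits) / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    for line in offboarding_actions(reconcile(ROSTER, ACCOUNTS)):
        print(line)
    pw = entropy_bits(8, PRINTABLE_ASCII)      # 8-char random password
    pp = entropy_bits(6, DICEWARE_WORDS)       # 6-word random passphrase
    print(f"8-char password: {pw:.1f} bits, ~{years_to_exhaust(pw):.3g} years")
    print(f"6-word passphrase: {pp:.1f} bits, ~{years_to_exhaust(pp):.3g} years")
```

Run it as-is to see the action list and the two strength estimates; in practice the roster would come from the HR system and the inventory from an identity provider export plus whatever self-created accounts employees are asked to declare. The entropy figures assume the password or passphrase was generated randomly; a human-chosen "complex" password is usually far weaker than its length suggests, which is exactly why the post recommends a passphrase manager for generating them.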
All three of these steps are either low-cost or free measures you can take to dramatically improve the cyber safety of your company. At the Carolina Cyber Center, we want to earn the right to partner with you to keep your company safe. Start with these reasonable and prudent steps for cybersecurity and contact us with any questions you might have!
Whether you are new to IT or a seasoned professional, the Carolina Cyber Center provides training at every level. To learn more about what the Carolina Cyber Center offers, visit our website or call us at 828.419.0737.