Cybersecurity is largely about risk management. You need to evaluate how much you are willing to invest to mitigate the risk of a successful cyberattack, versus how much a successful attack could cost your organization in terms of data loss, reputational damage, disruption of operations, legal consequences, etc.
Last year, I gave several classes on Cybersecurity to senior executives. In every class, I asked the participants how many of their organizations had been victims of a successful cyberattack during the last year. And every time, at least 10% of the participants raised their hands. In some cases, they were victims of ransomware. In several cases, the cybercriminals managed to compromise their physical operations.
After some of the participants shared their stories, I asked another question: how many of you use a different password for each of your online accounts? Every time, less than 5%. How many use a password manager? Even fewer. In some cases, the attendees were IT professionals or General Managers.
I get it. Convenience trumps rationality. But the reality is this: cybercrime is on the rise, and the cybercrime industry is getting more specialized. Because cyberattacks are largely massive and automated, scanning indiscriminately for any "opportunity", you don't need a special public profile to become a target.
This is true not only for companies but also for individuals. For example, the following is a graphic of data breaches up to September 2022. (A pity the authors haven’t updated their great graphic.)
If the data breach contained usernames and passwords, chances are a percentage of those passwords were cracked and resold on the black market. If you use the same password for different services, bad luck, because in a short time cybercriminals will try your Facebook password against your Gmail account. You know what follows: they reset your password and begin taking control of the many other online services you use that rely on your email address as a recovery mechanism.
One Simple Step You Should Take to Reduce Risk Significantly
There is one thing you should do today to significantly reduce the risk of being hacked: use a second factor to authenticate your online accounts. If you are a company, embrace this for every user in your company.
Second-factor authentication (2FA), also called multi-factor authentication (MFA) or one-time password (OTP), means configuring your online service to ask you not only for your password but also for a token. This token is a number generated by an app every 30 seconds. It can also be sent to your email, or as a text message to your phone. (For reasons we won't explain here, the safest of these methods is relying on an app.)
With 2FA enabled, even if someone manages to steal your password, the cybercriminal won't be able to access your account, because they cannot generate the token.
If you are a company or an organization, you should do a complete assessment of your company’s current situation. This is not intended to be a quick fix, but a simple step that you should take nonetheless.