This is risk reconnaissance. And I’m Brian Smith with the Insurance Office of America. I am joined today by Simon Lindley, the Information Technology managing consultant for Redstone Government Consulting. Simon discusses several aspects with regards to cybersecurity such as passwords, multifactor authentication, and utilization of USB thumb drives.
Simon, what is the primary prohibitor of online attacks?
Passwords, like when we’re working with a client on a shared service and we need to log in to do something for them on their behalf and so forth. You know, sharing the passwords securely using unique passwords because we’re just getting like, here’s an email with our entire spreadsheet of everything.
So you’re talking about password protecting a document?
Password protecting, like they’re sending us an Excel spreadsheet with all their passwords.
Why would they do that? What would possess a company to send all their passwords to you?
If we’re working on them with a managed accounting service. Managed accounting service where we’re helping take care of their books, we’re getting in, setting up our own accounts. They think it’s easier and faster to just send us everything. And it’s like, well, it is easier and faster, but at the same time we need to reset all those passwords now. Unless you got those funky services that require slightly different combination of passwords, using the same passwords for every single site and service.
Password Management Tools
What would you recommend that a company do if you’re going to work on a project like that?
We use a password management tool, and we invite them (to do so as well) and we have a shared collaboration thing that they can upload those passwords (in an) encrypted and secured (environment). We have access to those passwords and using a unique password for every individual site. So if you use it for Amazon, PayPal, and eBay, if one password gets compromised, you don’t have to go reset all three, you just have to only reset that one site. So, like the Equifax, only your T-Mobile account got compromised. You only have one compromise password, not everything, and you got to go change it from nano 123 to something else.
USB Thumb drives
What are some of the things that you’re finding that are trends or troubling for government contractors and furthermore, do they think they’re going to get hit?
They know they’re going to get hit; they get touched all the time. Our small firm, we’re not a government contractor. We get touched multiple times a day with people trying to get into our accounts. I mean, I can only imagine a government contractor working on something that is very interesting to get access to, whether it’s DOD or whatever. Just getting access to their information. They’d love to do that. So, they’re getting hit every day.
And then, the first question I ask anybody if they’re more cyber prepared – Can you use your USB port on your laptop with a thumb drive? Can you plug it in and copy stuff to it? More than 50% still say they can, so that just tells me they can just take data right off and walk off with whatever they want and most of the time it’s not malicious, but you don’t want that even to be a possibility. It takes very little time for any organization to disable that organizationally wide, within a matter of moments. They can disable all of them. The biggest thing is a culture change and making people aware that unfortunately bad people are out there and they want to take stuff from you no matter what you do.
It’s a common opportunity that you see from companies. That is one of the main things, is the thumb drive access.
Is that pretty common?
Yeah, it’s just a telling, if they’re not doing that, they’re probably not taking the other preventative measures to do multifactor authentication. Making sure when you log into your computer that, you know, if somebody’s logging in at 8:00 PM at night, you’re not near your computer and it’s prompting and you’re on your phone while you’re watching Netflix. Well, why is somebody logging onto your computer at work? You know, deny, you know, but we’ve had users hit approve even though they’re watching Netflix nowhere near their computer. It’s a big culture change instead of just trusting everything and click, click, click. We have intelligent people; it’s just morphing that so that they’re even more intelligent and think like the bad guys. Unfortunately that not everybody’s out there to do good.
Simon Lindley is with Redstone Government Consulting and serves as their Information Technology Manager. www.redstonegci.com