All businesses are scared these days of having their data stolen by highly sophisticated foreign computer experts – and yet a surprisingly large number of “hacks” are actually very low-tech affairs, carried out by people with minimal computer skills. The good news is that some simple measures can reduce the risk.
According to a study by the Ponemon Institute, the vast majority of CEOs view sophisticated intentional hacking as the biggest data security problem they face. The vast majority of IT managers, on the other hand, see the biggest threat as careless employees who haven’t received basic security training about phishing, passwords, cloud access, and the like.
To take one example, you might have heard that a St. Louis Cardinals baseball team employee was recently sentenced to jail for hacking into the computer secrets of a rival team, the Houston Astros. But you might not know exactly how he did it.
When two Cardinals employees left to go to work for the Astros, Cardinals manager Chris Correa required them to turn over their Cardinals laptops and tell him their passwords.
When the first of these employees (Employee #1) arrived at the Astros, he used a computer password that was almost identical to the one he used with the Cardinals. Correa was able to guess the password and get into the Astros’ system.
When the Astros suspected something was up, they sent an e-mail to all employees requiring them to change their passwords. The e-mail contained a temporary password that employees could use to access the system and create a new password.
You guessed it – Correa found the e-mail that went to Employee #1. Then he used the temporary password to get into Employee #2’s account and steal even more data.
Prosecutors claimed Correa caused the Astros losses of $1.7 million. And a simple requirement that new employees choose a password that’s very different from the one they used with a previous employer could have prevented this very low-tech, low-skilled attack.