Q&A with Phil Mauritz, Director at Okta
Updated: Jul 19, 2021
[Editor's note: For this month’s Q&A we have our friend Phil Mauritz talking through why security is important, the risk factors, and real-world steps you can take to protect yourself. Phil has built his career thinking strategically and long term both as an investor and as an operator. Phil is currently a Director of Global Business Value and Strategy at Okta.]
Who is a target for hacking?
Everyone; if you own, borrow, or use a mobile device, computer, or any connected device in any capacity, you are prone to hacking. In fact, you can safely assume that at some point in your life you or someone you know will experience a breach of data or misuse of credentials. An interesting website, haveibeenpwned.com, will actually very quickly let you know if your email address has ever been compromised. With over 11.4 billion compromised credentials on record, I would imagine you could be one of them.
Why should business owners worry about hacking? They don’t have billions of dollars nor do they have large tech infrastructure.
No matter the size of your organization, the security of your digital assets as well as your customers' and employees' personally identifiable information (PII) should be top of mind. Take a small healthcare-focused technology organization or a “Mom and Pop” pharmacy down the street. Security should be paramount for not only reputational and lost business costs in the event of a breach, but also for the variety of downstream legal, regulatory (HIPAA in this case), and other post-breach response costs: consulting and legal services, restitution to victims, technology recovery, and ransomware/extortion. Other potential costs include possible fines if in breach of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to name a few; there are many more. According to a widely benchmarked industry study by the Ponemon Institute, the average cost of a breach for an organization was $3.86 million in 2020. For companies with fewer than 500 employees, those costs were on average $2.35 million.
What’s the most common way people get hacked?
Data on this varies by industry and source, particularly since hacking itself is a fairly broad term. When speaking of malicious data breaches: compromised credentials (user name, password, etc.), misconfigured IT solutions, vulnerable third-party software (malware), and phishing rank among the top methods by which individuals and corporations are hacked. And yes, there are certainly more.
As SMBs start moving more to cloud services, how does that change how they should think about security?
Security begins with awareness. This applies to cloud, on-prem, or hybrid environments. Every member of an organization should play a role on the security team. They should participate actively in ensuring the security of their customers’ and fellow employees' data and credentials. There are a variety of resources on how to educate and enable your workforce to protect themselves and your organization; I highly recommend adopting and reinforcing those best practices early and often. After awareness comes technology. Your IT and Security experts should be adopting best-of-breed technologies to protect against the variety of methods used to hack that we discussed earlier.
From a purely technological standpoint, companies should be thinking about how to best layer and enforce authentication factors and policies for the resources that their workforce and customers access. The most basic factors for multi-factor authentication (MFA) include passwords, security questions, and SMS/Voice/Email OTP (one-time password). As we know, traditional passwords can be compromised, security questions can be socially engineered, and even SMS/Voice/Email OTP can be intercepted. Layering more sophisticated factors like Mobile/Desktop OTP and Physical OTP tokens ensures higher levels of protection. Beyond that we move to Biometric-enabled push notifications, FIDO 2.0, BYO SAML, and OIDC Authenticators, among others. Some of that may seem a bit technical, but the key takeaway here is that passwords were the first and oftentimes weakest link. The future is passwordless altogether, but we can leave that for another chat.
Securing your identity is critical, personally and professionally. What are the most important steps for people to take to protect their identity?
On a personal level, think carefully about what you share about yourself online, on the phone, or in public. Professionally, do the same. Don’t click on links in emails from people or companies you don't recognize. Don’t accept unexpected push notifications. Check to make sure email addresses and embedded URLs are correctly spelled and actually make sense. Educate yourself, your employees, and the people around you on how to be safe in a digital world. We lock our doors at night, look for cars before crossing the street, and put our Social Security cards in a safe place; behave accordingly with your digital identity.
What are you reading or watching?
Wait, is this a hack?