After news broke earlier this month that hackers had gotten their hands on nearly 7 million Dropbox login credentials, the familiar media chorus of password safety tips soon followed. You likely saw the headlines: "How to Change Your Dropbox Password". "It’s Time to Enable Two-Step Authentication on Everything". "Never Ever Reuse Your Passwords".
It’s not that good password hygiene isn’t important. Enabling two-factor authentication, not using the same passwords for multiple sites, changing passwords every couple of months -- these are all aspects of a smart and savvy approach to protecting the files and data that you store online. But they’re not foolproof. As hackers grow increasingly sophisticated, even users following all the "rules" may see their login credentials compromised as part of an attack. Additionally, for companies whose employees use consumer-facing platforms, enforcing password safety rules can sometimes be a challenge. Whether it’s a result of hacker expertise or human error, when passwords fail, companies must make sure they have a backup plan in place.
Let’s consider the Dropbox incident for a moment. Imagine that you manage a top-secret operation for Company X that involves the creation of an awesome new kitchen appliance. Your research and development team has spent years determining the perfect and most efficient way to create crisp bacon, and finally, the plans for the product are in place. Each engineer has been sent manufacturing instructions and it’s almost go time. And then… a Dropbox leak happens. Unbeknownst to you, one of your engineers had saved the product designs to his Dropbox account. The plans for your prized bacon cooker, the most innovative bacon machine ever, are now in the hands of hackers. And there’s nothing you can do about it.
Sure, you can remind your employees that they should have changed their passwords more often. And you can tell them how to be smarter about creating passwords in the future. But none of that can change the fact that your product is in jeopardy. The whole scenario would be different, of course, if you had a backup plan -- some way to revoke access to these important files immediately after you realize they’ve been compromised, or to thwart hackers from accessing those files in the first place, even if they had a list of passwords at their fingertips. But as tends to be the case with backup plans, having these sorts of measures in place requires upfront planning. Rest assured that the time and resources spent on solidifying your password backup plan today will save your company major headaches and possibly financial losses later on.
To protect against the weakness of passwords, companies should ensure that access to important corporate files requires sophisticated authentication. We’re not talking two-factor authentication here -- while that approach may be enough for safeguarding the family recipes you store in your iCloud, protecting multimillion dollar product plans and financial data necessitates having sophisticated access controls and multi-factor authentication in place. Ideally, employees should use one strong credential to log into an identity gateway (like PingIdentity or Okta), which enables them to access all the right applications and data without managing multiple passwords of various strengths. For more traditional IT shops, tying file and application access more directly to Active Directory may also work well enough. Finally, for collaboration with the outside world, organizations should set up a secure means of login for external users, who will not have accounts in Active Directory or be connected in many cases to your identity gateway. Even the sort of straightforward email-based authentication your bank may use is likely better for external users than passwords, but the key is to have the option to mix and match. With these types of controls activated, a password leak won’t even cause you to break a sweat.
Comprehensive Controls
The next aspect of your password backup plan must involve having file-level controls in place. Remember how great it would have been to simply revoke access to those bacon product designs with the click of a button, Harry Potter-style? The good news is this is completely possible, and it does not require the Accio spell -- just a strategy in place for remotely controlling documents at the file level. By ensuring that comprehensive controls are in place each time an employee receives important files, you are giving IT a critical capability: the ability to revoke access remotely at any point if there is even an inkling of suspicion that the file might be compromised.
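To make the two ideas above concrete (one gateway credential with multi-factor authentication from the previous section, and file-level controls that can be revoked remotely from this one), here is an added example that is not part of the original article and not WatchDox code. It models a hypothetical identity gateway that issues HMAC-signed tokens carrying an "mfa" claim, and a hypothetical file control server that keeps the per-file key itself and releases a readable copy only to a caller presenting a valid, MFA-backed token for a user still on the file's access list. The file names, users and plaintext are constructed, and the keystream cipher is a stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- Hypothetical identity gateway (the single-credential login point) ---
GATEWAY_SECRET = secrets.token_bytes(32)  # constructed: the gateway's token-signing key


def issue_token(user: str, mfa_verified: bool, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Return a signed token recording who logged in and whether MFA was completed."""
    now = time.time() if now is None else now
    payload = {"sub": user, "mfa": mfa_verified, "exp": now + ttl_seconds}
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(GATEWAY_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the token's claims, or None if the signature is bad or the token expired."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(GATEWAY_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    return None if claims["exp"] < now else claims


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream); stand-in for a real AEAD.
    Each file gets its own single-use key, so no nonce is modelled here."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# --- Hypothetical file control server: holds keys and the per-file access list ---
class FileControlServer:
    def __init__(self) -> None:
        self._keys = {}   # file_id -> per-file key (never leaves the server)
        self._acl = {}    # file_id -> set of users currently entitled to read it

    def protect(self, file_id: str, plaintext: bytes, allowed_users) -> bytes:
        """Encrypt a document under a fresh key; the returned blob is what employees sync."""
        self._keys[file_id] = secrets.token_bytes(32)
        self._acl[file_id] = set(allowed_users)
        return _keystream_xor(self._keys[file_id], plaintext)

    def revoke(self, file_id: str, user: str) -> None:
        """Remote, file-level revocation: every existing copy becomes unreadable for this user."""
        self._acl.get(file_id, set()).discard(user)

    def open(self, file_id: str, blob: bytes, token: str,
             now: Optional[float] = None) -> Optional[bytes]:
        """Release the document only to a valid, MFA-backed, still-entitled caller."""
        claims = verify_token(token, now)
        if claims is None or not claims["mfa"]:
            return None                      # forged/expired token, or password-only login
        if claims["sub"] not in self._acl.get(file_id, set()):
            return None                      # not (or no longer) on the access list
        return _keystream_xor(self._keys[file_id], blob)


def demo() -> dict:
    """Walk through the article's scenario and return each access decision."""
    server = FileControlServer()
    plans = b"Bacon cooker v1: crisp at 190C for 11 minutes"   # constructed sample document
    blob = server.protect("plans.pdf", plans, {"engineer"})
    good = issue_token("engineer", mfa_verified=True)
    results = {
        "leaked_blob_readable": blob == plans,                          # synced copy alone is useless
        "with_mfa": server.open("plans.pdf", blob, good) == plans,
        "without_mfa": server.open("plans.pdf", blob, issue_token("engineer", False)),
        "attacker": server.open("plans.pdf", blob, issue_token("attacker", True)),
        "expired": server.open("plans.pdf", blob, issue_token("engineer", True, now=time.time() - 7200)),
        "forged": server.open("plans.pdf", blob, good[:-1] + ("0" if good[-1] != "0" else "1")),
    }
    server.revoke("plans.pdf", "engineer")
    results["after_revoke"] = server.open("plans.pdf", blob, good)   # same valid credential, now denied
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design point is where the key lives: the synced blob never contains it, so a leaked account (or a leaked password list) yields ciphertext, and the single `revoke` call on the server is enough to cut off every copy already distributed, without chasing down each device.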
Ensuring that you have the necessary authentication and file-level controls in place means spending time shopping around for the best technologies, plugins, providers and advisors. But it’s also about employee education. While file security may not be the most thrilling topic to discuss with your teams, it’s imperative that employees know to stay away from certain file-sharing services and avoid high-risk apps. Regardless of how strong your backup plan is, it will require support and compliance from employees to make it truly foolproof.
If the series of recent data breaches and password leaks is any indication, we’re at war and the security of personal and business data is at stake. It’s time to step up your game and get serious about data security, and that means investing time and resources in a password backup plan. Maybe you don’t see the need for it now, but someday you’ll be really happy you did.
Image Credit: Nata-Lia/Shutterstock
Ryan Kalember is the chief product officer at WatchDox. With 15 years of experience in a variety of roles in the U.S. and Europe, Ryan has an extensive background in information security. Prior to WatchDox, Ryan held positions at HP, ArcSight and VeriSign, and was a founding member of Guardent’s consulting practice. He received his bachelor’s degree from Stanford University, where he studied fault tolerance, cryptography, and authentication algorithms.