The Line Between Personal and Business Accounts Is Fading
by Adam Arnold
Your personal account is on the Dark Web, and it impacts your job.
That concern has been a common theme in conversations with our clients this year. With folks working from home (COVID-19), the line between personal and business has become thinner than ever. We are seeing more and more system breaches tied back to a password shared between a personal account and a business account. Small businesses are especially vulnerable to breaches that stem from this kind of password sharing.
What makes this relevant for you? As a user/employee/owner, you are a part of this equation. Here is the equation:
E + A = H
Here are the variables in the equation:
H = Hack
E = Employees
A = Actions
- Clicking on an email
- Entering credentials in a phishing site
- Authorizing a money transfer
- Replying to hacker emails
- Leaving passwords around
- Using the same password everywhere
- Not securing your personal online identity.
This illustrates your part in the equation. Without you, the user, most hacks would never take place.
That doesn’t mean you are the cause, but you are an essential part of the hackers’ equation, and so the more vigilant you are, the less likely they are to get in.
So where do your personal accounts come in?
Let’s start with the Dark Web. I am sure you have heard of it. It’s the seedy part of the internet: think drug deals, hacking for hire, and human trafficking. Every day, stolen accounts and access to stolen accounts are bought and sold on the Dark Web. The accounts are used for all kinds of nefarious activities. Guess what: you have a personal email address out there on the Dark Web. It’s your LinkedIn password, or your Adobe password, or your Yahoo password. Chances are you have a password out there that has already been used.
This is where it gets tricky. How does your personal Adobe.com password compromise the business you work for?
This is like the Six Degrees of Kevin Bacon game. Low hanging fruit… Let’s say you use Adobe with your personal email, and that account’s password is DogslikeAdobe. Let’s also say all your passwords are some variation of Dogslikexxxx, so your company password is DogslikeCompany.
Let’s also say your secondary email on Adobe.com was your company email. I can assure you it won’t take any reasonable hacker long to connect the dots between your personal account and your business, and to start slowly trying to breach your company email account using the personal password from an unrelated account. This is just one example. Thousands of such combinations could be at play here, and quite frankly this isn’t far-fetched, as we see it nearly every day.
This is a scary thing to consider, but your personal accounts are very difficult to separate from business ones anymore. So, what can you do as an owner or employee to help prevent this sort of malicious activity?
As an owner:
- Monitor – Subscribe to a service that actively monitors the Dark Web for any company accounts. These services check daily for new compromises and notify you so you can institute some form of remediation (password reset, account termination, etc.).
- Train – Institute simple phishing training for your staff. This can be done quite cost-effectively, so even if you have just 5 employees it is something you should consider doing on a monthly or quarterly basis. Often the savviest users are the ones who fail the test.
- Manage – Institute a password management application for your company. You can share passwords securely between team members without making the password less secure.
- Increase Security Measures – Don’t require your users to change passwords on a schedule (this is a newer approach). According to people much smarter than us, forcing a password change every 90 days or so causes folks to pick bad passwords. Here is a link to Microsoft password policy recommendations. Institute increased security measures instead: two-factor authentication, conditional access rules (limiting access by country or by application/user), web filtering, threat protection, and third-party backups.
- Institute New Procedures – Institute wire transfer procedures that require phone calls or verifications. This may slow down transactions a bit, but it’s better for verifying authenticity. Better to slow down transactions than to lose 10% of your yearly gross revenue with a single click.
As an Employee:
- Don’t Use Passwords In Multiple Places – Don’t use the same password or variations of the same password everywhere. Also, make certain your personal passwords aren’t a match or variation of an existing company password.
- Use a Password Manager – It will auto-create complex passwords for you.
- Don’t Write It Down – Don’t write your password down (especially in a digital form).
- Verify Before Clicking – When corresponding via email, verify the sending address. Take a minute to think about what this person is sending. Would your employer ask you for your password via email without a phone call or prior discussion? Also, chances are a real notice about your Office 365 account didn’t come from macr0s0ft.com; hover over the links to be sure they look legitimate before clicking. This is especially important on your mobile device.
- Pick Up the Phone – Sometimes it’s best to pick up the phone and call the other person to verify the transaction.
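The DogslikeAdobe/DogslikeCompany pattern described above is something a company password policy can catch at the moment a user sets a new password, rather than after the hacker has connected the dots. The following is an added example (Python, not code from the original post) of a normalise-and-compare check: the breached-password list is a constructed stand-in for what a Dark Web monitoring service would report, and the stemming rules and six-character threshold are my own assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import Iterable, List

# Constructed sample of "known breached" passwords, standing in for a Dark Web
# monitoring feed. The Dogslike value is the article's own illustration.
BREACHED_SAMPLE = ["DogslikeAdobe", "Summer2019!"]

# Undo the most common character substitutions (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i)
LEET = str.maketrans("013457@$!", "oleastasi")


def stem(password: str) -> str:
    """Reduce a password to the reusable 'core' a person carries between accounts:
    lowercase it, drop trailing counters/years/punctuation ("...2021!"), then undo leetspeak."""
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)  # strip trailing digits and symbols such as "2019!"
    return p.translate(LEET)


def is_variation(candidate: str, known: str, min_shared: int = 6) -> bool:
    """True when the candidate looks like a variation of a known breached password.
    Flags identical stems, or stems sharing a substring of at least min_shared characters
    that covers at least half of the shorter stem (DogslikeAdobe vs DogslikeCompany)."""
    a, b = stem(candidate), stem(known)
    if not a or not b:  # all-digit or all-symbol passwords are left to other policy rules
        return False
    if a == b:
        return True
    match = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return match.size >= min_shared and match.size * 2 >= min(len(a), len(b))


def reused_from(candidate: str, breached: Iterable[str]) -> List[str]:
    """Return the breached passwords the candidate resembles; an empty list means it may be used."""
    return [k for k in breached if is_variation(candidate, k)]


if __name__ == "__main__":
    for pw in ["DogslikeCompany", "D0gslikeAd0be2021!", "Summer2020", "correct-horse-battery-staple"]:
        hits = reused_from(pw, BREACHED_SAMPLE)
        verdict = "REJECT, variation of " + ", ".join(hits) if hits else "ok"
        print(f"{pw:30} -> {verdict}")
```

In a real deployment the breached list would be fed by the monitoring service from the "Monitor" step above, and the check would run inside the password-change flow so the user is told why the new password was refused.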
The reality is that our personal lives are blended with our business lives no matter what we do to separate them. A quick Google search can tie a personal account to a business account by name or another personal identifier. With the proper security protocols and user awareness, we can limit the possibility of a breach in your organization. An ounce of prevention is worth a pound of cure.