Facebook is making headlines — again — with yet another revelation of privacy failure. A recent security audit found that, since 2012, hundreds of millions of user passwords have been stored in a plaintext format, exposing them to the view of more than 20,000 of the social media giant’s employees.
Facebook is hardly the first company to make the mistake of storing passwords insecurely, but a company worth almost half a trillion dollars should have the budget and expertise to know better. But you don’t need that kind of money to protect your data privacy.
Just because you have an I.T. provider doesn’t mean you’re off the hook when it comes to protecting customer data. Reach out to your provider and ensure they’re taking the necessary measures by asking them some pointed questions:
1. Who holds the keys?
Your I.T. provider needs access to your log-in information to do its job, but that doesn’t mean every one of its employees needs to hold the keys. Credentials should only be held by technical staff working on your specific environment. In a small company of four people, that might mean all of them can gain access. With larger companies, access should absolutely be limited to the specific subset of employees who need it.
2. How often do you change the locks?
If hackers breach the security of your I.T. service provider, they’ve also breached you. As a result, more and more cybercriminals are targeting small service providers. Ideally, your provider should have a policy of changing passwords every 90 days, making it more difficult for criminals to gain access than if employees use the same password they’ve relied on elsewhere. Passwords should also be updated whenever any employees leave so that no one outside the company has access to your information.
3. Do you use two-factor authentication?
Two-factor authentication means it takes more than just a username and password for a cybercriminal to gain access to your sensitive data. When credentials are entered, anyone attempting to log in will be prompted for additional authentication, often in the form of a code texted to the user’s cellphone number. Two-factor authentication provides another layer of security, and honestly, implementing this measure is the entry-level step for defending against modern cyber threats. If your I.T. provider is not using 2FA, it’s time to look for a new provider.
Multifactor authentication, which uses additional layers, is rapidly becoming the new norm. Your business can either buy MFA software or hire I.T. service providers who can implement the protection. If you’re concerned about the inconvenience of these extra steps, a privileged access management solution can help. This measure allows employees to gain network access using only their credentials, but it will prompt them to authenticate if they need to acquire more closely guarded assets.
Of course, implementing these steps is critical, but if you’re implementing them now it means that you haven’t had them in place since you began doing business. Have your company’s passwords already been compromised? Get your free dark web scan! We’ll scan your domain to see whether any credentials associated with your company have been stolen so that if they’re for sale on the dark web, you’ll be the first to know.