“Have I Been Pwned” tells you whether your email address, passwords and other private or company information have been included in one of the large reported data breaches. “Pwned” is internet slang for being ‘owned’ or ‘controlled’. If a hacker has your login credentials, they have the chance to take far more from you and, in the worst case, steal your identity.
The likelihood is that your email address and password have been part of at least one reported data breach in the past few years. The risk to your privacy is heightened if you use the same password for multiple accounts.
It is important to note that “Have I Been Pwned” only covers the major reported data breaches. There are many thousands of other breaches that have not been publicised and are not on “Have I Been Pwned”.
It is possible to do a *further* search of dark web sources for these smaller, unreported data breaches, and it is both frightening and astonishing to see how many corporate email addresses and passwords are out there.
If a company finds out that it has had a breach, and that breach involved personal data, then there may be an obligation to report it to the ICO within 72 hours. Companies are also generally obliged to let their clients know within a similar timeframe, and there may be a further obligation to inform the customers who are victims of the breach. Full guidelines, along with a breach assessment, are available on the ICO website.
So, bearing in mind the above, do you want to find out whether your company has been involved in one of these *smaller* data breaches? It is straightforward to find this out with the right ‘dark web’ search technology. But perhaps a better approach is to assume that your company has been breached at some point: if you now have strong cyber security in place, then you are in good shape and currently secure, in spite of any past breaches which may have occurred.
If you do not have strong cyber security in place, such as mandatory complex passwords along with two-factor authentication, then there is a real likelihood that cyber criminals currently have active access to your network. As an example, poor policies, or poor policy implementation, led to one of the big four consulting firms being exposed to an unknown third party having administrator access to its Microsoft Office 365 platform for over a year!
To find out more about the causes and types of data breaches, there is the excellent Verizon data breach report.
It is important to note that once your company has been breached, criminals will spend time on your network and exploit whatever commercial advantages there are to be had; only once these have all been exploited will they deliver the ‘coup de grâce’ of ransomware encryption and a ransom demand, along with perhaps a DDoS attack. The MITRE ATT&CK framework covers the steps that take place during a breach.
Both the personal data and commercial implications of a cyber attack are critical, and the above underlines the requirement to have strong cyber security technology and practices in place.
Enablement.tech offers CIO and cyber security advisory services: helping businesses get competitive advantage from IT systems, while keeping costs down, and data secure.
A note on password safety
Keep yourself protected by *always* having different passwords for different accounts. A good practice is to use a second, more private email address for critical accounts. Implement two-factor authentication for any accounts that offer it, use a password manager, and keep your passwords complex and of a decent length. Eight characters is not really long enough: an eight-character password can be cracked in anything from a few seconds to 1-2 days. A twelve-character password can be cracked in a day if comprised of normal words, or in 100,000 years (with current technology) if complex.
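As an added example (not code from this page, from Have I Been Pwned or from Enablement.tech), this is how a sign-up form or identity provider can screen passwords against the Have I Been Pwned "Pwned Passwords" data without ever sending the password anywhere: the password is hashed with SHA-1, only the first five hex characters of the digest are sent, and the returned hash suffixes are compared locally (HIBP's k-anonymity range lookup). The range responses below are constructed stand-ins rather than fetched data, and the twelve-character minimum mirrors the advice in the note above.

```python
import hashlib

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the Pwned Passwords lookup uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): only the 5-char prefix ever leaves the machine."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]

# Constructed stand-in for range lookup responses, keyed by prefix. Real responses
# hold hundreds of "SUFFIX:COUNT" lines; all suffixes and counts here are made up
# except the one marked, which is the real suffix of SHA-1("password").
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "00112233445566778899AABBCCDDEEFF001:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",  # suffix of "password"
        "FFEEDDCCBBAA99887766554433221100FFE:12",
    ]),
    # Prefix of SHA-1("The quick brown fox jumps over the lazy dog"); its suffix
    # is deliberately absent, so that passphrase reads as "not seen".
    "2FD4E": "0123456789ABCDEF0123456789ABCDEF012:7\r\n",
}

def parse_range_response(body: str) -> dict[str, int]:
    """Map each 'SUFFIX:COUNT' line to an int; tolerate CRLF and blank lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            table[suffix.upper()] = int(count)
    return table

def breach_count(password: str, ranges: dict[str, str]) -> int:
    """Times the password appears in breach data (0 = not seen). `ranges` maps
    a prefix to the response body fetched for that prefix."""
    prefix, suffix = split_for_range_query(password)
    if prefix not in ranges:
        raise LookupError(f"no range data fetched for prefix {prefix}")
    return parse_range_response(ranges[prefix]).get(suffix, 0)

def password_rejection_reasons(password: str, ranges: dict[str, str]) -> list[str]:
    """Defender-side policy: the page's minimum of twelve characters, plus
    rejection of any password already seen in breach data. Empty list = accept."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    count = breach_count(password, ranges)
    if count:
        reasons.append(f"seen {count} times in breach data")
    return reasons
```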