Caught in a Data Breach?

What would you do if you were caught in a data breach?

Well, what would you do if you were caught in a data breach? Unless you don’t look at any sort of tech news you will have noticed how many data breaches there seem to have been in the last few months. Speaking for my own tech usage, the most significant has been the LastPass hack of backup information. More about that later and the lessons I’ve learnt.

This article covers what you can do to protect your business and the personal data you process: practical tips and actions you can take now, whether or not any of your business (and personal) systems have been involved in a cyber-attack of any sort.

However, I can’t NOT mention GDPR and how cyber security is a fundamental part of your responsibilities!

The 6th principle of GDPR is integrity and confidentiality. The security of the personal data you handle is a fundamental part of this.

I own up to being a huge (shiny) tech fan but I’m not a technical expert when it comes to cyber security. I do have practical experience from working remotely for the last 9-plus years. During that time, I liaised with a cyber security company that carried out monthly security scans and annual pen-testing of the international remote team I worked with, but my greatest talent remains my need to know what’s going on, what things mean and how to deal with them – I’m just nosy.

I have no doubt that you will be familiar with some of the actions I’ll be talking about today because I’ve been banging on about them for ages and they are exactly what you’ll read about if you follow any cybersecurity or tech blogs and publications.

So, who’s been attacked recently?

There have been a lot of successful attacks, but I think I’m more aware because some of the ones in the news are systems, platforms or services that I or my clients use, including LastPass password manager, PayPal, Mailchimp, and Norton LifeLock Password Manager. I don’t use the Norton password manager because I use LastPass (irony?) but I do have Norton LifeLock antivirus suite on my devices. So yes, I have been caught in a data breach (or 3) and I’m feeling a bit negative about the risks of getting caught up in other breaches. In reality, this is never going to be a case of if but when and how often.

That’s why I thought it would be helpful to go through what happened with LastPass and then refocus on the practical basics that are still everyone’s best option.

LastPass – what happened?

Briefly, an attack was identified in August last year but it wasn’t apparent what data had been taken until after their investigation. When that was announced on December 22, it became clear that a lot of data, including sensitive information, had been accessed and downloaded by hackers. They took back-ups of password vaults that include all sorts of notes and important information that users will have stored in them. The (small) upside is that providing a strong master password was used with the encryption, the bad actors “may not” get into the vaults quickly, if at all.

What have I done?

It took me a while to decide that I didn’t feel secure leaving it to chance that my own vault would never be accessed and so this is what I’ve done to protect things going forward:

  1. I changed my master password and increased the iterations to 310,000. This is the number of times the password is run through the hashing algorithm (a one-way function that turns it into a fixed-length string of characters) before the result is stored in the database. The higher the number, the longer each guess takes, so brute-forcing the password would take a very long time.
  2. I went through a very time-consuming process of changing all of my passwords, starting with the ones with the most value to hackers first and then the others later. I also changed my username for some of the accounts/access to add a further level of difficulty for any criminals.
  3. I cancelled and requested replacement credit and debit cards. For those of you who know that I live in Egypt, this is not my favourite thing to do as I have to have a way to get them sent or brought to me as the post doesn’t cut it.
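As an added illustration (not code from the original post), the following Python script shows what the iteration setting does. It stretches the master password with PBKDF2-HMAC-SHA256, which is the key-derivation scheme LastPass documents for this setting; that choice, the sample salt and the sample passwords are my assumptions rather than anything stated above. Every extra iteration is extra work that an attacker holding a stolen vault backup must repeat for each guess, which is why the cost of guessing scales linearly with the setting.

```python
"""Added example (not from the original post): why raising the KDF
iteration count slows down anyone guessing the master password offline.

Assumptions (mine, not stated in the post): PBKDF2-HMAC-SHA256 is the
derivation scheme, and the salt and passwords below are constructed
sample values.
"""
import hashlib
import hmac
import time

# Constructed sample salt; a real system uses a random per-user salt.
SALT = b"constructed-example-salt"


def derive_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Stretch the master password into a 32-byte key.

    Only the derived key (or a hash of it) is ever stored; the master
    password itself is not, so an attacker with a stolen backup has to
    redo this work for every candidate password they try.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def verify_master_password(stored_key: bytes, candidate: str, iterations: int) -> bool:
    """Check a login attempt with a constant-time comparison."""
    return hmac.compare_digest(stored_key, derive_key(candidate, iterations))


def time_guesses(iterations: int, guesses: int = 20) -> float:
    """Seconds spent testing `guesses` candidate passwords at this setting."""
    start = time.perf_counter()
    for i in range(guesses):
        derive_key(f"guess-{i}", iterations)
    return time.perf_counter() - start


def cost_ratio(low_iterations: int, high_iterations: int) -> float:
    """Work factor gained by moving from one iteration count to another."""
    return high_iterations / low_iterations


def main() -> None:
    # Constructed sample: an old low setting, a common default, and the
    # 310,000 figure the post mentions.
    stored = derive_key("correct horse battery staple", 310_000)
    print("login ok:", verify_master_password(stored, "correct horse battery staple", 310_000))
    for iters in (5_000, 100_100, 310_000):
        secs = time_guesses(iters)
        print(f"{iters:>8} iterations: 20 guesses took {secs:.3f}s on this machine")
    print(f"5,000 -> 310,000 multiplies each guess's cost by {cost_ratio(5_000, 310_000):.0f}x")


if __name__ == "__main__":
    main()
```

The timing figures depend on the machine, but the ratio does not: an attacker with a copy of the vault pays the same multiplier per guess that the legitimate user pays once per login, which is the trade-off the setting controls.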

How does that leave me and my passwords, etc?

As far as passwords are concerned, they’re all dealt with. For any other information, there’s nothing I can do about the risk that they might be accessed other than to stay aware of potential phishing attacks. Oh, for a time machine to go back and not use my vault as a convenient place to keep the information I might otherwise mislay. Oh, wait a minute, that was the purpose of having my LastPass account. Not that I’m peeved or anything.

And what about changing my password manager?

I’m struggling with this because I like the interface of LastPass and I’m still to be convinced that one of the other possible choices is so much better than LastPass. The most likely candidate at the moment is Bitwarden, BUT I want the same convenience with less likelihood of getting hacked (again). I’ll keep you posted on that!

What are the steps you should take if a service you use has been hacked?

If you are caught in a data breach, you may be contacted by the platform or service with details of the breach and with suggested actions to take. In which case, follow those, but also bear in mind that it may be some time later before the full extent of the data theft is assessed and made public, as with the LastPass breach.

Pay attention to the wording and do a bit of research yourself by Googling the name of the organisation together with “data breach”. I like the Sophos Naked Security blog and have subscribed to their emails – they don’t exaggerate and do explain the implications. There are others such as The Hacker News, but they tend to be very technical for most ordinary users.

Regardless of where or how you hear about a breach, there are some standard steps you should take when you suspect your account may have been included in the incident:

  • The first step is to change your password. This is very easy if you use a password manager, which security professionals recommend regardless of the LastPass breach. I’ll run through the password format recommendations later.
  • You may decide to change your username if it’s not your email address, but your password is the most important element of your login.
  • Set up MFA if you don’t already have it activated. Do this for every account that offers it!
  • If payment card details have been taken and they are in any sort of readable format, get a replacement or temporarily block the card until the situation is clearer. Theft of this type of information is less likely because of the security that must be in place for card acceptance. However, don’t assume without checking!
  • There may be other information that has been compromised. Take this as your prompt to be very suspicious of any communication that appears to come from the affected organisation. N.B. don’t let your guard down for other phishing, vishing or smishing attempts that make use of the stolen information!

Where can you check to see if your email address or phone number is included in a breach?

https://haveibeenpwned.com gives you the details of the breaches your email address or phone number has been caught up in. In my experience, this won’t be the first place this information will be available – as I mentioned before, for any serious breaches you should be contacted by the organisation involved (the Data Controller). However, I recommend checking here from time to time for incidents where the organisation HASN’T informed you. You can register with haveibeenpwned.com to be notified; registering through a Mozilla (Firefox) account or your anti-virus provider may also be an option.
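The same service also lets you check a password against its breach corpus without sending the password anywhere, using what it calls a range (k-anonymity) lookup: you send only the first five hex characters of the password’s SHA-1 hash and compare the returned suffixes locally. The Python below is an added example, not code from the original post or from Have I Been Pwned; the response body it parses is a constructed sample so that it runs offline, and `offline_fetch` stands in for the real HTTP request to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Added example (not from the original post): a Have I Been Pwned
"Pwned Passwords" range lookup, done offline against a constructed
sample response.

The live service answers GET https://api.pwnedpasswords.com/range/<5 hex>
with one "SUFFIX:COUNT" line per hash that starts with that prefix.
Only the 5-character prefix ever leaves your machine.
"""
import hashlib
from typing import Callable

# Constructed sample response for prefix 5BAA6 (SHA-1("password") begins
# 5BAA6). A real response for any prefix is several hundred lines long.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:1
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7
"""


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into prefix and suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a table, skipping malformed lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    `fetch_range(prefix)` returns the response body for that prefix; the
    suffix match happens locally, which is the k-anonymity property.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP request, serving only the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_fetch)
        print(f"{candidate!r}: {f'seen {n} times' if n else 'not in sample corpus'}")
```

To query the live service, replace `offline_fetch` with a function that performs the GET request and returns the response text; nothing else changes, and the password itself is still never transmitted.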

Password format recommendations

The (current) recommended minimum password length is 8 characters, but longer is better. It doesn’t have to be random, although password managers will create random passwords of whatever length you set, including upper and lower case letters, numbers and symbols. I’ve noticed recently (whilst changing so many of my own passwords) that quite a few organisations are insisting not only on the number of characters but on a minimum number of each type of character.

If you still aren’t convinced about password managers, you can use a passphrase that means something to you, adding numbers, letters and symbols to strengthen it further. The old industry recommendation to change your passwords regularly has been dropped; this is no longer advised.
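As an added example (not code from the original post), the Python below does what a password manager does when it generates a password: it draws characters from the operating system’s cryptographic random source, checks the “minimum of each character type” rules some sites now enforce, and builds a passphrase from a word list. It also puts numbers on “longer is better” by computing the size of the guess space in bits. The word list is a constructed sample of my own; a real generator would use a large list such as the EFF diceware list, which is what the 7,776-word figure in `main` assumes.

```python
"""Added example (not from the original post): password-manager style
generation, composition-policy checking, and guess-space comparison.

Assumptions: the symbol set and the tiny word list are constructed here;
real passphrase generators draw from thousands of words.
"""
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed sample list; real passphrases draw from thousands of words.
SAMPLE_WORDS = ["anchor", "bright", "cactus", "delta", "ember", "forest", "glacier", "harbor"]


def meets_policy(password: str, min_len: int = 8, per_class: int = 1) -> bool:
    """Length check plus at least `per_class` of each character class."""
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    return len(password) >= min_len and all(
        sum(ch in cls for ch in password) >= per_class for cls in classes
    )


def random_password(length: int = 16, per_class: int = 1) -> str:
    """Uniform draw from the CSPRNG, resampled until the policy holds.

    Rejection sampling keeps the result uniform over all policy-satisfying
    strings; forcing one character per class into fixed positions would not.
    """
    if length < 4 * per_class:
        raise ValueError("length too short for the requested per-class minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length, per_class):
            return candidate


def passphrase(words: int = 5, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Join `words` uniformly chosen words; strength comes from list size."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices`."""
    return length * math.log2(choices)


def main() -> None:
    print("random 16-char:", random_password(16, per_class=2))
    print("passphrase    :", passphrase(5))
    print(f"8 random chars from {len(ALPHABET)} symbols: {entropy_bits(len(ALPHABET), 8):.1f} bits")
    print(f"16 random chars                       : {entropy_bits(len(ALPHABET), 16):.1f} bits")
    # 7,776 = size of a diceware-style list (assumed, not on the page)
    print(f"5 words from a 7,776-word list         : {entropy_bits(7776, 5):.1f} bits")


if __name__ == "__main__":
    main()
```

The comparison is the point: five words from a large list out-scores eight random characters, and a passphrase is far easier to remember, which is the case for passphrases made above.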

There are also hardware security keys such as the YubiKey: USB-type plug-in devices, some of which store your passwords and other credentials in encrypted form, that you plug into your device to use. Some of these keys have biometric access. The functionality and compatibility vary, and I’m still researching these for my own potential use.

There are also password-free sign-in options, such as Microsoft’s, where a code is shown on the device you are signing in to and you confirm the matching code on the device you have set as the control, e.g. your phone. Removing the need for passwords altogether, to improve overall security, is something that is on the horizon.

What should you be doing before there is a security incident?

What I’m getting at are the checks you should make before you even sign up for a service or platform for your business. Then, once you are satisfied that the service or platform is secure and GDPR-compliant to your business’s standards, you have to be sure you have the right settings and defaults in place.

Before you sign up for a tool, platform or supplier…

Data Protection due diligence is fundamental because of the potential risk involved as soon as you begin to use your chosen tool, supplier or platform to handle personal data. I will just say that you should always take a look at the organisation’s Privacy Notice as your first step as this will give you a clear indication of their attitude toward handling personal data. Ask yourself if you would feel confident if your own personal data or that of your closest family and friends was being processed by them… Does it match your own standards of care?

Enough of that, back to the other aspects of choosing wisely.

Here’s a simple list of things to check for (I’m taking for granted that you like the UI/service itself):

  1. Read the information on the security protocols, certifications and general approach to data safety on their website. If there is nothing mentioned, be very careful! The UK NCSC has free resources you can use, including links to the security settings information for many popular platforms and services: https://staysafeonline.org/resources/manage-your-privacy-settings/
  2. Google the organisation’s name and data breach. There may have been one in the past – see what it entailed and how it was handled. If anything goes wrong again, this is the way it will most likely be handled again. Are you satisfied?
  3. Check the ICO website to see if they are a UK-based organisation – are they registered? If not, this is not a good sign.
  4. Check their customer support response time for the price point you are considering – is it adequate for your needs?

When you are setting things up…

This is where knowing where the settings are is important. If you are a new user, follow the “getting started” guidance to get started (!) The important and immediate steps before you begin using the service or platform are:

  • Login – password, MFA (keep a secure copy of the recovery codes)
  • Set up your recovery method, if that is offered as an option.
  • Access if you have a team – set up role-level access to restrict access to those who need it.
  • Devices – set up biometric, PIN, or pattern access.
  • If there are more technical security settings necessary, contact sales or support to get help – do it right from the beginning.

What about other places where security is essential?

Again, I covered these in a recent blog post (with lots of lovely checklists!). Just to summarise the various parts of your business you should consider:

  1. Website – As you may know, I use the WordFence plugin for site security. I get a report weekly on the attempted cyber-attacks on my site – and they are many!
  2. Devices
  3. Emails – ordinary and email marketing platforms
  4. File transfer services (for files too big for email)
  5. Messenger apps – not just Facebook Messenger!
  6. Payment accounts e.g., Stripe, PayPal, etc.
  7. Video conferencing, including Zoom, Teams, Google Meet
  8. Platforms e.g., Microsoft, Google, etc.
  9. If you work from home and you have smart appliances connected to the same network as your business devices, take care with the security of those appliances too.

The overriding message for all of the online services you use is to get all the safeguards you can in place now if you haven’t already done that. Regularly check for anything that looks a bit off, pay attention to any warning messages or emails and act on them. It will take a lot of your time to recover an account and that’s ignoring the blind panic and stress it can cause when something bad happens.

Your Business Incident (Recovery) Plan

The most important point on this subject is to have one! Bigger organisations may have a separate plan for dealing with a security incident and for the recovery process afterwards. As a coach, consultant or VA, a combined document should be sufficient, BUT that’s your decision! You will rely on this at a time when you will be stressed, so bear that in mind in your design process and in the information you put in the plan.

You need a workable plan to deal with an incident and to get up and running in the shortest time possible. If there’s only you, it should be a relatively simple document as you will be the person at the centre of the event.

Include the following:

  • Contacts for various services, platforms and people that you work with. Taking the time to pull this information together and record it in advance will save you much time and stress.
  • If you like to have more detail, include attachments or URLs – but where you rely on URLs, bear in mind that losing access to the internet for any length of time is a real possibility.

To start:

  • Design your record document (I use Excel – surprise!)
  • Add all your key platforms, people and services with their contact details.
  • Your lawful basis for the personal data in the contact details is Legitimate Interest as it’s necessary for you to hold any personal data to use in the event of an emergency.
  • Imagine and write down all the catastrophes you consider as likely.
  • Record any other information that would help you/your team handle them.

This is a document you would be asked for in the event of a complaint or investigation. The lack of such a document was a shortcoming identified in many organisations by the ICO.

Conclusion:

There are recurring themes for securing your business. You don’t have to be a technical whizz but you do have to take the right actions and then keep up to date with them to stay safe.

If you know you need help with your GDPR-related responsibilities but aren’t sure exactly what type, contact me via OnlineChat or book a free Introductory chat with me and I’ll help you find the right option for you.

At this point, I’m going to mention that my online/live online hybrid course and membership which covers your data protection responsibilities, including help on cyber safety for you, your business and your clients’ businesses will be available in the next few weeks. The format includes video tutorials, live online training, templates for the most important documents, implementation support, and updates. It’s called Step-by-Step GDPR and it’s in 2 flavours:

  1. For virtual assistants who work with coaches and consultants – this version includes an annual licence for VAs to use the templates with their clients. *If you are a coach or consultant and have a VA you would like to use this framework for your business, you can buy it for them to use but the licence will not be applicable for their other clients (for obvious reasons).
  2. For coaches and consultants who do everything themselves.
