Saturday, March 2, 2013

My online accounts have been hacked!

Since I run my own email server, I have the luxury of easily creating a unique email address for every vendor, so that I can track who has sold me out, or whether their customer database has been breached, often before any official notice is issued. A few recent high-profile breaches of my most trusted online service providers ...

I work in an industry that is under persistent risk of data breaches and leakages, so I am very conscious of the fact that no system can be absolutely foolproof against determined attackers. The key differentiator is whether the vendor has a good plan (aka a runbook) in place to deal appropriately with data breaches.

If you are one of my vendors, here's the recommended plan of action:
  1. Be honest. Come clean as quickly as possible so that your customers can take appropriate actions to clean up their end of things.
  2. Be truthful. Don't dress things up or cover them up in feel-good rhetoric. Tell me what really happened and what I need to do to take care of business.
  3. Be transparent. Do communicate what you are doing and are going to do to clean up this mess, and your plan to keep this from happening again. Don't overdo it; we are not family. An update every couple of days is good enough.
  4. Act decisively. Figure out what you need to do to fix the situation and do it quickly. Evernote's decisive action to reset all passwords is a good example.
  5. Apologise. We are human; you will most likely be forgiven. A big discount on the next subscription renewal might help. Heck, think of this as a cost of marketing if you are doing it right.
  6. Show your customers that you don't give up! Customers like vendors who (think they) know what they are doing. Put up a good fight!
  7. Don't take it out on your team. After all, they have only done what you told them to do.
  8. Don't be too hard on yourself. You are only human. But be resolute to not make the same mistake twice. Be humble, seek advice from your peers and the experts.
As a consumer of online services, you know by now that you should not assume those with whom you conduct business are safe from data breaches, no matter whether they are big or small. You have to assume that your information will end up in the hands of unintended recipients at some point. You can be a victim, or you can choose to proactively manage your risk. With that in mind, here's the recommended plan of action:
  1. If at all possible, give each vendor a unique email address for each account. This can be a real pain even if you run your own email service. But here's one way to do it with Gmail.
  2. Use a different/unique password for your account with each vendor. This is a pain, but it will spare you much more pain in the long run. There are many password managers that can help ease the pain.
  3. Change all your passwords at least once a year. Again, a pain, but password managers may help.
  4. Use strong/random passwords. This is not that difficult - pick a long phrase, take the first letter from each word - there's your password. Studies have also shown that 8-character or longer passwords are much more difficult to crack than shorter ones. This is a moving target with increasing computing power, but you have to start somewhere.
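The per-vendor address scheme from item 1 (and the "who sold me out" tracking described at the top of the post), as an added example that is not part of the original post: assuming plus-addressed aliases at a hypothetical example.org mailbox and a constructed sample of inbound From/To headers, it flags every alias that has been contacted by a domain it was never given to.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed table of the unique alias handed to each vendor and the mail
# domain that vendor is expected to write from (assumption: plus-addressing
# at a hypothetical example.org mailbox; none of these are real vendors).
VENDOR_ALIASES = {
    "me+shopco@example.org": "shopco.example",
    "me+notesapp@example.org": "notesapp.example",
    "me+bank@example.org": "bank.example",
}

# Constructed sample of inbound messages as (From header, To header) pairs.
SAMPLE_MESSAGES = [
    ("ShopCo News <news@shopco.example>", "me+shopco@example.org"),
    ("Deals <promo@cheapdeals.example>", "me+shopco@example.org"),    # alias leaked or sold
    ("alerts@notesapp.example", "Me <me+notesapp@example.org>"),
    ("You Won <win@lottery.example>", "me+notesapp@example.org"),      # alias leaked or sold
    ("support@mail.bank.example", "me+bank@example.org"),              # subdomain: still the vendor
    ("anyone@random.example", "me+unknown@example.org"),               # alias never issued
]

def sender_domain(header_value):
    """Extract the lower-cased domain from a From/To header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def recipient_alias(header_value):
    _, addr = parseaddr(header_value)
    return addr.lower()

def find_leaked_aliases(messages, aliases=VENDOR_ALIASES):
    """Map each alias to the sorted sender domains that should not know it.
    An alias that was never issued is reported too: mail to it means someone
    is guessing addresses at the domain rather than using a vendor's list."""
    suspects = defaultdict(set)
    for from_hdr, to_hdr in messages:
        alias = recipient_alias(to_hdr)
        domain = sender_domain(from_hdr)
        expected = aliases.get(alias)
        if expected is None:
            suspects[alias].add(domain)
        elif domain != expected and not domain.endswith("." + expected):
            suspects[alias].add(domain)
    return {alias: sorted(domains) for alias, domains in suspects.items()}

if __name__ == "__main__":
    for alias, domains in find_leaked_aliases(SAMPLE_MESSAGES).items():
        print(f"{alias}: unexpected senders {domains}")
```

A plus tag is trivial to strip, so mail arriving at the bare address proves nothing either way; the signal is a tagged alias being written to from a domain that was never given it.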
Bottom line: instead of blaming your trusted vendors or the baddies on the Internet, remember that you are the master of your own destiny. It is so much easier to take responsibility for yourself than to blame others. Good luck and take care!
