Small business online security – lessons from the Twitter hacker

For those that aren’t immersed in news about web startups and the world of social media, you might have missed the biggest story of recent weeks, the hacking of Twitter business documents by a Frenchman dubbed Hacker Croll.

By breaking into a personal email account of a Twitter employee, he was able to infiltrate most of the company’s highly confidential documents, email and other details held on their own servers and in Google’s ‘cloud-based’ applications.

He then passed over 300 of these documents to the world’s most widely read blog about web startups, TechCrunch.

For the geeks among you the fascinating details of the hack were revealed by TechCrunch yesterday.

Twitter security FAIL. But how robust are the passwords of your staff?

Lots has been made of the fact that Twitter’s security house of cards came tumbling down because like many a good web startup the company used cloud services.

Their documents, email etc were all held online on other people’s servers, like Google, rather than on their own hardware in a broom cupboard.

But the reality is it’s people that are the problem, not where your data is.

The key component of Hacker Croll’s successful break in was being able to guess the personal Gmail password of a Twitter employee.

Because, like the huge majority of people, this individual often used the same password for many accounts and also had the answers to additional security questions like ‘what’s the name of your pet’ inadvertantly spread around the web on social networks, the French hacker soon had his hands on Twitter’s crown jewels.

Secure passwords are at the heart of the problem. Most people simply don’t use them, because they can’t remember a four digit pin number let alone unique passwords for every application, computer or web service they’re signed up to.

This is a major problem. And it’s not just online security that suffers in this way.

I used to work at a FTSE 100 bank where everybody in the department had their computer password written down in the team personal assistant’s rolodex.

So how do you improve password security online and off for your business? Here are some tips:

1. establish a password policy for your business to which all staff are required to adhere;
2. encourage staff to use unique passwords for each computer or service they use;
3. make sure all passwords have eight or more characters;
4. do not allow passwords to contain real, comprehensible words otherwise guessing is about as hard as playing hangman;
5. suggest ways to make passwords, long, secure, but memorable: for example pick a favourite line from a song, poem or nursery rhyme and use the first letters of each word to form a password i.e. “You have brains in your head. You have feet in your shoes.” could be Yhbiyh!YHFIy5;
6. remember to mix upper and lowercase characters in the password together with special characters and numbers.  In the example above, the exclamation mark is used in place of a full stop (which you couldn’t use in a password anyway) and the last ‘S’ is turned into the number 5;
7. make sure answers to password hints are false i.e. if asked ‘what is the name of your pet’ make sure the answer is the name of a friend’s dog, not your cat;
8. if you really have to write down passwords, don’t store them on a computer, but write them on a piece of paper and put them in the company safe.

Just the above measures will dramatically improve your online and physical computing security, but it’s not an extensive list.

Let us know, if you have any password security tips we’ve missed.

Alex is the founder and editor of SmallBizPod, the UK's first podcast dedicated to small business, start-ups and entrepreneurship. Alex writes about topical small business issues, entrepreneurs and anything else that catches his eye here on the small business blog. http://www.smallbizpod.co.uk