The hacking of confidential Twitter business documents highlights how vulnerable the online security of startups and small businesses can be. Here are some tips on how to make your business safer online.
For those who aren’t immersed in news about web startups and the world of social media, you might have missed the biggest story of recent weeks: the hacking of Twitter business documents by a Frenchman dubbed Hacker Croll.
By breaking into the personal email account of a Twitter employee, he was able to reach most of the company’s highly confidential documents, email and other details held on its own servers and in Google’s ‘cloud-based’ applications.
He then handed over 300 of these documents to TechCrunch, the world’s most widely read blog about web startups.
For the geeks among you, the fascinating details of the hack were revealed by TechCrunch yesterday.
Much has been made of the fact that Twitter’s security house of cards came tumbling down because, like many a good web startup, the company used cloud services.
Their documents, email and so on were all held online on other people’s servers, such as Google’s, rather than on their own hardware in a broom cupboard.
But the reality is that people are the problem, not where your data is.
The key component of Hacker Croll’s successful break-in was being able to guess the personal Gmail password of a Twitter employee.
Because, like the vast majority of people, this individual used the same password for many accounts and had inadvertently spread the answers to additional security questions like ‘what’s the name of your pet?’ around the web on social networks, the French hacker soon had his hands on Twitter’s crown jewels.
Secure passwords are at the heart of the problem. Most people simply don’t use them, because they can’t remember a four-digit PIN, let alone a unique password for every application, computer or web service they’ve signed up to.
This is a major problem. And it’s not just online security that suffers in this way.
I used to work at a FTSE 100 bank where everybody in the department had their computer password written down in the team personal assistant’s rolodex.
So how do you improve password security, online and offline, for your business? Here are some tips:
The above measures alone will dramatically improve your online and physical computing security, but this is not an exhaustive list.
Let us know if you have any password security tips we’ve missed.
This post doesn’t seem to address any of the problems specific to web apps. There will always be users in your organization who don’t follow these rules, and without knowing everyone’s password, how are you going to enforce these rules?
When businesses run applications themselves they can usually set password policies, firewalls, logging, etc. In cloud-based applications you don’t have any of these options.
Richard, I defer to your greater expertise in this area and agree that you’re reliant on the common sense of people you work with.
I thought in the case of Google Apps Premium you had pretty good control of passwords e.g.
http://tinyurl.com/8j4l3h
That’s interesting that Google is doing that! I couldn’t see it mentioned on their site. Another thing that would be useful to see would be a list of failed logins with times and IPs so that you could monitor security. Also flagging access from unusual IPs or even limiting some content by IP address (sensitive stuff that shouldn’t be accessed outside the main office).
I don’t have Google Apps Premium so I don’t know if it has that.
Unless I’ve missed it, which is possible, I don’t think that level of reporting or IP control is available.
I’m sure Google has something in place to prevent brute force attacks. The Twitter hacker didn’t use brute force, but cunning and human frailty.
I’m sure Google does have something for brute force.
Though it might have stood out to staff there that the content was being accessed from Europe rather than from the main office or any of the staff’s homes. The person using the account went undetected.
Great point Richard.
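The comments above ask for a list of failed logins with times and IPs, and for flagging access from unusual locations such as an account being used from Europe rather than the office. As an added example (not code from the original post, nor a Google Apps feature), here is a small Python script that applies exactly that kind of check to a constructed login audit log in a hypothetical "timestamp user result ip" format: it flags successful logins from outside the business's trusted networks, and successful logins that follow a burst of failed attempts. The trusted ranges and the log lines are made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample login audit events (hypothetical format; not real data).
SAMPLE_LOG = """\
2009-07-15T08:02:11 alice SUCCESS 203.0.113.10
2009-07-15T08:05:40 bob FAILURE 198.51.100.77
2009-07-15T08:05:52 bob FAILURE 198.51.100.77
2009-07-15T08:06:03 bob FAILURE 198.51.100.77
2009-07-15T08:06:20 bob SUCCESS 198.51.100.77
2009-07-15T09:15:00 carol SUCCESS 192.0.2.25
"""

# Hypothetical office and home-worker ranges the business expects logins from.
TRUSTED_NETS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]

FAIL_THRESHOLD = 3              # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Turn audit lines into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip_address(ip)))
    return events


def find_alerts(events):
    """Return (user, ip, reason) alerts for successful logins that look unusual."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, user, result, ip in sorted(events):
        if result == "FAILURE":
            recent_failures[user].append(ts)
            continue
        # Keep only failures inside the window, then judge this successful login.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
        if len(recent_failures[user]) >= FAIL_THRESHOLD:
            alerts.append((user, str(ip), "success after repeated failures"))
        if not any(ip in net for net in TRUSTED_NETS):
            alerts.append((user, str(ip), "login from untrusted network"))
        recent_failures[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the trusted ranges would come from the business's known office and VPN addresses, and the alerts would feed a review of whose account was used and from where.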