Passwords are key for your small business' cyber security

Dom: (00:00)
Passwords are the most important thing you can do for IT Security.

Ash: (00:05)
Welcome to cybersecurity demystified where we explore the cybersecurity risks that small and medium sized businesses face and give you some easy actionable advice to make your business more secure. So I’m here with Dominic. My name’s Ashley. Dom, Just introduce yourself.

Dom: (00:21)
I’m Dominic. From my experience as a chief information security officer, I realized that small businesses are as much, if not more at threat from a cyber attacks than the big guys.

Ash: (00:30)
And I’m Ash. I run a small business and I didn’t take cyber security seriously at all until my business got hacked and I saw the consequences. So Dom, first episode, we’re going to talk about passwords. Why are we talking about passwords? Why is that our number one episode?

Dom: (00:46)
Passwords are the most important thing you can do for IT security in the same way your keys are the lock to your house, your passwords are the lock to all of your systems online.

Ash: (00:56)
And I suppose when you think about your house keys, when I got a new cleaner, I wasn’t particularly keen on giving a, a set of keys until I could trust her. So the fact that I had a password that I use for my personal accounts I use for my work accounts. And then you were, I think shocked to find that I was also sharing that password with other people in my company.

Dom: (01:16)
Yeah, absolutely. And you wouldn’t do the same with your house keys would you? You wouldn’t have 10 copies of your house keys. The one that opens your house, one opened your, your back door one opens your office, one that opens you, your garage

Ash: (01:26)
But s that quite common? Because I have five people who work for me. So we have services that we use all together. Yeah. Is it not fairly common people use a sort of set password.

Dom: (01:38)
Most people will have one password that they use everywhere. Uh, and that password generally isn’t very secure and they’re gonna use that across all of their systems, whether they are important systems or um, or lesser important systems. And they’ll tell everybody, they’ll say, Hey, just log into my system, here’s the password. Um, not realizing we’re not thinking that they’ve given that same password, uh, for their online banking or for Facebook, which has all of their personal data in it.

Ash: (02:02)
So are we, we’ve actually got a great clip for that.

Speaker 3: (02:05)
You know, we’ve been hearing a lot about cybersecurity lately. So today we sent a camera out onto Hollywood Boulevard to help people by asking them to tell us their password. And this is how that went.

Speaker 4: (02:17)
We’re talking about cybersecurity today and how safe people’s passwords are. What is one of your online passwords currently?

Speaker 5: (02:24)
It is my dog’s name and the year I graduated from high school.

Speaker 4: (02:28)
Oh, what kind of dog do you have?

Speaker 5: (02:29)
I have a Chihuahua Papillon.

Speaker 4: (02:30)
And what’s its name?

Speaker 5: (02:31)
Jameson.

Speaker 4: (02:32)
Jameson. And where’d you go to school?

Speaker 5: (02:34)
Um, I went to school back in Greensburg, Pennsylvania.

Speaker 4: (02:36)
What school?

Speaker 5: (02:37)
Uh Hempfield area Senior high school.

Speaker 4: (02:38)
Oh, when did you graduate?

Speaker 5: (02:39)
In 2009.

Speaker 4: (02:41)
Oh, great.

Ash: (02:42)
So I suppose that clip shows how easily people inadvertently will give their passwords away. Whereas if someone came up to you in the street and said, can you hand me house keys? You wouldn’t,

Dom: (02:53)
yeah. You treat that quite seriously wouldn’t you.

Ash: (02:56)
So there’s this report I’ve got in front of me from, I always say this wrong, it’s the national, the national cybersecurity center. Right. Okay. And they released a list of the most commonly used passwords recently. They say in that study that in their dataset, 23.2 million victim accounts worldwide, were using one, two, three, four, five, six as a password.

Dom: (03:17)
Absolutely. And hackers will, will know this, they’ll use that list themselves. They need to, uh, and they will just brute force a lot of accounts or they’ll try every single combination, every single password. So they’ve got software that can just use your user name and try every single password from this list, um, to see if that’s the part where you’ve used and then get access to your systems.

Ash: (03:37)
Because I noticed on this document that it, that it says, if your password is on this list, change it immediately because…

Dom: (03:44)
For exactly that reason. Yeah the first thing we’d try if we’re trying to hack into your system is try the obvious ones. Password, one, one, two, three, four, five, six, QWERTY. Um, you know, we’ll try a lot of, a lot of people’s names.

Ash: (03:58)
Well, actually a couple, you mentioned names. That was one of the things that shocked me on this report is the number one name that’s apparently used as a password is my name, which I don’t know why Ashley would be the most common,

Dom: (04:11)
Well maybe Ashley’s aren’t very secure people.

Ash: (04:14)
Well, mine isn’t, I’m not giving away my password, but yeah, I mean, looking at this list, you’ve got things like monkey. I love you. Dragon. I mean phrases that people might think, well that’s, yeah, that’s a nice word.

Dom: (04:26)
They’re really, really easy to use. They’re, they’re memorable, which is why people pick them. Um, they mean something to a lot of people, but they mean something to a lot of people.

Ash: (04:36)
So Dom, what are the consequences of not having a secure password?

Dom: (04:39)
Well uh an easy to guess or to brute force password opens up whatever systems you have to anybody. By having a simple password, hackers can can breach any one of your systems. Simple things like Facebook and they can post all of you your messages. They can access your email. Maybe they want to send messages as you or just read read messages and recently there was the ring security system where people use passwords to access that,

Ash: (05:05)
right? Yeah, and the clip’s quite shocking. I mean I’ll play it now, but a little girl having someone talking to her and being able to spy in her bedroom.

Speaker 5: (05:13)
Those recent chilling invasions of privacy

Speaker 6: (05:16)
that tree is looking really, really good. Guys

Speaker 5: (05:18)
played out in home after home.

Speaker 6: (05:22)
I’m your best friend. I’m Santa Claus

Speaker 5: (05:26)
with hackers. Peering in at times taunting residents through their ring camera systems.

Speaker 6: (05:31)
What’s up homie? I still see you

Speaker 5: (05:34)
now prompting a class action lawsuit.

Ash: (05:36)
I mean it raises a whole point about privacy issues, but it is actually down to something that’s not particularly complicated. It’s people not having secure passwords

Dom: (05:46)
or often just the default password. You know, many of these systems come with a standard password and if you don’t change it, then you’re, you’re really leaving yourself absolutely open.

Ash: (05:58)
Okay, so let’s move on to solutions. So what should I be doing with my password?

Dom: (06:02)
Well, there’s a lot you can do to make passwords memorable to yourself, unique to yourself, but, but not easy to guess or to be brute forced. The advice at the moment is to use a combination of words or a sentence almost that makes part of very, very long, uh, so much harder to guess, but still very memorable and easy for you to remember. Uh, I recommend also then substituting some of the characters for, for letters or or just swapping them around. So perhaps instead of Is use exclamation marks, uh, instead of, Oh, use the number zero.

Ash: (06:34)
I don’t want to give away a password, but, uh, on a previous internet service provider that I was using, it had a code, a set code on the router, which was two very random words next to each other. When I first saw it, I thought, how on earth am I going to remember this? But it actually stuck in my head because it was weird.

Dom: (06:52)
Yeah. It’s much easier to remember actual words that you use than a combination of 10 random letters, numbers and characters. Well, what you can also do is make the password unique to each service so that if you only have, say you have two or three words, but then you have some, some ending perhaps, uh, perhaps the, the first three letters of the, of the service’s name. Uh, that way you don’t ever use the same password twice.

Ash: (07:19)
Oh, so that’s quite interesting because I’ve seen the advice that you should have different passwords for everything, which clearly is a complete nightmare. And then you end up writing them down somewhere or putting them somewhere else on your phone, which is another security risk. The other one that came up that I read about, I found an article on the web where someone had talked about in the company that this person worked at, you had to change your password every month and everyone found that very frustrating. And so he used his password as a form of NLP as a way of changing his behavior. So I think the first month he wanted to quit smoking, the second month he wanted to save money to go on holiday. And so every time he typed in his password, he was repeating this message back to himself. So, so it was solving two things.

Dom: (07:59)
Great idea. You have to type it in. So many times you have to remember it, this will force you to do that. Brilliant.

Ash: (08:04)
That brings me on to the next question about how often as a small business owner I should be changing my password or how often my staff should be changing their password.

Dom: (08:12)
Well, in the older days when everyone’s password was very simple, uh, I’d have recommended you change it very frequently, but people just ended up changing it to password one then password two password three, which really isn’t a great system. If you have a longer, more complex password, a couple of words that are memorable to you and, and, and something else, as we talked about earlier, then you probably can, can go a little bit longer between, between password resets.

Ash: (08:40)
So wrapping up, if there was one thing that someone listening to this should take away, what would it be?

Dom: (08:45)
Yeah, always use a unique strong password.

Ash: (08:48)
Okay. So super simple. But as we said at the beginning, this is something that needs to be taken seriously because it has such a significant impact. So apply that simple learning and be more secure. So thanks for listening. Dom and I are the co founders of a business called cyber alarm which is a burglar alarm for the internet, a cyber security platform that’s designed from the ground up for small and medium sized businesses. And how does our service relate to what we’ve been talking about today, Don?

Dom: (09:18)
Well, one of the things we do is we scan the dark web, which is a, an area of the internet notoriously used by hackers and other criminals. Uh, and we look there to see if we can find your username and your password from various hacks that have happened in the past. And if we do, it means that that username, that password is known publicly to anybody that wants to access that information. And we let you know in clear and simple terms that that’s there and what you need to do to protect yourself.