The internet is a marvellous place. From watching cat videos on social media to doing online business banking, there’s an awful lot we do on the web. So it’s probably not an exaggeration to say that much of our lives are online. And there’s a lot out there that you wouldn’t want to fall into the wrong hands.
For instance, we’re talking about your Social Insurance Number, bank account info, passport number etc.—these are your digital secrets. And, of course, that’s before we even get into corporate and business secrets such as customer data or intellectual property. But what if we told you that many of your digital secrets aren’t as secret as you think?
Alarming stats
Consider that in April of 2021, 1Password, a Toronto-based password manager, surveyed some 500 IT and DevOps employees at large companies in the US, and some of the stats are mind-blowing:
- 80% admitted to not managing their secrets well
- 60% revealed that they had experienced secret leakage
- Alarmingly, 77% stated that they still had access to secrets from former employers
And this is far from a rare issue. For example, 1Password also found that 1 in 4 companies have secrets stored in 10 or more locations (think spreadsheets, documents, password managers, etc.). Indeed, they also found that 50% of the IT/DevOps workers surveyed didn’t know where all their secrets were. In other words, they’d lost track.
The stats listed above came from 1Password’s ‘Secret sprawl and the next big cybersecurity threat’ webinar.
Of course, ‘secret sprawl,’ as 1Password puts it, puts an organization at significant risk. There are hordes and hordes of cybercriminals out there looking for weaknesses to exploit for personal gain. That is the brutal truth.
So what can you do about this?
Many folks put this kind of thing off because they’re overwhelmed by the scale of what they need to fix. It feels daunting and far too time-consuming to tackle. That is entirely understandable. Our advice is to start small.
Begin by reviewing your corporate strategy around passwords, data hygiene etc., and plug the clear gaps. Ensure team members have secure passwords, ensure that secrets aren’t being shared over non-encrypted channels such as email and text, and ultimately develop an infrastructure and culture of robust security. This culture includes removing access and changing passwords when team members leave. Creating such an infrastructure and culture doesn’t happen overnight, but that doesn’t mean you should put off starting until tomorrow.
Nothing is 100% secure, but the better your processes and practices, the more your risk is reduced. A data breach can result in disruption, erosion of customer trust and financial loss, so anything you can do to limit that is smart.
Of course, there are password managers on the market, like 1Password, which can help you manage your password storage etc. In addition, professional data security companies, such as SeekingFire Consulting Inc., can test your vulnerabilities and work with you on remedying them.
The trick is not to bury your head in the sand. It’s tempting as this stuff isn’t always the most fun to think about, but if you do suffer a breach, you’ll regret not getting on top of this common issue sooner.
Here’s a helpful tip to end on: if you can remember a password, chances are, it isn’t strong enough. The best passwords tend to be way too tricky to remember. We would recommend taking it a step further and using a passphrase rather than a password. They’re easier to remember than a complex password but long enough to be difficult to guess (especially using automated methods).
At SeekingFire Consulting, we’ve made the digital world a safer, more secure place since 2005. Based in Kelowna, BC, we serve clients across Western Canada, and we offer a no-judgement, free consultation to all prospective clients. So if you would like to discuss your data security needs, please reach out; we would love to hear from you.
Disclaimer
While we have made every effort to present accurate, unbiased and helpful information in this article, please note that it reflects the author’s opinion and is written for the purposes of general knowledge, information and discussion. This article is not intended as legal advice, nor should it be considered as advice specific to your individual data security situation. If you would like to discuss your cybersecurity needs in specific detail, please get in touch with us.