Passwords often a ‘weak point’ for consumers in cyber security

By Aleksandra Sagan The Canadian Press

TORONTO — This month, the University of Calgary paid $20,000 to regain access to its email system after a so-called ransomware cyber-attack.
A year ago, Ashley Madison, a website that facilitates extra-marital affairs, lost customers’ personal information to hackers, who have also recently accessed personal information held by online retailer eBay, Sony and LinkedIn, among others.
Cyber-security experts say businesses of all sizes can be vulnerable to attacks and hackers can manoeuvre their way into any site if the proper controls aren’t in place to detect their snooping.
But as cyber-attacks increase in frequency, there are measures consumers can take to protect the information they hand over to companies online.
“Cyber-risk is becoming a huge business problem,” said Rocco Galletto, leader of managed security services at Deloitte Canada from the company’s Toronto Cyber Intelligence Centre, which helps clients thwart and respond to cyber attacks.
The centre responds to about 1,000 cases annually, he said, though each one isn’t necessarily a full-fledged attack, but could be a lower-priority vulnerability being exposed.
“Consumers are concerned. Organizations are concerned,” he said.
BlackBerry, the Canadian mobile and software company, also entered the cyber-security service business this year, citing a burgeoning industry expected to grow to $23 billion a year by 2019.
There’s strong financial incentive for companies to protect their sites from cyber-attacks. An attack can cost an organization heavily in investigative expenses and other response and aftermath costs, as well as lost business opportunities after its reputation takes a negative hit, according to IBM’s annual global data breach costs study published this month.
The average cost of a data breach is US$4 million, according to the study. The Ponemon Institute sampled 383 corporations in a dozen countries, including Canada, for the study.
In Canada, the average cost of a data breach is $6.03 million, according to the Canada-specific study in which 24 local companies participated.
Hackers constantly scan websites on the Internet, said Rob Moerman, senior manager of the Cyber Intelligence Centre’s operations.
“The bad guys are always looking for vulnerable targets out there, jut like burglars cruise a neighbourhood and look for open windows and doors,” he said.
In its latest quarterly threats report released this month, McAfee Labs said its products detected malicious or suspicious activity 49.9 billion times a day. That’s up 2.4 billion from the previous quarter.
When a hacker finds a vulnerable website, they can expose that crack within minutes to retrieve information like user names, passwords and credit card information, Moerman said.
Just some of that information can lead a determined hacker to more critical data, like a person’s online banking or email password, he said.
“You can go down this rabbit hole where one weak link in that entire process can mean that your entire identity is compromised and all of your information is for sale on the Internet,” he said.
Credit card numbers, for example, can sell on the black market for as little as $1 per card to as much as $25, he said, depending on how fresh the information is, the limit on the account and the bank it’s associated with.
People who rely on the same user name and password combination for all of their online accounts can be especially vulnerable when their information is part of a data breach.
“Whether it’s banking, whether I’m shopping online, am I using the same password for both of those accounts?” he said. “That’s where it becomes a weak point.”
Moerman recommends using complex passwords, changing them frequently and not using the same password each time. He admits this is easier said than done, but suggests password management tools can help people remember all their unique passwords.
Consumers should also always question whether the organization asking for their personal information actually needs it, said Galletto.
For example, he says he’s comfortable filing his income tax return online with his social insurance number, but would avoid sharing it with other online organizations.
“The message is not necessarily that people should be afraid to give their personal information. Just, you know, do it wisely and be selective around the choices,” said Galletto.
Follow @AleksSagan on Twitter.