WIREDGOV

Blog posted by: Jim Baines, CEO, 06 July 2016.

Jim Baines, CEO of a major US packaging company, recently made a simple mistake which lead to a cyber-attack on his company and left his clients vulnerable to hackers. Jim’s story is the subject of AXELOS' Whaling for Beginners cyber novellas and, in a new series of blogs, Jim discusses his experiences, what he has learned about the importance of cyber resilience and how individuals and organizations need to be better at detecting, responding to and recovering from cyber-attacks.

My passwords are as old as I am (almost): a brief reflection on the LinkedIn hack.

Every time a news story about a company getting hacked appears, I go cold. The LinkedIn hack is no exception. It used to be that I’d see these stories and think they only happened to huge corporations, not relatively modest enterprises like my packaging company here in Peekskill, NY. But then it did happen to me. And, after what seems like a lifetime, I’m still working hard to recover. You can read my story in Whaling for Beginners.

I got caught out by a bogus email that led me to download an attachment (I thought it was a photo of me triumphing on the 18th hole!) and, well, the rest is… a (horrible) history. The attackers used my company to get to my clients: big multinationals, whose trust in me may never be the same again.

We brought in a security consultant to help. Big bear of a guy called Domenic Rizzo. He quickly let me know I wasn’t alone. Cyber-attacks happen so often we don’t even know about most of them. Nobody is immune – particularly people like me in boardrooms around the world.

Rizzo got up my LinkedIn profile and asked me what my password was. I refused to tell him, thinking that was what I supposed to do when a security consultant asked me what my password was. He smiled, sighed, then typed something - paused - and then typed something else. On the fourth attempt he was in.

I was amazed. “Mother’s maiden name?” he asked (knowing the answer). It was. A lot of my (not very diverse) passwords are that personal. That’s how I remember them, how, no doubt, many of us do. I’d used it in various forms ever since the ‘90s. But Rizzo had done his research and, using nothing more than a common search engine and some basic human psychology, had found enough information to make an educated guess.

“The LinkedIn breach happened four, five years ago,” Domenic told me. “It only came to light beginning of ’16 when someone started selling it on the Dark Web; but odds are most people haven’t changed their passwords since then. So, the information, though old, is still valuable. CEOs need to change their passwords frequently.Especially CEOs. Their passwords are the most valuable.

Sounds simple. But it’s true. Do you know how vulnerable you are? Do you behave like you’re the first line of defence for your company?

Want to be secure? Get the full story: Whaling for Beginners Books I and 2 available now

See our RESILIA™ section for more information about cyber resilience.