Information Security has been on our minds at BDB for some time and the events at Talk Talk last November were a stark reminder to our leadership team, as I’m sure they were to boards all over the country, of how seriously these threats need to be taken.
Verizon’s 2016 Data Breach investigations Report identified that 63% of 2,260 confirmed breaches leveraged weak, default or stolen passwords.
We thought we’d write this post to describe two recent steps we have taken to significantly reduce the likelihood of anyone gaining unauthorised access to any of BDB’s systems:
Given the sheer volume of passwords that we all end up having to create online, it is unsurprising that so many of us end up duplicating the same password across multiple sites. Furthermore the studies that we’ve studied show that the passwords we tend to create are both difficult for us to remember and easy for hacking systems to break; the exact opposite of what we really want!
We then discovered Lastpass; Lastpass is one of the market leading password management services and has both made our lives much, much easier whilst also significantly more secure. We now have one very, very secure password which is the only one we now need to remember to access our Lastpass vault and have audited all our existing logins and utilised the password generator within Lastpass to create unique and extremely secure passwords for each and every place website or service we use. We like this method for secure passwords but require it to be >20 characters in length
The Lastpass utility includes a “Security Challenge” that runs an audit on your passwords; are they too simple, are they duplicated etc and gives you a score (the higher the better). In the control panel of the Enterprise version you can see everyone’s scores and we’ve now got a little bit of competition going to see who can get their score the highest!
Lastpass do a free version which is great other than it doesn’t cross platforms, so it becomes a bit of a pain if you wanted to login to facebook on your phone for example. The Premium version is multi-platform and is only $12pa. Another neat feature of Premium is the ability to share logins to particular sites across family members, so if you’ve got a Flickr or Picassa account with all your holiday photos you can share this with your children etc. Given the number of clients who we know have suffered from some sort of identity theft, using a service like Lastpass seems a really sensible precaution.
Lastpass is great, however it does open up another vulnerability: if someone can get into your Lastpass account, they get access to everything. We have therefore put another layer of security into our systems which is a Yubikey; a Yubikey is a small usb hardware device that contains a very strong encrypted password that is delivered with a simple touch of a button on the key.
Each Yubikey is unique and is linked to a particular Lastpass account. So what I now need to login to my Lastpass vault is both my master Lastpass password (the long, secure one), my Yubikey, have it inserted into a USB slot on the computer and be present to touch the button when prompted.
The use of Lastpass has got rid of all those duplicated passwords and has helped us ensure that our passwords are now incredibly strong; it has also made life much simpler as we don’t need to remember any of them, they are all safely contained in the Lastpass vault which logs us in automatically to any site we want to access.
Combining Lastpass with the Yubikey means that it is also incredibly difficult for anyone to obtain access to our Lastpass account. Overall our online logins and secure access is now extremely robust as a result of these measures. Our clients can be assured that we take data security very seriously and continue to keep the matter under review to ensure we have the highest levels of protection available.
Please don’t hesitate to get in touch if you would like to talk to us about these measures or learn how they might with your passwords at home.