Businesses of all sizes, but especially small- and medium-sized ones, are at risk of a particularly sneaky cybersecurity threat. This peril is unique because it is hidden in plain sight and springs from an unlikely source: family.
The fact that the hazard is often unintentional does not reduce the risk — indeed, the very nature of family (including trusted employees, friends and relatives, as well as siblings, children, parents and other bloodline relations) tends to increase the odds of a successful cyber incident. Why? Because a business owner or other individual with access to sensitive data is more likely to share passwords, devices and other “keys to the business” with a member of their (extended) family in the belief there is less chance of misuse by a trusted individual. But that is a mistake – even if the business has robust cybersecurity services in place – because a family member does not have to be malicious in order to do harm.
Remember that once you hand over a password to another person, you simply do not know how they will handle it. One danger is that they may jot down the password or share it with someone else who may then share the password with another individual, all the way down the line until it reaches an ill-intentioned person. Or the trusted individual you originally handed it to may write it down on a piece of paper that is left in an unsecured location — leaving it visible to unauthorized parties. Regardless of the specific circumstances, your password’s next stop is likely to be the Dark Web or some other menacing location.
Shared devices are another common threat vector. How many times does a small-business owner bring his or her laptop home, and a spouse or child asks for access so they can do homework, create a shopping list or engage in some other innocent task? The problem is that the owner has no way of knowing what happens next. That assignment your son or daughter is working on will likely require them to log onto their school’s network — and just how secure is it? Or, as children, adolescents and even young (and older) adults are prone to do, they may log onto a gaming or other site – or even check and open their email – potentially enabling a program to covertly download malicious software onto your device.
Once a device leaves your hand, you are no longer its custodian and typically have no way of knowing how the device is being used until it is too late. The danger may be compounded by the use of certain browsers, which, depending on their settings, may display a list of stored passwords, including those for bank accounts and other sensitive data.
Fortunately, the solution is simple — although it may not be painless: restrict access to passwords and devices on a “need to know or use” basis. Do not circulate passwords unnecessarily; make sure you change them on a regular basis, and do not use the same password for multiple accounts. To further safeguard a password, consider using a password manager, a software application that is designed to store and manage online credentials. A password manager also creates passwords, and usually stores them in an encrypted database that is locked behind a master password.
Along with that, consider using MFA, or multifactor authentication. This adds a layer of protection by adding another step to the sign-in process before email and other accounts or apps can be accessed. When MFA is enabled, a user trying to access his or her own account, or a hacker trying to hijack one, will first be prompted to provide an additional identity verification, such as scanning a fingerprint or entering a code received by a phone or other device registered to the legitimate user.
Perhaps the toughest part about all this is informing your family member or other person that they no longer have access to your device, or that you will no longer share your password with them. Some people have a difficult time understanding the importance of security protocols, and how dangerous it can be to bypass them. But the effort is worth it. If a hacker gets access to your personal or business accounts – and often, entry to one results in entry to the other – the hacker will be like a kid in a candy shop, grabbing all the goodies they can.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.