Thursday, April 26, 2012

Alert: Cloud service (Hotmail) experience of Barry Collins, editor for PC Pro

My Hotmail account had been hacked alright, but that was only the beginning of my problems.... Read More

When I read the above article on PC Pro it reinforced the message I am trying to pass on to others about using Cloud services, which appears to be largely ignored by consultants and the IT industry.

Most cloud services use an email address to log on to the services. As you use more services from the provider (such as Microsoft or Google) you continue to place more of your information on the internet. The standard approach to security on computers for years has been a username and password combination. Now with cloud services, when you use your email address, you are providing others with the first part of accessing your internet based data. All others now need to access your data and services is a password.

Now IT people will suggest strong passwords, and may even use strong passwords themselves, but I suspect most people will use relatively easy to remember passwords. If you run a business using cloud services for your staff, how are you making sure every one of those users is using a strong password. Chances are you aren’t. If people can change their own password, then in time there will be a lot of weaker passwords being used. With a recent list of published passwords I obtained from the internet, around 15% of users use a subset of just 100 passwords. That means potentially one in six of your users will be using an easy to hack password. You’ve provided the username as a public email address and human nature will do the rest.

When I reviewed Microsoft’s Cloud service (Office 365) I considered that making the email address public (there was no way to change this, in that when the first email is sent the username is known), was a serious limitation and as a result I wouldn’t actively promote Office 365 to clients. I consider the username you use to log on to cloud service, should not be your email address. Google’s service is only marginally better, but in general for me, still not good enough.

Before you start using cloud services to host your important data, think about the increased risk to yourself and your business. When the data is on your computer behind a local area network, it is still at risk. But once your data is on the internet the risk is much greater. Can you easily see if anyone is trying to access your data? The answer is generally no. If someone logs onto your account without your knowledge could you tell? Again the answer is generally no.

The article by Barry Collins is just one story of a cloud based user’s account being hacked. Had his account been hacked and simply been monitored without any spam being sent out, I’d be pretty confident Barry would never have been aware of his account being hacked. To me that is pretty scary. Then if you check how the one email address is now used across multiple services as the username is bad enough, that the one password is also used is a real concern.

I really appreciate that Barry shared his story so others can benefit from his experience. Before you put your important data on the internet you should do a risk analysis. In effect if someone hacks your account they could get access to all your online documents, correspondence you send to and receive from others, your entire contact list and possibly much more. What someone else could then do with that information is simply beyond our imagination and a considerable concern.

I work on the assumption that every online service has probably had a percentage of their users’ accounts hacked. One day that could be my account. The information I have stored online is very limited. I don’t store client information online. I don’t have most of my client’s email addresses or details online. I have a great deal of public content online, but otherwise most of my content is kept offline. There is still a degree of risk because even if my content is offline, I am still connected, but the risk in my opinion is much lower and in life, it is never possible to remove all risk, but it is good to minimise risk where possible.

If you’re considering using online or cloud based services, make sure you inform yourself as to the risks. Start by asking yourself what would happen if all the information you have online was made publicly available to everyone. What exposure would that mean to you? Consider legal risk, risk to your reputation, potential loss of customers, possible inconvenience and costs should your information become public. When you put your information online you increase your risk. Make sure you educate yourself as to what those risks could potentially be and are they offset by the use of the online service.

- Kelvin Eldridge
www.OnlineConnections.com.au
Call 0415 910 703 for help with your computer problems.
No problem too small.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.