Interesting reading recently with the news that local legal advisors, Freehills, appear to have compromised the process of selling around AUD $100M in assets on behalf of their client Commander.
An article in The Australian reported the incident as follows: "Freehills this week sent confidential passwords to almost 100 people connected to companies interested in bidding for some, or all, of Commander's assets. But in an embarrassing email glitch, each participant in a sale that has been code-named Project Larry was sent the passwords of every colleague, rival and adviser associated with the sale."
Um, OK. So Freehills have sent a copy of every potential bidder's password to everyone else in the process. Apart from thinking they could have saved time and simply used one shared account for everyone, I'm reminding myself that there is room for human error.
And of course, if there is commercially sensitive information available once you're in, then of course there will be an appropriate level of security to match the perceived risk.
After all, Freehills provide leadership in this area through their own client advice. Their website reads in part "Our approach is to find practical and commercially viable solutions to privacy and data protection issues." Really?
How about this little basic - if information has any significant commercial value then single factor authentication (eg username and password) doesn't cut it. Human error will always happen; the point of a second factor is that one mistake shouldn't be enough. A second factor (a token, a one-time code, a device) would have meant that the passwords in that email were useless on their own, and this scenario would never have unfolded the way it did. Using a single factor to authenticate means everything required to access the commercial information can be found in one spot. And "found" it is - daily - via password sharing, post-it notes and mistaken emails.
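To make the "one spot" point concrete, here is an added illustration (my own example code, nothing to do with Freehills' or Commander's systems) of what a second factor changes. It uses a standard TOTP one-time code (RFC 6238) alongside a password. The bidder account, the password and the salt are constructed for the example; the TOTP secret is the RFC 6238 test-vector secret so the expected codes are known. Note how a leaked password on its own never gets past verify_login.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1) for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)           # 64-bit big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _hash_pw(password, salt):
    # PBKDF2 for the stored password; the first factor on its own.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed example data. The salt is fixed only so the example is
# deterministic; a real system draws a fresh os.urandom(16) salt per user.
_SALT = b"constructed-salt"
BIDDERS = {
    "bidder01": {
        "pw_hash": _hash_pw("Larry-2008!", _SALT),              # constructed password
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",      # RFC 6238 test secret
    },
}


def verify_login(username, password, code, now=None, step=30):
    """True only when BOTH factors check out.

    The password is the thing an email glitch can leak; the one-time code
    comes from something the bidder holds, so the leak alone is not enough.
    """
    user = BIDDERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(_hash_pw(password, _SALT), user["pw_hash"]):
        return False
    if not code:
        return False                                         # first factor only: refused
    now = int(time.time()) if now is None else now
    # Accept the current step and one either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        expected = totp(user["totp_secret"], now + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Simulate the leaked-password scenario at a fixed instant.
    leaked_password = "Larry-2008!"
    print("password only :", verify_login("bidder01", leaked_password, None, now=59))
    print("password + code:", verify_login("bidder01", leaked_password,
                                           totp(BIDDERS["bidder01"]["totp_secret"], 59), now=59))
```

The obvious caveat: the second factor only helps if its secret is enrolled out of band (QR code in person, hardware token posted separately). Emailing the TOTP seed in the same message as the password just recreates the "everything in one spot" problem.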
I'm not sure if I'm alone, but I suspect Freehills may not be in Commander's good books. And a couple of their clients (and prospects) may just be taking another look. And when you think about it, that is a significant factor for them and, possibly, for you. Looking beyond the actual incident, what is the PR value of being exposed as the apparent source of a major security incident?
If you're a bricklayer, chances are that a) you won't have a major incident, but also b) if you do that it may not severely impact your business. After all, there's not that much critical client information the bricklayer will have. Except perhaps for credit card information, but if you're dealing with a brickie with a bad track record then you can always choose to pay by cash, cheque or direct deposit.
But if your business is trusted with significant commercial information relating to your clients then the ramifications can be far worse. It can spell the end of the organisation - even sizable ones. It can also affect factors such as share price, the ability to attract (and keep) clients, and the confidence of employees, shareholders and suppliers.
So what to do? Essentially it comes down to risk - exactly the area where Freehills is advising clients. I'm no expert in that specific area, but as a general rule I'd say multiplying the cost of an "incident" by the probability of an incident occurring will give you a guideline (expected loss, in other words). Then identify the means by which you can reduce that probability, factor in the cost of implementing those means, and you have a workable model. Albeit quite basic! I'm also sure there are plenty of more thorough models around should you care to look. (Find some, let me know!)
The obvious tool to start with is stronger authentication. There are a number of inexpensive tools around now that make it much easier. No, it's not bulletproof, but it requires someone to go to reasonable lengths to circumvent it, and it would have meant a mistake like the one above leaked passwords that were worthless on their own. In fact, for a tiny amount of expenditure the outcome could have been much different (and saved me this rant)!