If you’re reading this and use Gmail or any number of cloud based services and don’t know about or have two-factor authentication turned on, then in 2017 you’re going to get hacked.
I’m not trying to be alarmist, I’m stating the inevitable, and when you get hacked, all your own and your clients' secrets will go online for all to see. Don’t be that person in 2017.
Previously we thought that online security was the responsibility of our IT department.
As the recent hack of the Democratic National Committee’s servers, and the release by WikiLeaks of hundreds of DNC chairman John Podesta’s emails have shown, your online security can be compromised by one click on a bad link in an email.
That one click pretty much undid Hillary Clinton’s presidential career, and we know now what happened next.
Why online security has now become the responsibility of employees, not just the CIO
As part of my 2016 Christmas holiday reading, I learned much about how Hillary Clinton’s presidential hopes came undone by a simple typo and a single mouse click.
In an excellent long form piece from the New York Times titled The Perfect Weapon: How Russian Cyberpower Invaded the US, there is an incredibly detailed analysis of what went on.
It is worth a read, not just for the implications it had on the US presidential race but also what it means for you personally and your company.
If the Democratic National Committee can be hacked, then so can you.
What is more worrying is that Podesta wrote a report for president Obama in 2014, so you'd think he would be acutely aware of the risks
So what actually happened and how can you learn from this?
According to the NY Times investigation, Charles Delavan, a Clinton campaign aide, incorrectly legitimised a phishing email sent to the personal account of Podesta – a screenshot from the New York Times article is shown below.
Note Delavan uses the word “legitimate” when he actually meant this is not a legitimate email.
Delavan also insisted that he turn on “two-factor authentication” – more on that in a moment including a plea from me (and your IT department) to do the same, even with your personal accounts.
In an additional review on the Financial Times website, we see that the phishing attempt was successful because it looked like a legitimate email, even coming from what looked like email@example.com.
It managed to trick a good many people, and the result is thousands of private and confidential emails are now in the public domain.
How Gmail is the key to the kingdom for hackers
As was shown convincingly in this blog post from Cloudflare chief executive Matthew Prince in 2012, a sophisticated hacker was able to get into Matthew’s Google apps account using a combination of a social-engineering hack of an AT&T account and the fact he was using a private Gmail account as an alternate email address.
From what I read from the NYT investigation, the Podesta hack was much simpler.
As is common in cyber-security cases, a “phishing” email was sent to Podesta that looked very similar to a real email from Google, suggesting that “someone has your password” and offering a link to click to change your password.
As we know now, the link he clicked went to a website that looked identical to the Gmail change password page, and in an instant, the hackers had full control to his Gmail account with a shiny new password.
The irony here also if you look at the fake email, it even contains a recommendation to add 2-factor authentication.
Had Podesta done this straight away, then it is more likely that none of the incriminating emails would have come to light and WikiLeaks would not have had anything to share.
The reason you need to turn on two-factor for your entire Google account is that now Google groups your accounts together, once a hacker is in one door, they have the run of the house.
Think about that spreadsheet you have on Google Docs with your passwords, the word document that has all your personal financial information, and the powerpoint you forwarded from your work email with the list of all your clients.
What does this mean for you and your business?
If you’ve read this far, perhaps I scared you at the beginning by saying you were going to get hacked. As someone who works in the creative, digital or online industries, I am sure you have many logins to multiple sites and services.
If you are reading this and don’t know what two-factor is, then stop what you are doing and set aside an hour NOW to learn more and enable the service on all accounts that offer it. To get you started, head to the Google two-step authentication page where it explains everything clearly and the steps to go through.
Each time you log onto a Google site from a new computer, you will be prompted to prove it is you on your mobile. While that may add a few extra seconds to your day, imagine the hours you would have to spend if you got hacked. Each time the “Trying to sign in” message pops up, I think of it as my digital insurance at work.
What the Podesta email hack has shown is that something as simple as believing an email in the day-to day rush of doing business and clicking on a password reset link had massive ramifications.
I firmly believe that online account security is now the responsibility of the employee not just the organisation you work for. When I gave a talk recently to a digital group at a large well known company, I asked the 300 assembled how many had two-factor turned on for their personal accounts.
I counted only a few dozen hands go up in a room of 300. I gave them the same message I am giving here, that the responsibility for online security now needs to be a joint effort between the employee or freelancer and the organisation they work for.
As our private and work lives intersect, who can’t say they’ve emailed a document to their personal address because it was easier to look over it at home or in another office. We gravitate towards the systems that are easiest to use, and in the process bypass many of the security features that have been built into today’s workflows.
How can I possibly remember all of my passwords?
As we sign up for more and more services, it is more likely that we reuse a few favourite passwords to make the process much easier. I’ve even seen “internet password logbooks” for sale like this one.
When I first saw this I thought it was a joke. Stationary companies such as WH Smith and Rymans in the UK as well as Amazon have a whole range of them! The front covers of most scream “ALL MY PASSWORDS ARE HERE”!
I use LastPass to secure over 1,000 sites I use or have used previously. I now have a different password for every site so there is no way I could remember them all.
This is where LastPass comes in, and all I need to do is remember one master password and then use 2-factor authentication on my mobile so I can auto-fill sites via a browser plugin.
If you don’t want to be the one who has you or your client’s secrets published for all to see in 2017, then take my advice: set aside an hour and turn on two-factor on all your online services and social networking sites that support it, then invest in a password manager as a new year’s resolution.
Follow Andrew on Twitter @AndrewGrill