Earlier this year, between January and March of 2019, many email account holders fell foul of another high profile email security breach.
The attack centred upon a batch of free Microsoft email accounts – certain users of the Hotmail, MSN, and Outlook clouds. Although the problem was recognised and fixed relatively quickly, it does serve to show the importance of having additional security measures in place, and not relying exclusively on a single username and password for protection.
In this case, the cyber criminal(s) penetrated the system not by hacking individual accounts but by hijacking an administrative account used by a member of Microsoft’s customer support team. This gave them ‘back door’ access to a batch of email addresses and customer account data. In some of these cases, the attacker would have been able to read the emails and presumably gather details of users’ contacts and the correspondence between them.
Microsoft has not confirmed exactly how many people were affected but it has issued notifications to all those who were. You can read more about this here.
In this case, no customer was at fault – the attack came via a different route – but the attack does show how important it is not to assume that email correspondence (particularly unencrypted correspondence) is secure. Any sensitive data contained in those emails – such as passwords, bank details, important customer contact data or documents – could potentially have been at risk.
It is especially important to keep email accounts secure. They are often used as part of automatic “password reset” features on other platforms, and email addresses are also often used as user names when logging in to other systems. There are numerous links between email accounts and people’s wider security systems, so any Microsoft breach of this kind is potentially serious.
In this particular instance, there is no suggestion that attackers were able to obtain individual email passwords, but as a matter of good practice, it is always wise to set a unique password for one’s email account. Using the same password for multiple platforms is asking for trouble.
At AMP, we have long made the case for two-factor authentication as a way of adding an extra layer of security. A good example might involve logging into a web platform with a user name and password (step 1). This then triggers the website platform to send an SMS to the user’s phone. He/she must then respond to this text (step 2) in order to confirm the authenticity of the request. This is common practice in internet banking, particularly when new payment transfers are requested, but businesses should be applying the same principles to all their vital digital systems.
The basic idea behind two-factor authentication is that while any single system (such as email) might sometimes become vulnerable, it is much less likely that two independent systems will become vulnerable at the same time. In the example above, an attacker might somehow be able to gain access to someone’s login details for a given website, but unless he/she has also stolen their phone, the second stage of authentication will stop them from proceeding with the attack. It’s a security measure that adds only seconds to most login times, but it adds a very important second layer of defence.
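The two-step flow described above, as an added example in Python (not code from the original post or from AMP): step 1 checks the password, and only then is a short-lived one-time code issued for step 2. The user store, the phone number and the SMS gateway are constructed stand-ins; a real deployment would use a proper user database and an SMS provider.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: password kept only as a salted PBKDF2 hash.
USERS = {"alice": {"salt": b"demo-salt", "pw_hash": b"", "phone": "+44 7700 900123"}}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS["alice"]["pw_hash"] = hash_password("correct horse", USERS["alice"]["salt"])

PENDING = {}    # username -> {"code", "expires", "attempts"} awaiting step 2
SENT_SMS = []   # stand-in for the SMS gateway: list of (phone, message)

def step1_password(username: str, password: str) -> bool:
    """Step 1: verify the password. On success, issue a one-time code and 'send' it."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"])):
        return False
    code = f"{secrets.randbelow(10**6):06d}"          # 6-digit code from a CSPRNG
    PENDING[username] = {"code": code, "expires": time.time() + 300, "attempts": 0}
    SENT_SMS.append((user["phone"], f"Your login code is {code}"))
    return True

def step2_code(username: str, code: str) -> bool:
    """Step 2: verify the code from the phone. A stolen password alone never gets here
    with a valid code; expired or repeatedly guessed codes are thrown away."""
    pending = PENDING.get(username)
    if pending is None:
        return False
    pending["attempts"] += 1
    if time.time() > pending["expires"] or pending["attempts"] > 3:
        del PENDING[username]                          # force the user back to step 1
        return False
    if hmac.compare_digest(pending["code"], code):
        del PENDING[username]                          # a code is single-use
        return True
    return False

def sent_code_for_demo() -> str:
    """Read the code back out of the stand-in SMS log (only possible in this demo)."""
    return SENT_SMS[-1][1].split()[-1]
```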
An important part of keeping your business secure is awareness: knowing what forms attacks can take, and how to develop safe working practices right across the organisation.
Human error is often the weak point in a company’s cyber defences, but a simple training session can go a long way towards raising awareness and giving staff a clear understanding of how to recognise and respond to potential attacks.
For more details, please see our IT security training page or call Liam Marshall on 0800 368 7730.