At a cyber expo attended by UK security professionals, attendees voluntarily shared sensitive data including their name, date of birth and favourite football team – all to get their hands on a free donut.
Technology services provider Probrand carried out the study following news that 23.2 million accounts are still using ‘123456’ as a password, and that people’s names, favourite football teams and favourite bands are also among the most common choices.
“We wanted to put this theory to the test and see just how willing people were to give up their data,” said Mark Lomas, technical architect at Probrand. “We started by asking conversational questions such as ‘How are you finding the day? Got any plans for after the event?’ If someone happened to mention they were collecting their kids from school, we then asked what their names and ages were. One individual even showed a photograph of their children.”
As part of the task, Probrand also asked more direct questions such as, ‘Which football team do you support?’, ‘What type of music are you into?’ and ‘What is your favourite band?’
Whether the questions were asked openly as part of a survey or through more hacker-style conversational methods, it was alarming to see how easy it was to obtain personal data – data that many people use as the basis of their passwords.
Lomas explains: “As technology develops, so does the risk of cyberattacks and data breaches, but arguably the greatest consistent vulnerability is employees. It’s crucial that businesses improve processes and technology in parallel with educating employees. Our research shows even the basics still need to be addressed.”
While organisations can never completely remove the possibility of an attack, there are some simple steps that can be taken to decrease the chance of a security breach.
- Strengthen your passwords – Our study shows how easy it is to lure people into sharing sensitive data. It’s important that people don’t use ‘obvious’ information as the basis of their passwords and that passwords are different for different accounts or platforms.
- Make the online log-in process more secure – Activating two-step authentication is a simple way to create a hardened login process. Systems will often ask you to enter your password, followed by a six-digit security code, sent to your mobile device. Many business apps, including Dropbox and Office 365, have this built in for free so it’s well worth looking at.
- Regularly check software and devices – Passwords aren’t the only gateway for hackers. Are your devices up to date? Is antivirus and antimalware software running on your devices? Is the firewall active? You should always be able to answer ‘yes’ to these questions.
- Introduce an employee awareness programme – Add cyber awareness training to employee KPIs and objectives. Online courses, workshops and certifications exist to improve awareness and reduce risk.
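The first step above, not using ‘obvious’ personal information as the basis of a password, can be enforced at password-change time rather than left to training alone. The following is an added example (not Probrand’s code or the study’s method) of a policy check that flags a candidate password built from details like those collected at the expo: name, date of birth, favourite team or band, children’s names. The profile, the leet-substitution table and the minimum token length of three are assumptions for illustration.

```python
import re
from datetime import date

# Undo common letter/number substitutions ("Ars3nal" -> "arsenal"). This
# table is an assumption; real policies may use broader ones.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def _plain(s: str) -> str:
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _date_tokens(d: date) -> set:
    """Digit strings people commonly derive from a date of birth (4+ digits)."""
    return {d.strftime(f) for f in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%Y", "%d%m")}

def personal_tokens(profile: dict) -> set:
    """Normalised words from the profile, plus their reversals, plus date forms."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            tokens |= _date_tokens(value)
            continue
        for word in str(value).split():
            norm = _plain(word)
            if len(norm) >= 3:          # skip initials and very short fragments
                tokens.add(norm)
                tokens.add(norm[::-1])  # "haras" for "sarah"
    return tokens

def personal_data_in_password(password: str, profile: dict) -> list:
    """Return the profile-derived tokens found inside the password."""
    # Check the password both as typed and with leet substitutions undone.
    views = {_plain(password), _plain(password.translate(_LEET))}
    return sorted(t for t in personal_tokens(profile) if any(t in v for v in views))

# Constructed sample profile of the kind the expo conversations elicited.
PROFILE = {"name": "Sarah Jones", "dob": date(1984, 3, 12),
           "team": "Arsenal", "band": "Oasis", "children": "Ellie Tom"}

if __name__ == "__main__":
    for pw in ("Ars3nal1984!", "Ellie&Tom2012", "correct-horse-battery"):
        print(pw, "->", personal_data_in_password(pw, PROFILE) or "no personal data found")
```

A non-empty result is a reason to reject the password and explain why; the same token list can be fed to a strength estimator that accepts user-specific inputs.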