By now you’ve probably seen a number of sites issuing warnings and suggesting (or in some cases demanding) that you reset your passwords. While it’s not uncommon for sites to ask users to update security details if they are concerned about a security breach, for so many to do so at the same time suggests there was a major incident affecting a lot of sites.
There was, and that incident was Heartbleed.
This article will explain the incident, but if you’re in a hurry, skip to the end for some practical tips to improve your online security.
What is “Heartbleed”?
Heartbleed is not a virus, it’s a description of a flaw which many attackers are already using to steal information. In a nutshell, the Heartbleed security flaw allows attackers to steal information from Internet servers. As many as two thirds of all websites may have been vulnerable, and operators have been frantically updating to more secure software and notifying users.
Among the most common pieces of information at risk of being stolen are user credentials: usernames, passwords, banking PIN codes and so on.
Because these are such high-risk data, many website operators who found their systems to be vulnerable simply assumed the worst and told their users to change their passwords, whether or not they had any report of a breach.
What’s the risk, really?
The individual risk is relatively low, but the impact could be high, so this is worth taking seriously. Having your passwords stolen can lead to identity theft, fraud… a whole battery of online nastiness.
The risk is compounded by the fact that a lot of people reuse passwords across many sites, so a leak at any one could compromise many more.
If I haven’t been asked to change a password, am I safe?
No. Not all sites operate responsibly: some haven’t issued password notifications; some may not even be aware they are vulnerable. You should assume almost any of your credentials could have been exposed, and get cracking on updating them.
The only exceptions would be a password you definitely haven’t used elsewhere, and where the operator has confirmed that their systems were never vulnerable.
Why bother? I’m not a target for criminals.
Unless you’re a high-profile individual, you may not be targeted specifically. But hackers don’t actually work like that: they often use attack tools which scan large chunks of the Internet looking for vulnerable users. Some of these tools even conduct the attacks automatically, only ‘lighting up’ when they have completed the exploitation.
As with any online security issue, you might not be a target, but you may well be in the firing line anyway. And identity theft is a truly horrible experience.
In short, there’s no reason NOT to take steps to reduce the risk.
So what can I do?
It’s not game over just yet, but the basic principles of keeping yourself safe online have become a bit more critical. In this case, since passwords are the main risk, it’s the question of password management.
Here are five key tips you can use to keep yourself safe (well, less unsafe):
- Change your passwords now if you haven’t already. I really mean it. Yes, it’s a pain, but it’s also an opportunity to get better passwords in place.
- Don’t reuse passwords. Even if you just vary them a little from site to site, that will thwart many attacks. If you’re struggling to remember passwords, write them down on a note in your wallet. Security experts will be aghast that I’m suggesting this, but since most people protect their wallets much better than their passwords, the risk is much lower than if you used the same password everywhere.
- Use long passwords. Forget all that stuff about using complicated symbols – length is what matters. Choose phrases you’re likely to remember – favourite lines from a song, perhaps – and you’ll be a lot more secure. Anything shorter than 12 characters is probably too short.
- Consider using a password manager like LastPass or KeePass. These will generate secure passwords for you and save you from having to remember all of them. I personally use LastPass and don’t even know most of the passwords for sites I use. All I know is they’re very long, practically uncrackable, and never reused from site to site.
- Use two-factor authentication for any service which offers it. This is a massive improvement on just a password, and key services like a Gmail account (which can be used to compromise many others via email-driven password resets) should definitely have two-factor enabled: go to the security settings in your Google account page to turn it on. If you do nothing else after reading this article, do this.
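To put numbers on the “length beats symbols” and “12 characters minimum” tips above, here is an added example (not from the original article) that estimates password and passphrase entropy in bits and generates a passphrase the way a password manager would. The character-class sizes and the miniature word list are constructed assumptions; a real Diceware list has 7776 words.

```python
import math
import secrets
import string

# Character-class sizes for a standard US keyboard (assumed values, not from the article).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
MIN_LENGTH = 12  # the article's rule of thumb for a minimum password length

# Constructed miniature word list for the demo; a real Diceware list has 7776 words.
SAMPLE_WORDS = ["anchor", "basket", "copper", "dragon", "ember", "falcon",
                "garnet", "harbor", "island", "jungle", "kettle", "lantern",
                "marble", "nectar", "orbit", "pepper"]


def random_password_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random from `charset_size`."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy in bits of `word_count` words drawn uniformly from a list of `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def estimate_upper_bound_bits(password: str) -> float:
    """Upper bound for a user-chosen password, inferred from the character classes it uses.

    This assumes every character was chosen at random; a quoted song lyric or dictionary
    phrase is far weaker than this bound, because attackers try those first.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += CLASS_SIZES["lower"]
    if any(c in string.ascii_uppercase for c in password):
        size += CLASS_SIZES["upper"]
    if any(c in string.digits for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["symbol"]
    return random_password_bits(len(password), size) if size else 0.0


def meets_length_rule(password: str) -> bool:
    """Apply the article's rule: anything shorter than 12 characters is probably too short."""
    return len(password) >= MIN_LENGTH


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), as a password manager does; never use random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))
```

Running the functions shows the article's point: 12 lowercase letters (about 56 bits) beat 8 characters drawn from the full 94-symbol keyboard (about 52 bits), and five random Diceware words (about 65 bits) beat both.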
Do I need to have written agreements with my friends?
Doing business with friends can go awry if everything isn’t put down in black and white.
A couple of my friends and I have an informal agreement whereby they supply me with goods and I pay them when I receive payment. Is it really necessary to have an agreement in writing?
A quick visit to the world wide web would confirm for you the absolute importance of having everything in writing in a business relationship. Many personal relationships such as marriage are underlined by written agreements.
So, if some of us would sign ante-nuptial agreements before entering into an apparently loving marriage, why would we not put a written agreement in place for our business dealings?
Putting a service level agreement in place:
You are friends, right? You are working together and mutually benefitting. What could go wrong?
Consider the following clauses to a service agreement and ask yourself what would happen in your case if there was no signed agreement in place to address these matters. Additionally, consider the legally binding nature of disclosing these points in writing:
• Effective date – when did we start doing business together? Did a problem arise within our working relationship prior to or post this date?
• Obligations – Who is responsible for what? Imagine there is a problem with the product/service delivery. Whose fault is that? If a loss is to be borne, who will bear that loss? You? Your friend?
• Payment terms – What happens if you don’t get paid and your friend presses you for payment? Can you blame your client for not paying you? How long do you have to settle the account?
• Delivery – What happens if your friend does not deliver the product that you have promised to your client within the agreed timelines (even if the reasons are legitimate)? Your client will claim from you.
• Termination/duration of agreement – Things are not working out, but your friend is dependent on your business. Can you simply stop working together? Do you need to give your friend notice? How much notice? What if they don’t agree with this?
• Ownership right – Your client doesn’t pay you but has the goods. Do those goods belong to you or your friend?
• Disputes – Goods have been paid for, but your client has an issue and returns them… who is liable? Your friend says it’s not his problem. Do you carry costs? Does your friend? Who now owns this item?
Get your agreements in writing. All good business relationships should have defined boundaries – this will provide clarity and ensure that all parties are protected.
Why do I need a business continuity plan?
Having the right managers in place is key to business continuity.
I run a fairly small business and am worried about what would happen if I were to become ill. I also find it difficult to take leave because I’m concerned about the impact that my absence would have on my business. What changes can I make in my business that will allow me to step away from the business occasionally?
Sustainability in your business is key to ensuring that it will survive a crisis, should one occur – or even just your absence on holiday. While employing capable management is a step in the right direction, it’s important to be able to delegate tasks so that they are empowered to run the business in your absence.
By hiring the right people and giving them the training and information that they need, you are ensuring that your business will carry on as usual should you need to step away from it, whatever the reason.
Do I need a tertiary education?
A tertiary education is an investment in your future.
I have been working for several years and am considering studying towards a tertiary qualification. Am I wasting my time and money or will it still benefit me to do this?
A tertiary education is an investment that will pay back over a lifetime. People with a tertiary education develop skills, have better job opportunities and consequently earn more money. In order for businesses to be competitive, they need people with skill sets that will enable them to perform at a world class level.
The world is changing rapidly and as the business environment becomes more competitive, employers are looking for employees that possess the critical competencies that add value to the organisation.
According to a survey by Regenesys Business School, 48% of South Africa’s workforce engages in further studies for better employment prospects and 23% feel that studying would increase their chances of a promotion.
These results are a clear indication that there is a desire amongst South Africa’s workforce to equip themselves for opportunities within the workplace. Many understand that with a tertiary education comes a set of skills and a broad base of knowledge that they’ll use for the rest of their lives.
That which differentiates ordinary from extraordinary managers and leaders is their emotional and spiritual intelligence. Coupled with quality education, these individuals increase their ability to think critically and engage staff to make wise decisions; traits that any aspiring manager, executive or leader should have.