Online security must become the responsibility of all your employees or you can expect your brand to get hacked this year.

tl;dr – head to 2fa.directory and start turning on 2-Factor Authentication (2FA) for ALL your accounts – now!

A version of this post originally appeared on The Drum where Andrew is a regular columnist.

If you’re reading this and use Gmail or any number of cloud-based services and don’t know about or have “2 factor authentication” turned on, then in 2019 you’re going to get hacked.

I’m not trying to be alarmist, I’m stating the inevitable, and when you get hacked, all your own and your client’s secrets will go online for all to see. Don’t be that person in 2019.

Previously we thought that online security was the responsibility of our IT department.

As the recent hack of the Democratic National Committee’s servers, and the release by WikiLeaks of hundreds of DNC Chairman’s John Podesta’s emails has shown, your online security can be compromised by one click on bad link in an email.

That one click pretty much undid Hillary Clinton’s Presidential career, and we know now what happened next.

UPDATE: There is a great website listing all the sites that support 2-factor authentication. Use it to check how to enable 2FA for EVERY site you use.

 

Why online security has now become the responsibility of employees, not just the CIO

As part of my 2016 Christmas holiday reading, I learned much about how Hillary Clinton’s Presidential hopes came undone by a simple typo and a single mouse click.

In an excellent long-form piece from the New York Times titled “The Perfect Weapon: How Russian Cyberpower Invaded the U.S” there is an incredibly detailed analysis of what went on.

It is worth a read, not just for the implications it had on the US Presidential Elections in 2016, but also what it means for you personally and your company.

If the Democratic National Committee can be hacked, then so can you.

What is more worrying is that Mr Podesta wrote a report for President Obama in 2014, so you think he would be acutely aware of the risks.

So what actually happened and how can you learn from this?

According to the NY Times investigation, Charles Delavan, a Clinton campaign aide, incorrectly legitimized a phishing email sent to the personal account of John D. Podesta, the campaign chairman – a screenshot from the New York Times article is shown below.


Note Delavan uses the word “legitimate” when he actually meant this is not a legitimate email.

Delavan also insisted that he turn on “two-factor authentication” – more on that in a moment including a plea from me (and your IT department) to do the same, even with your personal accounts.

In an additional review on the Financial Times website, we see that the phishing attempt was successful because it looked like a legitimate email, even coming from what looked like accounts@googlemail.com.


It managed to trick a good many people, and the result is thousands of private and confidential emails are now in the public domain.

How Gmail is the key to the kingdom for hackers.

As was shown convincingly in this blog post from Cloudflare CEO Matthew Prince in 2012, a sophisticated hacker was able to get into Matthew’s google apps account using a combination of a social-engineering hack of an AT&T account and the fact he was using a private Gmail account as an alternate email address.

From what I read from the NYT investigation, the Podesta hack was much simpler.

As is common in cybersecurity cases, a “phishing” email was sent to Mr Podesta that looked very similar to a real email from Google, suggesting that “someone has your password” and offering a link to click to change your password.

As we know now, the link he clicked went to a website that looked identical to the Gmail change password page, and in an instant, the hackers had full control of his Gmail account with a shiny new password.

The irony here also if you look at the fake email, it even contains a recommendation to add 2-factor authentication.

Had Podesta done this straight away, then it is more likely that none of the incriminating emails would have come to light and WikiLeaks would not have had anything to share.

The reason you need to turn on 2-factor for your entire Google account is that now Google groups your accounts together, once a hacker is in one door, they have the run of the house.

Think about that spreadsheet you have on google docs with your passwords, the word document that has all your personal financial information, and the PowerPoint you forwarded from your work email with the list of all your clients.

What does this mean for you and your business?

If you’ve read this far, perhaps I scared you at the beginning by saying you were going to get hacked.  As someone who works in the creative, digital or online industries, I am sure you have many logins to multiple sites and services.

If you are reading this and don’t know what 2-factor is, then stop what you are doing and set aside an hour NOW to learn more and enable the service on all accounts that offer it. To get you started, head to the Google 2-step authentication page where they explain everything clearly and the steps to go through.

Each time you log onto a google site from a new computer, you will be prompted to prove it is you on your mobile. While that may add a few extra seconds to your day, imagine the hours you would have to spend if you got hacked. Each time the “Trying to sign in” message pops up, I think of it as my digital insurance at work. 

What the Podesta email hack has shown is that something as simple as believing an email in the day-to-day rush of doing business and clicking on a password reset link had massive ramifications.

I firmly believe that online account security is now the responsibility of the employee, not just the organisation you work for.  When I gave a talk recently to a digital group at a large well-known company, I asked the 300 assembled how many had 2-factor turned on for their personal accounts.

I counted only a few dozen hands go up in a room of 300. I gave them the same message I am giving here, that the responsibility for online security now needs to be a joint effort between the employee or freelancer and the organisation they work for.

As our private and work lives intersect, who can’t say they’ve emailed a document to their personal address because it was easier to look over it at home or in another office.  We gravitate towards the systems that are easiest to use, and in the process bypass many of the security features that have been built into today’s workflows.

How can I possibly remember all of my passwords?

As we sign up for more and more services, it is more likely that we reuse a few favourite passwords to make the process much easier.  I’ve even seen “internet password logbooks” for sale like this one.


When I first saw this I thought it was a joke. Stationery companies such as WH Smith and Rymans in the UK as well as Amazon have a whole range of them! The front covers of most scream “ALL MY PASSWORDS ARE HERE”!

Please do not buy one of these, and if you have one, please convert this into a secure password manager, with applications such as LastPass (free) Dashlane or 1Password. Read the reasons why I’ve just switched from LastPass to 1Password here – mainly because of their deep integration with the haveibeenpwnd website.

I use 1Password to secure over 1,000 sites I use or have used previously. I now have a different password for every site so there is no way I could remember them all.

This is where 1Passeword comes in, and all I need to do is remember one master password and then use 2-factor authentication on my mobile so I can auto-fill sites via a browser plugin.

If you don’t want to be the one who has you or your client’s secrets published for all to see, then take my advice, set aside an hour and turn on 2-factor on all your online services and social networking sites that support it, then invest in a password manager as a new year’s resolution.