Meet Tom. Tom works at Acme Consulting, a 25 person company. As the senior “tech guy” at Acme, Tom wears a number of hats, including having responsibility for IT and security. Tom tries his best to protect his company, but he’s got his share of problems (and his colleagues don’t always help out) as we’ll see in our ongoing series Tom’s Tales….
CEO Eleanor threw a wrench in Tom’s weekend plans (and in company security) by losing her smartphone – which didn’t have password protection. Here’s how it happened, and how Tom responded.
It’s scientifically proven to be one of the top 7 worst feelings one can experience.
You glance at the clock on a Friday afternoon, and it hits you: The sickening realization that, although you only have two hours left in the day, you still have a solid nine hours of work left to do.
But Tom was not having one of those afternoons. Instead, he was casually – relaxingly, even – finishing up the last items on his task list, getting ready to enjoy his weekend.
Until she blew in. Eleanor, the CEO, was in a rising state of panic. She had lost her Android smartphone, most likely on the subway. She had tried going back to find it. She had tried calling the number. No luck.
Tom tried not to roll his eyes. Last month, Eleanor had locked herself out of that same phone, and then insisted that Tom stop the server update he was working on in order to walk over to her office and restore her access.
Which, incidentally, was the precursor to the disaster that destroyed any hope of Tom’s peaceful Friday evening. Because in order to prevent further “issues” with her phone’s locking, Eleanor told Tom she had made the brilliant decision to just…get rid of it. No passcode PIN. No fingerprint. Nothing.
But Tom’s life wasn’t simple enough for the disaster to end there: Eleanor then said she kept track of her passwords – company passwords included – in a spreadsheet that she frequently accessed on her phone. Plus, she used the phone’s notes app to store credit card numbers, including those of her company cards.
If Eleanor’s phone wasn’t password protected, neither were any of the company accounts. Whoever scooped up that phone would have access to all the passwords they needed in order to do everything from hacking the company’s Facebook page to transferring money out of their corporate accounts.
So much for security. Now Tom found his own pulse rising to a state of panic.
The phone had been missing for a few hours. Tom got started with damage control (so much for his leisurely evening) by having Eleanor call the company’s wireless carrier, with Tom on the line. The carrier was able to suspend wireless service for the phone and confirmed that no outbound calls had been made and no data had been used on the carrier’s network, but it couldn’t confirm whether the phone had been accessed and “jailbroken”, with data now being used over a local Wi-Fi network or with a different SIM card.
- Contact wireless carrier about lost/stolen phone, suspend service and ask for remote data wipe if possible
With that done, Tom asked Eleanor a series of detailed questions.
Exactly what financial account and credit card information was stored on the phone?
Since bank account passwords were in the spreadsheet, Tom called their company CFO and told her to work with the company’s bank to a) ensure the company’s accounts had not seen unusual activity, and b) immediately change passwords for account access. Then, since credit card numbers were saved in the phone’s easily accessible notes app, the card issuers needed to be alerted and the cards cancelled. It would throw a wrench in the company’s auto-payments, but Tom thought better to deal with those small problems than the bigger one of anyone who accessed the phone being able to use the cards to make purchases.
- Stop and cancel banking or credit card information.
Are the password spreadsheet and other online docs connected to an email account? If not, are the spreadsheet or docs protected by a strong password that was not exposed?
If the online spreadsheet with Eleanor’s saved passwords was tied to an email account used by the phone, the spreadsheet was highly vulnerable. In any case, the email account credentials needed to be changed immediately since email access from any device provides “keys to the kingdom” enabling password changes on many online accounts via “forgot my password” links. Another priority would be Dropbox or other file storage accounts.
- Change email passwords first to prevent changes to other account passwords, then prioritize file storage passwords like Dropbox to stop auto-syncing with online documents.
Do other applications on your phone have saved passwords?
If so, the password for any application holding sensitive data – especially one that allowed someone to make charges without authorization – needed to be changed. A hacker could tap on app icons and get access to those services immediately (for example, opening the Amazon app and going on a spending spree).
Eleanor couldn’t remember every app on her phone, so they logged into her Google Play account from the desktop and went through all of the applications to check.
- Change the information for all accounts with saved passwords.
Does the spreadsheet application notify you of when it was last accessed?
Some applications allow you to see the last time you accessed the account. If that was a possibility for Eleanor, they might be able to see when and where the spreadsheet had been accessed.
This would be more for peace of mind than anything else; even if the spreadsheet hadn’t been accessed, the password still needed to be changed.
- If possible, check to see when the document(s) had last been accessed.
Update company passwords.
Even if it looked like no passwords had been accessed, without 100% confirmation, Tom needed to go through and manually change the information for every company account that had a password in Eleanor’s spreadsheet.
- Manually update all password-protected company accounts.
What departments will be affected by the password changes?
Accounts payable and receivable would need to be briefed on the changes to their banking passwords and credit card PINs. In fact, if any account used to make company purchases had been updated, nearly every department would need to reset its payment information. No one would be able to access the web-based project tracking program they used, because the main password change required everyone to reset their personal passwords as well. The marketing department had to be notified of changes to everything from their automation software to their Facebook account.
After a few individual emails, Tom decided to send a company-wide alert that every password had been changed, instructing those who would be affected to send him an email explaining who would need what, and what level of permissions they would need. If it could wait until Monday, please wait. He still hoped to at least save some of his weekend.
- Notify any team member who would need to have their passwords and permissions reset.
Tom then drafted an email for Eleanor.
Subject: Let’s make sure this doesn’t happen again
Eleanor, here are some suggestions going forward so this doesn’t have to be so painful:
- Secure your phone with a passcode PIN or fingerprint. Secure important documents wherever possible with strong passwords.
If you make it harder for someone to get into your device, you make it harder to access your sensitive information. At least it gives us more time to react. Generally, be sure to use best practices for strong passwords, ideally using passphrases.
- Enable a device recovery service.
Services provided by your wireless carrier or third party apps can help track your device should you lose it. They can also give you the ability to remotely lock or wipe the phone once you find it missing.
- Back up your data.
Ensure you’ve synced your contacts, photos, and other information so that you have copies of it should your device break or be lost.
- Keep your apps up to date.
Updates to apps can contain important security updates – don’t delay in approving them.
- Learn how to prevent it in the future.
Isn’t there a better way?
But Tom realized the whole incident brought to light a gap in their company’s approach to IT security. Not only did his company need better device management, it needed a better way of enabling employees to manage and protect their accounts. And the company needed a better process for making and communicating account changes when they were required.
Tom doesn’t have it in him to go through a ruined weekend every time someone loses a device or otherwise puts company passwords at risk. And why should he, when there are simple solutions that manage, monitor, and protect passwords across whole teams of people?
Tom knew there had to be a better way. He himself used a password manager called SplashID that enabled him to manage and secure his personal and business logins. What if, Tom thought, he could extend that capability to everyone in his company? Could he find a simple solution that enabled him to manage, monitor, and protect passwords across whole teams of people?
4 thoughts on “Tom’s Tales #1”
Hey Morgan, I like Tom’s Tales #1 as a nice way to present an all too common problem. I’m hoping that in #2 Tom will find his way to an innovative solution to his password control/update conundrum.
By the way, who is Jack?
Thanks, Mike! #2 is coming out soon! And good catch — Jack was a ghost from a prior draft!
I hope someone discusses a small startup where people come with different password protection products and methods. Unfortunately none of them interact thus requiring the departments to share in plain text all passwords and other information because it has to be the individual employee who updates the product (s)he is using on their device or computer.
Like Splash Data, these other products have the same ability to share between devices, encrypt with high security, etc., thus each employee says his/hers is the best or at least equal. The founder wishes everyone would use the same product, but can’t afford to have the entire company stop to have people re-input hundreds, if not thousands, of entries (plus with human error).
This is a great point. We’re starting to see this crop up among our clients, especially the larger ones. As a first step toward a solution, we need to work on a way to make it simpler for users to import into our solutions. Currently you have to import as a .vid, and it usually works fine, but you sometimes need to massage the fields to make all the data import properly.