What You Can Learn From the LinkedIn Security Breach
This week LinkedIn suffered a massive and very public security breach, in part, experts say, because the company failed to use best practices for encrypting passwords. Is your business also vulnerable?
Verizon's 2012 data breach investigations report found that the number of incidents involving smaller businesses is continuing to rise. Yet a separate new study found nearly nine out of 10 small businesses do not believe hacking could happen to them, and are not implementing even the simplest of security measures.
The Hartford Small Business Data Protection Survey found that the lack of precaution small businesses are taking is despite the fact that nearly two-thirds (61 percent) think a data breach violates trust and could be potentially disastrous for relationships with customers, patients and employees. More than a third (38 percent) say they have a more negative opinion of companies that have recently experienced a breach, based on the companies' handling of the breach.
"Most of the business owners surveyed believe they are not at risk, when in fact smaller businesses are increasingly being targeted," said Lynn LaGram, assistant vice president of small commercial underwriting at The Hartford. "As cyber criminals set their sights on smaller firms, it is important for business owners to take proactive measures to protect data and minimize the likelihood of a breach."
The survey asked owners of businesses with fewer than 50 employees about their adoption of eight data protection "best practices" that help reduce risk of breach. Adoption rate of most of them hovered at less than half of businesses.
Small businesses were best at restricting employee access to sensitive data, with 79 percent saying they did that.
Other simple security practices, in order of how widespread they are among small firms, include:
Shred and securely dispose of customer, patient or employee data (53 percent)
Lock and secure sensitive customer, patient or employee data (48 percent)
Use password protection and data encryption (48 percent)
Use firewalls to control access and lock out hackers (48 percent)
Update systems and software on a regular basis (47 percent)
Ensure that remote access to their company's network is secure (41 percent)
The LinkedIn breach, which involved the theft of more than six million password hashes, touches on several of the practices above. Soberingly, experts have suggested that, based on analysis of the stolen information and the data posted on hacker forums, attackers could still be inside the site's network. This means that users who already changed their passwords may have to do so again.
One lesson you can take from that incident: the experts said LinkedIn used a very basic technique called hashing to scramble the passwords. Hashing, which converts each password into a long, fixed-length string of characters, is applied by the same formula to every account. Used on its own, it lets data thieves recover passwords quickly in bulk: once they have worked out which formula was used, each password they guess can be checked against every stolen hash at once.
What LinkedIn should have done (and is now doing, it says) is make passwords much harder to unscramble by using a technique known as "salting" on top of the hashing. Salting adds extra arbitrary data to each password before it is hashed, so that two users with the same password end up with different hashes and every guess has to be reworked for every account, which makes life much tougher for password crackers.
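The difference the article describes, shown as an added example that is not from the article or from LinkedIn: the same password hashed for two users collides without a salt and does not with a per-user random salt. SHA-256 is assumed as the hash function (the article does not name the one LinkedIn used), and the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "Summer2012", "bob": "Summer2012"}


def unsalted_hash(password: str) -> str:
    # Every account goes through the same formula, so equal passwords
    # produce equal hashes and one cracked hash exposes every account
    # that shares the password. (SHA-256 is an assumption, see lead-in.)
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    # A fresh random salt per account is stored next to the hash in the
    # clear; it is not secret, it only forces each guess to be rehashed
    # separately for every account.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, record: Tuple[str, str]) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt_hex, stored = record
    _, candidate = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],  # True
        "salted_collide": salted["alice"][1] == salted["bob"][1],  # False
        "alice_verifies": verify_salted("Summer2012", salted["alice"]),
        "wrong_rejected": verify_salted("Winter2012", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Salting alone does not slow a cracker down on any single account; in practice a deliberately slow, salted function such as bcrypt or PBKDF2 is used for that.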
“What [LinkedIn] did is considered to be poor practice,” Mary Landesman, security researcher with Cloudmark, a company that helps secure messaging systems, told Reuters.
How does your business measure up when it comes to adopting best practices? If you have suffered a security breach, how have you handled telling customers?