Basic Data Security, Passwords, and Entropy

An interesting chart is working its way around the internet showing that the number of serious data breaches in the US has soared from around 400 in 2007 to over 1,300 in 2017. The chart itself isn’t what’s interesting, because (a) the number of breaches is always rising and (b) a good half, or more, of breaches are unreported anyway. No, what’s interesting is that this chart should be newsworthy at all – to me, it is definitely a “dog bites man” kind of story. It makes perfect sense there are more breaches now than ever because there are more users, more devices, and more cybercriminals than ever. In ten years, there’ll be even more of all three.

If nothing else, the chart makes clear that everyone needs at least a basic level of understanding when it comes to data security. To put it another way, if you don’t have at least a basic level of cybersecurity awareness, you’re inviting a breach, and inviting a lawsuit.

There are plenty of guidelines to follow that can help you check off the easy parts of a data security plan – GDPR compliance comes later, because you have to walk before you can run. For now, the two immediate steps to consider are better passwords and access limitation.

Passwords

No one wants to come up with another 12-character password, and no one wants to do IT’s obligatory 90-day password change, but the reality is that passwords still make a difference. A large share of data breaches involve, and often begin with, a weak or reused password that an attacker was able to guess or exploit.

Good passwords cannot prevent every breach, but they do provide an important barrier to entry. If brute-forcing a password takes hours or days rather than seconds, an attacker will often move on to an easier target. And even if they persist, the volume of failed attempts it takes to get in is exactly the kind of signal that should trip a red flag in your security monitoring. One caveat: that only holds when the guessing happens online, against your live login page; an attacker who has already stolen a database of password hashes can guess offline, as fast as their hardware allows and with nothing of yours watching, which is why a strong password and a slow hashing algorithm on your side both matter.

There are a number of ways to improve passwords, including a cottage industry of “how strong is my password” websites (if you try one, do not type in a password you actually rely on). Rather than dive into them here, remember that the important word is entropy: roughly, how many guesses an attacker would have to make to land on your password. The more entropy, the harder the password is to crack. Length adds entropy faster than clever substitutions do, and a password that appears on a leaked-password list has almost none, however long or complex it looks. We’re going to do an entire article and an entire podcast on passwords, but for now, remember that if strong password policies are an annoyance, they’re a necessary one. Put another way, if your password is 1-2-3-4-5, you’ve got some work to do.
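As an added worked example (not code from the original post), the following Python computes the naive entropy of a password from its character pool and length, deflates that figure when the password is on a known list, and turns the result into expected brute-force times for a few attacker models. The guess rates and the short common-password list are constructed assumptions for illustration only; the 7776-word figure is the size of the classic Diceware list.

```python
"""Password entropy and brute-force time estimates (illustrative, not a password checker).

Added example. The guess rates and the common-password list below are
constructed assumptions for illustration, not measured figures.
"""
import math
import string

# Rough, order-of-magnitude guess rates in guesses per second (assumptions).
GUESS_RATES = {
    "online guessing against a rate-limited login": 1e2,
    "offline against a slow hash (e.g. bcrypt)": 1e5,
    "offline against a fast hash (e.g. unsalted MD5) on GPUs": 1e11,
}

# A tiny stand-in for the leaked-password lists attackers actually try first (constructed).
COMMON_PASSWORDS = {"123456", "12345", "password", "p@ssw0rd", "qwerty", "letmein"}


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def naive_entropy_bits(password: str) -> float:
    """Upper bound: log2(pool ** length), i.e. every character chosen uniformly at random.

    Real passwords are far from uniform, so this overstates the strength of
    anything built from words, dates or keyboard patterns.
    """
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def effective_entropy_bits(password: str) -> float:
    """Deflate the naive figure when the password is on a known list.

    An attacker tries the list before any brute force, so the effective
    keyspace is the size of the list, not pool ** length.
    """
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return naive_entropy_bits(password)


def passphrase_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly at random from a wordlist
    (7776 is the size of the classic Diceware list)."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the keyspace is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(password: str) -> dict:
    """Naive vs effective entropy, plus a crack-time estimate per attacker model."""
    eff = effective_entropy_bits(password)
    return {
        "password": password,
        "naive_bits": round(naive_entropy_bits(password), 1),
        "effective_bits": round(eff, 1),
        "crack_time": {name: humanize(expected_crack_seconds(eff, rate))
                       for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    for pw in ("12345", "P@ssw0rd", "Tr0ub4dor&3"):
        r = report(pw)
        print(f"{r['password']!r}: naive {r['naive_bits']} bits, effective {r['effective_bits']} bits")
        for attacker, t in r["crack_time"].items():
            print(f"    {attacker}: {t}")
    bits = passphrase_entropy_bits(6)
    fast = GUESS_RATES["offline against a fast hash (e.g. unsalted MD5) on GPUs"]
    print(f"6-word Diceware passphrase: {bits:.1f} bits, "
          f"{humanize(expected_crack_seconds(bits, fast))} even against the fast-hash attacker")
```

The point the numbers make: “12345” and “P@ssw0rd” have very different naive figures, but both collapse to the size of the list an attacker tries first, while a six-word random passphrase holds up even against the fast-hash model. Only the effective column reflects reality, and it is only as good as the list you compare against.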

Access Limitation

I remember working with a client on a non-data security issue once, and I asked to be sent some extremely sensitive materials relating to the company’s intellectual property. The documents were tied to a proprietary algorithm, and so they were effectively the client’s crown jewels. When the materials came to me, the email wasn’t encrypted (which wasn’t a great idea), but more troubling was that they had been sent by an account I did not recognize. Apparently, my client contact had asked an intern, who had been walking by his office, to get the materials and send them to me. When the intern said he couldn’t access the files, my client contact provided his own login and password to the intern, who then sent them to me.

So, uh . . . that’s pretty bad. Even if you’re not a lawyer, the paragraph above should read like a law school exam, where you get a storyline and have to identify all the problems, and where anything that can go wrong, does. The unencrypted email wasn’t great, but the bigger problem was that someone who had not been vetted was given access to sensitive materials without any consideration for security, and was given it by way of a shared login, so the system’s own records would show my client contact, not the intern, retrieving and sending the files. Controlling who can access data, in what way, and for which purpose, and being able to tell afterwards who actually did, is an essential component of data security. That is what access limitation means.

The scenario I set out is all too common. We trade convenience for security, and allow unfettered access to crucial materials because it might save a little time. For my client contact, the situation was even worse, because his CTO had implemented access controls to prevent unauthorized access to sensitive data. Not only did that mean he had to go through a full-day cybersecurity training (the corporate equivalent of a Breakfast Club-style detention), it meant that, had the intern stolen the data, he may very well have been personally liable for any damages.

Strong passwords and access limitation aren’t a guarantee of a hack-free existence. But they’re at least a step in the right direction. Take ten minutes to think carefully about whether you’re comfortable with your password policy and who can access your materials. If you’re still comfortable after reflecting on it, call your IT chief and your lawyer, who are never comfortable about anything. Once you’ve heard from them, develop a plan to implement safeguards that will keep your company from being another data security statistic.
