#NCSAM Tip: Don’t Wait for a Business to Tell You That Your Password Was Stolen

National Cybersecurity Awareness Month is a great time to do a cyber self-check and make sure you’re doing what you need to do to protect yourself online. One of the most basic precautions is to use strong, unique passwords for every device, account, and app. That prevents cybercriminals from guessing your password.

But that’s not enough, because sometimes, they don’t have to guess. If your login credentials are stolen in a data breach and put up for sale on the Dark Web, it won’t matter if your password is 20 random characters. It’s out there for anyone to grab, and you need to change it as soon as you find out about the breach.

But what happens if you don’t find out for weeks, months, perhaps even years?

Companies may take their time notifying data breach victims

In the European Union, GDPR requires that organizations notify data protection authorities and victims within 72 hours of detecting a breach. Consumers in the U.S. and other countries that lack national data breach notification legislation are at the mercy of the breached organization, and it isn’t unusual for organizations to wait inordinate amounts of time to notify data breach victims.

Late last month, restaurant delivery service DoorDash disclosed a data breach impacting nearly five million customers, delivery drivers, and merchants — which they’d known about for almost a month. Marriott Starwood waited nearly three months to notify nearly 500 million customers about its reservations system breach, and Uber took over a year to disclose that 57 million consumers had been compromised.

Companies can’t notify victims about breaches they haven’t detected

Even if an organization is diligent about promptly notifying victims after a breach, an attack may go on for some time before a company even realizes what’s happening. On average, it takes organizations a whopping 101 days to discover they’ve been breached. It’s not unusual for breach discovery to take longer, sometimes a lot longer. It took DoorDash four months to figure out their systems were under attack. If that sounds bad, consider Marriott Starwood, whose reservations system was compromised for nearly four years before detection.

One of the reasons it takes so long for companies to realize they’re under attack is that cybercriminals are launching more sophisticated attacks that can slip past firewalls and other security measures. Eighty-two percent of companies in Ponemon’s 2018 State of Cybersecurity for Small and Medium-Sized Businesses study reported having experienced cyberattacks in the past year that evaded their anti-virus software, and 72% were victimized by attacks that got past their intrusion detection systems. Additionally, nearly three-quarters of respondents admitted that the time it takes them to respond to a cyberattack had either stayed the same or increased over the last year.

Don’t depend on businesses to tell you that your password was stolen

With data breaches becoming more frequent, and organizations slow to detect and respond to them (let alone notify victims), consumers need to take matters into their own hands by signing up for a Dark Web monitoring service such as Keeper’s BreachWatch. BreachWatch monitors the Dark Web for stolen login credentials and notifies you in real time if one of your passwords has been compromised. BreachWatch doesn’t depend on public notifications; it monitors what’s being put up for sale on cybercriminal marketplaces, so you’ll find out right away if you need to change one of your passwords.