Under Armour’s “Armor Gets Penetrated”
Have you read the news? According to Reuters, Under Armour Inc., headquartered in Baltimore, Maryland, recently suffered a breach of the private information for their 150 million MyFitnessPal app users.
This is the largest breach this year according to experts. It included account usernames, email addresses, and passwords. Lucky for them, Social Security numbers, driver license numbers, and payment card data weren’t stolen like they usually are in data breaches of this kind.
Once again we learn that keeping up to date on cybersecurity, changing passwords often, and using an IT support provider to implement a layered approach to security is essential if you want your business to stay safe in today’s digital world.
Perhaps, if Under Armour had used these services, they could have prevented this breach. Now, their reputation has been ruined.
Would you trust your private data to them?
With so many data breaches today, they should have known better and considered the privacy of their customers. How can they salvage their creditability now?
As a business technology professional, I know that data protection costs much less than what I’d face from a breach – legal liability, fines, and lost customers.
With the rising number of cyber thefts, numerous lawsuits have been filed against businesses like Under Armour. In the last few years, data breaches have become so prevalent that it’s almost commonplace to hear that a company has been breached.
Learning that all their personal information is in the hands of thieves causes a significant change in the behavior of customers. One studyfound that consumers who learned of a data breach at their favorite retail store significantly cut back on their purchases.
With over 1,500 data breaches in 2017, consumers responded in this way:
- 84 percent said they might not consider doing business with a retailer who had experienced a data breach.
- 57 percent of holiday shoppers felt that identity theft and data breaches would be a significant threat during the holiday season.
- Four in 10 consumers said they believed businesses aren’t doing the best they can to protect them.
- 38 percent said they weren’t sure all companies were doing everything possible to stop data breaches.
I know that my business has the best cybersecurity and IT management that money can buy. I take full responsibility for this and all my customers’ private data.
After what I’ve learned, this is what I would tell the CEO of Under Armour, and others to do from now on:
Protecting your security isn’t only a job for your IT support provider but one for you as a CEO as well. You must understand that any interruption in your information systems can hinder your operations, negatively impact your reputation, and compromise your customers’ private data.
Many CEOs don’t fully understand this. They spend their energy developing new products and services and managing current ones. Security comes in second. Maybe they’re unaware of the risks or feel that it’s solely an IT concern. Some may not be very technical and fear to discuss what could be an intimidating topic, but this isn’t wise.
The Department of Homeland Security recommends five questions that CEOs should ask themselves to lower the risk of cyber attacks:
1) What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
2) How is our executive leadership informed about the current level and business impact of cyber risks to our company?
3) How does our cybersecurity program apply industry standards and best practices?
4) How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
5) How comprehensive is our cyber-incident response plan? How often is the plan tested?
We also need to train our employees on cybersecurity practices like recognizing phishing attacks and using secure passwords. The folks at OneSource handle this for us. Here are some of the topics they cover:
Lesson 1: Ignore Ransomware-Threat Popups and Don’t Fall for Phishing Attacks.
These threats look like they’re from an official entity like the IRS or FBI. If a screen pops up that says you’ll be fined if you don’t follow their instructions, beware! If you do, the criminal will encrypt all your data and prevent you and your employees from accessing it.
Watch out for messages that:
- Try to solicit your curiosity or trust.
- Contain a link that you must “check out now”.
- Contain a downloadable file like a photo, music, document or pdf file.
Don’t believe messages that contain an urgent call to action:
- With an immediate need to address a problem that requires you to verify information.
- Urgently asks for your help.
- Asks you to donate to a charitable cause.
- Indicates you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.
Be on the lookout for messages that:
- Respond to a question you never asked.
- Create distrust.
- Try to start a conflict.
Watch for flags like:
Lesson 2: Always Use Secure Passwords.
- Never use words found in the dictionary or your family names.
- Never reuse passwords across your various accounts.
- Never write down your passwords.
- Consider using a Password Manager (e.g., LastPass or 1Password)
- Use password complexity (e.g., P@ssword1).
- Create a unique password for work.
- Change passwords at least quarterly.
- Use passwords with 9+ characters.
- A criminal can crack a 5-character password in 16 minutes.
- It takes 5 hours to crack a 6-character password.
- 3 days for a 7-character one
- 4 months for 8 characters
- 26 years for 9 characters
- centuries for 10+ characters
- Turn on Two-Factor Authentication if it’s available.
Lesson 3: Keep Your Passwords Secure
- Don’t email them.
- Don’t include a password in a non-encrypted stored document.
- Don’t tell anyone your password.
- Don’t speak your password over the phone.
- Don’t hint at the format of your password.
- Don’t use “Remember Password” feature of application programs such as Internet Explorer, Portfolio Center or others.
- Don’t use your corporate or network password on an account over the Internet that doesn’t have a secure login where the web browser address starts with http:// instead of https:// If the web address begins with https:// your computer is talking to the website in a secure code that no one can eavesdrop on. There should be a small lock next to the address. If not, don’t type in your password.
Lesson 4: Backup Your Data Onsite/Remotely and Securely
- Maintain at least three copies of everything.
- Store all data on at least two types of media (one offsite in a secure enterprise cloud solution).
- Keep a copy of your data in an alternate location.
If you haven’t backed up your data, and you’re attacked, it’s gone forever.
Lesson 5: Secure Open Wi-Fi with a VPN.
- Don’t go to sites that require your personal information like your username or password.
- Use VPN whenever possible. Limit your access to using sites with: https://
- Don’t connect if all the Wi-Fi networks you have ever accessed appear as “Available”.
We have our tech support professionals train our employees a few times a year because the threats keep changing. Plus, we have them conduct Vulnerability Assessments to make sure our cybersecurity “armor” stays strong and intact.
Don’t risk your data. Keep your data secure and your employees educated. I recommend that if you’re in an area they serve, that you should contact us immediately.