Security & Mobility Now
eroberts

Why Changing Your Password Isn’t Enough

by Juniper Employee 07-19-2012 02:08 PM - edited 07-19-2012 02:08 PM

Today another web security breach occurred as hackers announced they have compromised 50,000 accounts from ITWallStreet.com, a website for IT professionals looking for jobs or working with Wall Street firms. Those covering the story will fixate on how this breach occurred, what techniques the hacker used and what the end user should do to protect themselves. While that is all valuable, the bigger question is: Who should be held responsible for protecting our online information?

The problem is simple. Organizations have rushed to put websites up in order to improve the customer experience and create valuable online brands and businesses. With this convenience, consumers have willingly given up valuable personal information with the implicit understanding that the organization is going to keep that information private and secure. Unfortunately, online businesses often focus on building features and capabilities and typically leave data security as an afterthought.

As a result, the majority of websites have very little in the way of protection from hackers. Exacerbating the problem, there are few legal requirements for protecting a website – unless there is a credit card involved – which leaves companies with no strict obligation to protect your data.

As a result, hearing about breaches in the press is becoming the weekly norm.

So what happens when websites like LinkedIn and Yahoo are breached and our personal information is exposed?

It’s simple: we are told to change our password. But this new web security mantra requires consumers to fix the problem for the organization. This is a broken model.

Consider this: a business in your town is burglarized. As a precaution, because you are a customer of that business and in order to protect your information, the business TELLS YOU to change the locks on your home. In reality, numerous measures must be taken to ensure a more secure business environment, from improved locks and alarm systems to additional streetlights, increased security patrols and the establishment of a neighborhood watch.

So what is being done to clean up the web neighborhood and make stealing from an online business more difficult?

Changing our password cannot be the only hope for protection.

Today's breach from ITWallStreet is even more interesting and embarrassing. Personal information about people's lives, including confidential job searches, references and salary information, is exposed. Changing a password in this case will not fix the problem at all.

We are trusting these companies to look after our most sensitive information, and that requires a higher standard of security. If data is unprotected on most websites and organizations are rushing to make more data accessible on the Internet, it won't be long before hackers release lists of people with criminal records, health histories or detailed financial information.

This requires a major shift in the way the industry secures and protects these company sites and ultimately, people’s information. Or we could just keep changing our password?
