Major Password Breach: Lessons Learned
Shrinking Separation Between Work, Personal IT Security
Ronald Raether
The theft of 2 million credentials reminds security professionals that their organizations are at risk because many employees use the same passwords and devices for personal and business purposes, data security lawyer Ronald Raether says.

"There is this shrinking of the separation between what I do personally and what I do for my firm," Raether says.

Hackers pilfered some 2 million user passwords and credentials for Facebook, Google, Twitter, LinkedIn and other social media and Internet sites, according to IT security provider Trustwave (see 2 Million Passwords Reportedly Stolen).

Organizations should no longer differentiate between work and personal environments when developing security processes for the enterprise. "What this blurring of the line between private time and company time [means is] we have to shed those legacy cultural thought patterns that there is a distinction between personal life and professional life in terms of security rules," Raether says in an interview with Information Security Media Group.

Many organizations have done a good job making employees aware of the need to create a complex password to access sensitive corporate files, but it's common for workers to use that same password to access their social media accounts, Raether says.

"A compromise of a password in their personal account could create security concerns if that password is reused to access company devices, company sites," he says.

In the interview, Raether explains why:

  • The consumerization of the workplace requires security professionals to take a more holistic view of IT security;
  • Enterprises should conduct risk assessments that take into account the role social media plays in the personal and professional lives of employees; and
  • Management, in certain instances, should be careful in limiting employee use of social networks, such as LinkedIn.

Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes and federal and state privacy statutes.
