This week, there was a lot of buzz over the news that simply by typing a certain address into the Google Chrome browser, a user could see all their stored passwords. Here's a review of the story in Wired Magazine, "Why Everyone Is Pissed Off About Google Chrome's Sound Security," along with a look at how the security flaw could expose IT professionals and business owners to expensive liability cases.
After typing "chrome://settings/passwords" into their browsers, users will see a list of all the sites for which they have saved a password. That's not so surprising, but what happens next is.
Each website is listed with a masked password, which you can't read. But click on the password and you'll be given the option to "show" it. Simply click "show" and, voila, any password you've saved in your Chrome browser can be revealed.
Google has defended its security protocol, saying that this sort of security issue is inherent in all saved password functions in browsers. So far, the company has given no indication that it will fix the security issue.
But what does this mean for IT consultants and advisors?
IT Consultants Are Responsible for Educating their Clients
News like this demonstrates how the world of cyber security is always changing. Even trusted companies like Google will surprise their users with security flaws in their most common products. As an IT professional, you know you need to be aware of developing risks that your business and your clients may face, but it's equally important that you explain these things to your clients.
The second, and perhaps more astonishing, aspect of this story is that Google basically shrugged off these security concerns. And perhaps Google is right. In its view, even if the issue were fixed by password-protecting your browser passwords (or adding another security layer), the user would still be storing password information in the browser (or on the computer) and would thus be exposed to the same sort of risk. Google seems to be suggesting that this is just the reality of cyber security.
IT Consultants: What to Tell Your Clients
The fact that Google is leaving it up to its users to take care of their own security measures is an important reminder for IT consultants to teach their clients how to protect their networks. Here are some points to reinforce with your clients:
- Have unique passwords. As the Chrome security scare reveals, people will find ways to access your passwords. Even if a user doesn't save their bank account password in their browser, if they use the same password for another website, a hacker may be able to figure it out. Having strong, unique passwords is a good basic level of cyber security.
- Use screen locks when away from a computer. One simple layer of security a client can add to their network is to use screen locks. This is especially important for clients who may have third parties walking in and out of their office space.
- Communicate with your clients about new security developments. If you read about a security flaw in a popular application, it may be a good idea to talk about it with your clients. You certainly don't want to besiege your clients with worries and hassle, but as an IT consultant or adviser, you can be liable for not informing them of a security issue.
Even if software you installed on their computer isn't the source of the security breach, you could still be liable. Remember that judges and juries decide cyber liability in a lawsuit, and they may not understand the finer points of the IT work that you do. Communicating with your clients via email newsletter can be a smart way to keep them updated on new threats to their cyber security.