Published Thursday, June 07, 2012 3:49 PM by Jason Clark

Yesterday's news that more than 6.4 million LinkedIn passwords have been breached has many IT professionals on high alert. CSOs are asking me how/if they should communicate this news to company employees and the need to immediately change passwords. The answer is a resounding yes.

Employee communication recommendation & email template

I highly recommend cyber security teams send out an employee alert explaining why LinkedIn passwords need to be changed and best practices for doing so. Sure, you may not have direct IT control over individual LinkedIn accounts, but your communication may alleviate social engineering attacks on employees and your network. In addition, providing security guidance to your employees can only help your employee education efforts. This is an opportunity to provide your security expertise and increase internal awareness about the importance of cyber security. It can go something like this: 

“Today it was reported that more than 6.4 million LinkedIn passwords have been hacked. It’s highly recommended that all [insert company name here] employees and contractors change their LinkedIn password immediately. Taking this action will help prevent cybercriminals from breaking into your account, stealing your personal information, contacting your LinkedIn contacts, and potentially damaging your online reputation.

Below are a 6 password tips:

1. Change your password regularly.
2. Make your password longer than six characters and complex. For example, use a combination of numbers, letters, upper/lower case letters, and punctuation marks.
3. Create a new password for each website, especially for banking and social media sites that contain personal information. Do not use the same password for multiple websites.
4. Avoid using obvious passwords. For example, your address, birthday, “password,” or 12345.
5. Never save your passwords in a file. If you need to store them, use a secure vault application to manage them, such as lastpass, etc.
6. Don’t use your email as your user ID unless that’s the only option.

If your password at work is similar to your LinkedIn password, please change that as well. It could potentially affect the security of our organization. For more password tips, we recommend reading this InfoSec article.

If you have any questions or concerns, please send the [insert company name here] cyber security team an email [insert email].

Thank you for your time.”

There’s also a larger data loss prevention issue that needs to be addressed in light of this possible LinkedIn breach. Stay tuned. I’ll cover how cyber security teams can tighten security on their network in my next blog post.

Have you shared the LinkedIn news with your company? Or have a question for me? Feel free to leave a comment below.