Until Media Cares About Its Security, Hackers Will Still Steal Passwords

In security and war, you’re only as strong as your weakest link. And in the media industry, we’ve got quite a few weak links.

It should be entirely self-evident by now; over the past year, we’ve seen hacks on some of the biggest media outlets in the world, from the New York Times to the Guardian. And apparently, it’s all our fault.

“In media, security is not a priority,” Tom Cochran, chief technology officer for Atlantic Media, said during a session at the South By Southwest conference in Austin, Texas, this week. It’s something of an afterthought, with employees using duplicate passwords across their various accounts. Or, worse, we’ll use stupidly easy passwords to guess, like “12345” or “password.” (Yes, people actually still do this.)

In a test of his organization’s bad security habits, Cochran sent out an email containing a link that asked employees for their passwords, a popular hacker “phishing” technique. A staggering 30 percent of the people in the company clicked on the link inside the email.

That’s the point at which the Syrian Electronic Army usually comes in and makes its mark. For the past year, the anonymous hacker collective has made a habit of phishing for passwords from media organizations, then breaking into the official Twitter or Facebook accounts and spreading pro-Bashar al-Assad messages while decrying protest groups (as well as U.S. President Barack Obama).

One hack on the Associated Press briefly sent the Dow Jones Industrial Average plummeting about 130 points, after a false tweet claimed Obama had been injured in an attack on the White House.

The takeaway for Cochran here is important: Hackers like the SEA will always be out there, ready to mess with consumers for fun (or “the lulz,” as it were). It’s up to users to keep themselves safe by practicing good password hygiene (by using multiple passwords across accounts) and never clicking on suspect links and giving up their information willy-nilly.

It’s also, in part, up to the organization to update its security practices company-wide. Per Cochran, the Atlantic Media company now mandates two-factor authentication — an extra layer of security — across all of its services.

And after Forbes Magazine was hacked just a few weeks ago, staff writer Parmy Olson said the keys to the various social media accounts for the company were taken away from some of the people who had them across the brand (when I worked for Forbes years ago, even I had the keys to the Twitter account). Forbes, too, implemented two-factor authentication.

Good advice, and in this day in age, I’d call it table stakes. But good luck getting thousands of employees in large media orgs — some of whom are more tech-savvy than others — to get with the program, especially when it’s far more convenient to use one simple, easily memorized password.

In other words, don’t expect the lulz to end any time soon.

This article originally appeared on Recode.net.