When companies or organisations are victims of a cyber-attack, they often claim that it will take a significant amount of time (i.e., months) to investigate and assess the impact of the incident, what parts of their systems were accessed, the type and amount of data stolen by the attackers, etc.
As someone with no expertise in cybersecurity I have no idea if that argument makes sense or not. I suppose that larger companies with more complex IT structures will need more time to complete an assessment compared to smaller ones. But a technical investigation spanning months?
Part of the relevance of this question is that, often, the potential victims of a cyber-attack are not just the company or organisation that was breached but their employees, suppliers, customers, etc. The limited information, or lack of it, while the investigation is being conducted might leave them "out in the cold" for quite a long time.
So, I wanted to ask you. Thanks.
Is using 2FA in both my email account (although, if I'm not mistaken, 2FA doesn't work for POP3/IMAP accounts) and in, let's say, my bank account a reasonably secure option that addresses the apparent contradiction of using a public identifier (i.e. an email account) for something that should be kept private (part of the information required to access your money, tax information, etc.)?
Do you have email addresses/aliases that you use exclusively as usernames for critical/important online services and not for communicating? Are there "best practices" when it comes to separating the use of email as a communication tool and as personal identifier/username? How do you manage this?
Or, as I said at the beginning, am I overthinking this?