
Password security isn’t truly ‘free’

by Mark Rowe

What do passwords cost your business? writes Dana Epp, principal architect, security, identity and access management, at Kaseya, an IT systems management and network management software firm.

Today’s cyber security landscape is becoming increasingly treacherous. Attackers are highly sophisticated and well-organised, and they relentlessly probe weaknesses in network and application security in order to gain access. One of the foremost ways of attempting to ensure data security is through the use of passwords – but even this method is no longer effective. Passwords can be shared, stolen or easily guessed, and can be difficult to manage, which makes them a weak form of identity management.

Many businesses may be drawn towards passwords as they, in theory, offer a ‘cost-free’ means of protecting data. After all, a company is not in business to be secure; it is in business to be profitable. However, when considering any security technology to help mitigate risks in a business, it’s important to look beyond the acquisition costs of the safeguards and consider the ongoing expenses associated with deploying and managing the system.

One of the biggest advantages of traditional passwords is that they are typically provided ‘free’ within operating systems and business applications. They don’t require any extra hardware or software to be used by the end user, and therefore appear to be more cost effective than stronger authentication systems. However, the acquisition price is only part of the story, and in order to determine the real cost of ownership, expenditure in relation to deployment and management must also be considered.

The deployment of passwords involves the creation of user accounts across different systems. Depending on the sensitivity of the information on the system or application being used, this may be as simple as adding a user, or as complex as requiring a full policy management process to be followed. For example, although it may be quick enough to add a user to an Active Directory system, that same user may also need to be added to the CRM system and have rights assigned to the company intranet.

However, the most considerable expense is the ongoing cost to administer and manage the systems. There are two expense categories that need to be considered during this process – first, the lost productivity that occurs if a user is unable to perform their job due to an authentication problem, and second, the resources consumed when resolving the problem and implementing the solution.

Basic business principles dictate that, to be a good investment, employees must return value in excess of their cost. Downtime due to password problems can result in lost wages, as well as lost productivity – which can double the expense. When the IT team is external to the organisation, the costs can be even higher, particularly if services are needed after hours.

Over a year, a user has many opportunities to forget their password: after holidays or sick leave they may forget their credentials, or the credentials may expire. If these situations are compounded by strict password policies that force frequent changes, forgotten passwords become almost inevitable, with a huge impact on productivity and therefore costs.

Strong authentication systems may require a larger outlay upfront than traditional passwords, but also significantly reduce the threat caused by weak password security. Each time a user logs onto a system or application that uses strong authentication, they can use their authentication token, in combination with their PIN, to generate the passcode as it’s needed.

In areas where passwords cannot be completely replaced with strong authentication passcodes, the management costs can still be reduced by allowing password complexity policies to be relaxed for the traditional password, and augmented with passcodes available in the strong authentication system. Businesses can therefore leverage their existing infrastructure while still adding stronger authentication where appropriate – ultimately reducing management costs and increasing the effectiveness of technical safeguards used. Clearly, password security isn’t truly ‘free’ and strong authentication may actually provide better value for money in the long run.


© 2024 Professional Security Magazine. All rights reserved.
