Passwords tend to get an awful lot of bad press. We can barely go a week without seeing yet another security breach involving compromised login details, and so often the source is a simple case of bad password behaviour, writes IS Decisions, a network security product company that makes the UserLock product.
Last year saw more than 300,000 internal security breaches in the UK alone, according to IS Decisions’s Insider Threat Manifesto, showing that the many breaches we hear about in the media are merely the tip of the iceberg. So it’s easy to see why organisations and users are losing faith. Passwords have been around for more than fifty years — and even the inventor has admitted that they’re becoming a nightmare. Today, each individual user needs to remember a plethora of random letters (uppercase and lowercase), numbers and special characters to prove an identity.
The experts tell us not to pick obvious ones, not to pick short ones, and for heaven’s sake not to use your own name. The best passwords aren’t words at all, but almost a cryptographic message that even Alan Turing would struggle to crack. The harder a password is for people to guess, the better. And there lies the problem with passwords — people. Today’s passwords need to be so complex that people find dangerous ways to remember them, like writing them down, emailing them to themselves and others, and using the same one for multiple sites.
In fact, according to the report, nearly a fifth of employees have shared their password with a colleague — which is a data breach in itself. Users are clearly unaware of the potentially dangerous consequences of giving access information to others, even if they are trustworthy colleagues. An equally worrying statistic in the report is that more than a third of IT decision makers believe that none of their employees have shared their passwords. A mixture of employees sharing passwords and IT professionals who are oblivious to it adds up to serious potential damage.
The problem is here to stay
John Giordiano, IT manager at The Scenic Route, states in IS Decisions’s Insider Threat Peer Report that there’s a difference in attitudes towards general internal security according to age. He said: “…older users tend to disregard security measures because they don’t fully understand and younger people tend to disregard them because it slows them down.” One conclusion you can draw from that is that internal security threats are not going to go away even as we begin to see more tech-savvy employees in business.
The biometric challenge
While the news and stats look grim, it doesn’t mean passwords have had their day. Biometrics is one system that the IT world regularly discusses as an alternative. It may sound like a great option, since it relies on what you are rather than what you can remember, and you can’t forget a fingerprint. But it’s a costly and disruptive digital solution to what is essentially a social problem. No single security measure is 100% effective — and biometrics is by no means foolproof. It is possible to spoof fingerprint and eyeball scanners. So once a malicious intruder gets their hands on biometric data, how can companies protect against attacks? Users will almost certainly be far more reluctant to change their fingers and eyeballs than their passwords.
Until biometrics has been proven as an effective security measure in an enterprise environment, large organisations will be reluctant to adopt it. Unproven security measures tend to grow very slowly until vendors iron out problems and prove that their solutions work with a selection of viable case studies. No security-conscious company wants to be a guinea pig when it comes to security.
What can companies do?
One way to strengthen verification is to use a combination of factors, making it harder for unauthorised personnel to gain entry. But that does not mean that breaches won’t happen at all. Two-factor schemes are only as secure as their weakest component. Using a combination of a weak password and a vulnerable second layer of defence can actually be weaker than using one strong factor of authentication. A simpler and more cost-effective solution is a change in attitude towards passwords. Better user behaviour has immediate benefits for all authentication methods involving user credentials and can mean we don’t need to rush to invest vast amounts of money in unproven alternatives. That’s where training and user education come in.
While security policy comes from the IT department, its lessons will need to be learned by the whole company. The IT department needs to speak to employees in their own language about the risks of bad password practice and — more importantly — ensure that users actually put into practice what they learn.
How does the IT department ensure that users follow the rules? Companies still need a way to ensure that they can detect malpractice and respond quickly before a breach becomes a real problem. This is where technology can help. With real-time monitoring, risk indicators, policy rules and a complete view of network activity, it’s possible to:
• Detect suspicious access, and alert users and administrators automatically to anomalies
• Manage and secure mobile users, whether they’re on laptops, tablets or smartphones
• Restrict and monitor access to sensitive files so employees can only access the files and systems they need
• Restrict concurrent logins, eliminating the possible windows in which unauthorised users can access sensitive information
• Ensure that admins don’t abuse their access privileges and that they adhere to regulations
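As an added illustration of the concurrent-login restriction and the automatic anomaly alert described in the list above (example code written for this article, not IS Decisions’s or UserLock’s own logic), the script below replays a constructed stream of logon and logoff events and flags any account that opens a second session from a different host while its first session is still active, which is exactly the pattern a shared password produces. All usernames, hosts and times are made up.

```python
"""Flag concurrent logons by one account from different hosts.

Policy: each user may hold at most `max_sessions` active sessions on
distinct hosts. A logon that would exceed that limit raises an alert,
and in enforce mode is treated as denied (the session is not opened).
"""
from dataclasses import dataclass

# Constructed sample event stream: (time, event, user, host)
EVENTS = [
    ("09:00", "logon",  "alice", "WS-01"),
    ("09:05", "logon",  "bob",   "WS-02"),
    ("09:10", "logon",  "alice", "WS-07"),     # alice is still active on WS-01
    ("09:20", "logoff", "alice", "WS-01"),
    ("09:25", "logon",  "bob",   "WS-02"),     # same host: a reconnect, not a new session
    ("09:30", "logoff", "bob",   "WS-02"),
    ("09:40", "logon",  "carol", "WS-03"),
    ("09:45", "logon",  "carol", "LAPTOP-9"),  # carol is still active on WS-03
]


@dataclass(frozen=True)
class Alert:
    time: str
    user: str
    new_host: str
    existing_hosts: tuple  # hosts where the account already had an open session


def check_concurrent_logons(events, max_sessions=1, enforce=False):
    """Replay events in order and return alerts for logons that exceed the policy."""
    active = {}   # user -> set of hosts with an open session
    alerts = []
    for time, event, user, host in events:
        hosts = active.setdefault(user, set())
        if event == "logoff":
            hosts.discard(host)
            continue
        if host not in hosts and len(hosts) >= max_sessions:
            alerts.append(Alert(time, user, host, tuple(sorted(hosts))))
            if enforce:
                continue  # logon denied: do not record a session on the new host
        hosts.add(host)   # monitor-only mode: alert, but the session is still opened
    return alerts


if __name__ == "__main__":
    for a in check_concurrent_logons(EVENTS):
        print(f"{a.time} {a.user}: logon from {a.new_host} while active on "
              f"{', '.join(a.existing_hosts)}")
```

Running the replay alone only reports; with `enforce=True` the same alerts are raised but the excess session is never recorded as open, which is the difference between monitoring a shared password and actually closing the window it creates.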
There’s no ‘one way’ to protect company systems and data. But with each layer of protection that training and technology gives, companies make it harder for breaches to occur and are quicker to respond to those that do. A technology solution like UserLock is one such layer of security that gives companies a way to strengthen the use of the password and manage employees’ access to the network. The good news is that this technology is here today, it’s cost effective, and it does the job.