Expert questions why people continue to put password security at risk

Expert questions why people continue to put password security at risk

LogMeIn’s CIO, Ian Pitt, challenges people’s approaches when it comes to personal security.

Cyberattacks are increasing at an alarming rate with well-known organisations such as Equifax, British Airways and Under Armour demonstrating that no organisation is immune. The Breach Level Index estimates that more than 5 million records are breached daily. Passwords are continuing to play a major role in breaches: 81% of data breaches involved weak, reused or stolen credentials in 2017 – up from 63% in 2016. With all this in mind, we could be forgiven for assuming that increased awareness of the growing threat landscape would positively impact password behaviour and encourage businesses to tighten security practices. However, recent research into the psychology of passwords within enterprises found that individuals display some pretty contradictory behaviour around password creation and management.

So when it comes to enterprise security, how can CIOs ensure that security conscious thinking actually translates into action?

Invest in technology

Employees are more likely to do what’s most convenient than something that’s more secure. Usually, what’s more secure disrupts workflow so there’s immense value in implementing technology that makes their lives easier, while keeping the company secure.

There are a number of different tools on the market that aim to improve enterprise security, so it’s important to have a clear understanding of what each solution does and pick the tools that are right for your company and employee base. For example, if you’re a start-up of five in the food and drink industry, you’re unlikely to need the same levels of security as larger corporations that handle sensitive information, like hospitals or banks.

However, there are certain pieces of technology that companies of all size, across all industries, should consider adopting. These include anti-virus software, endpoint management software and an enterprise password management solution. Roles and permissions should also be turned on, so that employees only have access to information they need to carry out their job. After all, it’s hardly secure if the intern can access the financial details of staff members.

By investing in the right technology not only do companies reduce their chances of being attacked, but productivity is improved, money is saved and the chances of insider attacks are reduced.

Implement a security policy

However, a business that relies exclusively on technology to mitigate threats will be doomed to failure as the best technological defences can easily be unwound by a social engineering attack. For example, the recent GDPR events provide a wealth of opportunities to harvest personal identities by a cybecrime gang presenting themselves as the upholders of the law and offering ‘let us protect your privacy, just send us your information’ to individuals. So, it’s important that a core feature of any security policy is training employees to be both the first and last lines of defence.

Password management should be one of the top priorities in any policy, given that a recent study found that 59% of people surveyed continue to use the same password across accounts, even though 91% know it’s a security risk. This should include education on safe password practices, including how to create a strong password and the importance of using unique passwords across accounts both at work and at home.

At minimum, a password should be 16 characters long and unique with a mix of character types, moving towards complex phrases rather than simple letter substitutions. Creating a long and complex password will ensure that a brute-force attack is unrealistic and if the password is unique it ensures all your other accounts are protected if said password is leaked in a breach.

The policy should also ensure that multi-factor authentication is introduced across all work accounts. This could be anything from a one-time code, biometrics such as fingerprint and iris, or behavioural analytics. By adding another layer of protection, even if a password or email does get stolen in a breach, the attacker will still need another piece of information before they gain access to sensitive information.

There’s no magic eight ball to predict what’s going to come next in the world of cybersecurity and there’s no guarantee that something that protected a business one year ago will keep it safe today. But if the alarming rise of cyberattacks has not yet resulted in meaningful security behaviour shifts, businesses need to take the burden of responsibility off their employees and work to make security both easy and convenient. Adopting a policy that shows an awareness and understanding of human behaviour, as well as incorporating technology that fits the unique needs of the business is key. Through this and regular education, companies will be able to put up the best defences against both internal and external attacks.

Browse our latest issue

Intelligent CIO Europe

View Magazine Archive