The Friend Finder Network hack, the largest data breach of 2016 that exposed more than 400 million user accounts, has, once again, highlighted the issue of passwords.
Passwords continue to be the bane of our digital lives. We tend to use simple, memorable passwords that any ‘wannabe hacker’ can break. If you then try harder and go for a more complex solution, it often gets forgotten or, worse still, written down. So, how can businesses ensure that their employees use the best password security to guard their data safely?
Firstly, companies need to take more responsibility for helping their employees manage the myriad passwords that must be remembered in the workplace. Those that are used have to be good, robust passwords that are changed regularly in order to maintain good governance.
It will take a good hacker no more than ten minutes to break into your system if your only security is a six character lowercase password. If you opted for an eight character password with upper and lowercase letters, numbers and symbols then the time frame for a hacker to break in would be more like four hundred years. Ensuring that your passwords are as complex and cryptic as possible is one measure that can be put in place to go some way to securing your information.
A robust password is one that uses upper- and lower-case letters, special characters and non-sequential elements, and is not a word in itself. It should be changed at least every thirty days. And, ‘therein lies the rub’: this puts a huge burden on employees as, left to their own devices, it is unlikely that anyone would be able even to ‘dream up’ such a password.
The process results in passwords being written down in order to remember them, with the worst-case scenario being a ‘Post-it’ note stuck on the side of the monitor.
There are smarter forms of user authentication and these include tokens, certificates or authentication software such as biometrics. This technology simplifies the log-on process for users and defeats hackers or monitoring software, as the log-on is unique each time the user accesses a system. Such technology is regularly used for on-line banking services and easily adapts to new technologies such as cloud or managed services.
The options available for authentication are numerous. They range from physical tokens that generate one-time passwords, through tokens available on mobile phones and USB tokens that securely store a certificate, to fingerprint readers and, more scarily, retina scanning.
However, some of these techniques, such as retina scanning, can engender user resistance, and some, such as fingerprint readers, can be temperamental. This leads to user complaints and more work for the technical support department.
Tokens, on the other hand, are more reliable and easily understood by the user. Often the only issues are the cost of the token and the management of lost or broken tokens, but these can be reduced by using soft tokens, which can be used on multiple devices and reinstalled should the device change or be lost.
There is an authentication mechanism for all organisations, large or small, that is able to fit within budget, meet business requirements and match the user role. It is simply a case of taking responsibility and improving the level of security by ensuring better control.
Colin Tankard is managing director at data security company Digital Pathways, a specialist in the design, implementation and management of systems that ensure the security of all data whether at rest within the network, mobile device, in-storage or data in-transit across public or private networks.