Passwords have been the mainstay for securing applications, devices and the data they hold, pretty much ever since IT was invented. It’s an approach that has always had weaknesses though, mostly because few of us can keep long, complex codes safely in our heads. And as a recently published survey by security vendor Centrify illustrates, the problem has not gone away.
The company’s research took an interesting approach. First, it polled senior managers in UK companies for their perceptions of young, ‘millennial’ workers. The findings make interesting reading and throw a strong light on how easy it is for myth to obscure reality. When asked who they thought was most likely to be responsible for a security breach, the top two answers were “younger employees” and “new starters”, with “disgruntled staff” coming in third. “Senior management”, “management” and “older employees” filled three of the bottom four slots along with “graduates”.
Where’s the danger – young or old?
The survey then went on to ask both millennial workers and senior managers if they had ever done anything risky on their work systems, such as clicking on suspicious links in an email, sharing passwords, or perhaps most worrying of all, removing company data.
Their answers showed that although the senior staff perceived their younger colleagues as feckless, they themselves were the more dangerous ones: they were around twice as likely as the millennials to have performed something risky!
Regardless of who is to blame, these results show that people are still a weak link in IT security – which for many organisations today means business security. And as regulatory fines for security failings could now result in direct financial penalties that are far more painful than they were in the past, there should be significant pressures and incentives to invest in toughening things up.
A major challenge to improving IT security has always been user resistance. If IT security is not almost transparent to the user, history and experience shows that some will always seek to by-pass it. Indeed, push-back from senior staff is one of the hardest things to address without undertaking extensive, and continuous, communications. Fortunately, security solutions have evolved rapidly in recent years, especially as machine learning and more extensive monitoring capabilities are being embedded into solutions.
To this end there are a few basic steps that should be implemented:
- make multi-factor authentication a standard for every user
- apply encryption-at-rest to all sensitive data – indeed, it should probably become the norm for all data, where practical
- look at implementing IT behavioural anomaly analysis
- train all staff regularly on why security matters, not just on what to do or not do
Please do not ignore the last point, as many budget-holders are tempted to do. It is probably the most effective and inexpensive measure you can take.