Data Security: Employees and Passwords don’t mix, so what’s the solution?
By Norman Begg, Marketing Manager, of Cyber Security Firm My1Login
Your business wouldn’t be there without your workforce, which is why bosses commonly list their employees as a key strength. However, employees also present the greatest data security risk to a business.
The recent HM Government Information Security Breaches Survey confirms this, with 81% of large organisations stating that there was an element of staff involvement in the data security breaches they suffered.
The main reason for this statistic is simple: when it comes to data security, employees and passwords simply don’t mix. Weak password practices by end-users are the number one cause of data breaches. A staggering 65% of corporate data breaches are caused by employees’ weak password practices, with 2 out of every 3 security data breaches being credential-based. A study of 6.5 million passwords by Mark Burnett found that 99.8% of them were drawn from the same 10,000 passwords. It underlines that humans are predisposed to creating weak passwords, and that we’re all very similar in our choices.
Employees are typically guilty of a plethora of weak practices, such as using the same password for multiple applications, choosing weak, easy-to-remember passwords, writing passwords down or storing them in spreadsheets, on their mobiles or in Dropbox, or sharing them insecurely via email or text. Commonly, employees will also use personal passwords for business applications. When these consumer services, Yahoo being a good example, are hacked, there’s a domino effect resulting in breaches of business applications protected by those same passwords.
Data breaches make the headlines when they affect big brands, but 90% of all large organisations, and 74% of smaller organisations, now admit to having been hacked, according to the most recent HM Government Information Security Breaches Survey. While the average cost of a data breach is not pocket change at £2.3m, the biggest damage is reputational, for both the company and the C-level execs who take the blame and lose their jobs.
The mainstream media have an endless stream of data breaches to devote column inches to, Yahoo being the largest of the most recent breaches, with data from an estimated 500 million users stolen. Other recent high-profile data breaches include those at Three, Tesco Bank, Snapchat, LinkedIn, Oracle, Sage, Dropbox and more. No company, big or small, is exempt, and the reputational fallout can often be more damaging than the financial cost. The TalkTalk hack from last year is believed to have cost the company £40m, but more than that, TalkTalk lost 95,000 customers as a direct result of the data breach. The FTSE 100 organisation Sage suffered unauthorised access to customer information via an internal login; shares in the company fell as much as 3.9% as a result. The Yahoo hack which led to 500 million user details being stolen jeopardised its acquisition by Verizon and at one stage was believed to have wiped £150m off the valuation.
Eliminating passwords has big benefits: not just the increased security it would bring, but an improved, simplified user experience for end-users and fewer headaches for the IT staff who are obliged to manage user access to applications. Being asked to reset user passwords is a continual drain on service desk resources.
The quest to remove passwords as the primary means of authentication is nothing new, but it now comes at a time when the number of passwords in use is growing exponentially due to the trend towards cloud services and the proliferation of IoT. Simply put, we all have a lot more passwords to manage these days. If there was ever an ideal time to kill off the password, it is now.
The reasons for passwords’ popularity as an authentication mechanism are the same reasons they’re so weak at fulfilling that function securely. They’re easily created, simple and have a low barrier to entry for vendors and users alike; however, they also rely, mostly, on end-users to manage the level of security they offer. The people who tend to have the least interest in security are the ones entrusted with it when it comes to passwords, and that creates risk, especially in a business context. Even passwords that are stronger, more complex, longer, with more entropy and so on are increasingly likely to be cracked due to the computing power and tools freely available to crackers. Cracking passwords is a numbers game that continually favours the cracker, and freely available cracking tools support a multitude of different hashing algorithms. An array of GPUs has been shown to make 350 billion guesses per second against password hashes generated by the NTLM cryptographic algorithm used by Windows. The same system can make around 63 billion guesses per second against SHA1, the algorithm used to hash the LinkedIn passwords, and around 180 billion guesses per second against the MD5 algorithm.
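As an added worked example (not My1Login’s code), the following Python screens a candidate password the way the two preceding points suggest a defender should: it rejects anything on a common-password list like the one Burnett found covering 99.8% of users, and it uses the article’s quoted guess rates for NTLM, MD5 and SHA1 to estimate how long the fastest of those rigs would need to exhaust the password’s keyspace. The short common-password set, the one-year threshold and the assumption that the attacker has exactly one such GPU array are constructed for the example.

```python
from typing import Dict

# Guesses per second the article quotes for one GPU array against each hash.
GUESS_RATES: Dict[str, float] = {"NTLM": 350e9, "MD5": 180e9, "SHA1": 63e9}

# Constructed stand-in for a 10,000-entry common-password list; a real
# deployment would load the full list (or a breach corpus) from disk.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

SECONDS_PER_DAY = 86400


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and symbols
    return size


def exhaustive_seconds(pw: str, rate: float) -> float:
    """Worst-case time to try every string of pw's length over its alphabet."""
    return charset_size(pw) ** len(pw) / rate


def in_common_list(pw: str) -> bool:
    """Case-insensitive lookup; common-password lists are almost all lower case."""
    return pw.lower() in COMMON_PASSWORDS


def assess(pw: str, min_days: float = 365.0) -> dict:
    """Policy verdict: list hits are rejected outright; otherwise the fastest
    quoted rig must need at least min_days to exhaust the keyspace (assumed
    threshold for this example)."""
    if in_common_list(pw):
        return {"accepted": False, "reason": "in common-password list"}
    worst_days = min(exhaustive_seconds(pw, r) for r in GUESS_RATES.values()) / SECONDS_PER_DAY
    if worst_days < min_days:
        return {"accepted": False, "reason": f"brute-forceable in {worst_days:.1f} days", "days": worst_days}
    return {"accepted": True, "days": worst_days}
```

The brute-force figure is a worst-case bound for a single rig and a fast unsalted hash; dictionary and rule-based guessing, as the article's 10,000-password statistic shows, usually succeed far sooner, which is why the list check comes first.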
Password fatigue amongst users and businesses has grown in recent years, as has the technology capable of replacing passwords. Password alternatives have already gained significant traction for both business and consumer apps, whether tokens, biometrics, certificates or others. Alongside the growing desire for a single point of authentication, the methods that replace the password are already delivering it.
Devices and apps in the hands of consumers are already taking advantage of password-less authentication, whether it’s fingerprint or face recognition on mobiles or connecting to 3rd party apps using OpenID and OAuth to remove the need for password authentication.
In the corporate world, federation of Active Directory is used to provide password-less authentication into apps, albeit on a limited scale. Identity Providers (IdPs) extend this functionality by using standards such as SAML and other token-based authentication methods to provide seamless password-less authentication to 3rd party applications. SCIM can even be used to provide full-lifecycle user management, removing the need for admins to log into service provider apps to provision and de-provision user access. ‘No more passwords’ is the common goal, but it requires 3rd party vendors to enable password alternatives within their solutions.
Passwords are being replaced, but they won’t disappear in the short term, as legacy systems that need them are still in use and new apps that use them are still being created. Many service providers still see passwords as the most cost-effective and accepted method of authentication. How successful would Facebook have been if, in its first incarnation, Mark Zuckerberg had required the use of biometrics to create an account and authenticate?
So, is the death of the password imminent? Sadly, no. For all their ills, passwords still represent the lowest cost, most mature and accepted method of authentication. However, technology such as My1Login can remove them where possible, and automate their usage where not. My prediction is, while passwords will still be around, they are unlikely to play a major role in end-users’ life in 10 years’ time.