7 April 2015
The story regarding people’s willingness to give up corporate passwords is yet another chapter in the ongoing story of the human being the weakest link in the corporate security chain.
The story is based on a survey of 1,000 users worldwide in large organisations, and it reports that one in seven would sell their password to an outsider for as little as $150 (€137). The report also cites an earlier UK survey (2012) that found almost half of respondents would sell their corporate passwords for less than £5 (€6.81), while 30% would sell them for just £1 (€1.36).
While it is pointed out that these surveys are far from scientific and respondents often self-select for participation, it is still indicative of a problem that exists in large enterprise in particular. That problem is a lack of awareness, understanding and personal investment in information security.
These surveys clearly show that corporate users often do not understand the consequences of poor password security, which manifests in several ways. One of these is the often cited weak password problem. This is where passwords are so weak as to be effectively useless — classics are ‘123456’, ‘password’ or ‘letmein’. Another is the password on a Post-It on the machine. But another manifestation is a willingness to give up that password to a random survey taker encountered in the street, train station, underground or café for the craic, for academic purposes or, famously, for chocolate.
The story points out that access to a lowly account seems like very little to give away, particularly for someone who works with data that is not perceived as being particularly sensitive. Academic Christopher Frenz, New York City College of Technology, said that often users do not understand that such an account could provide ‘a doorway’ to be used as a staging point for access to more sensitive data through privilege escalation techniques.
Muddu Sudhakar, CEO of security firm Caspida, said that he suspects workers know that if their personal passwords were compromised, the consequences would be certain and severe, while they might view a corporate password as, “someone else’s problem or think there might not be a consequence to misusing it.”
And this introduces a very important element of the debate — responsibility.
In the April issue of TechPro there is a survey feature, in association with DataSolutions, that looks at managing risks around information security.
Not wishing to give too much away ahead of the magazine, the survey asked its 171 respondents who IT users saw as being responsible for minimising cyberattack and/or IT security risks.
Nearly half said that it was entirely the IT department’s responsibility. This is a fairly damning response that shows that there is a distinct impression that the average user in corporate environments does not fully understand their own part in keeping things secure.
With so many people thinking that it is solely the IT department’s responsibility to keep things safe, they are abdicating responsibility themselves, which manifests in all the terrible things highlighted above.
User buy-in is a key part of information security, and that starts with the user’s very first interaction — log-in. If the mechanism is onerous, or perceived as pointless, the user will not engage. If the system repeatedly refuses their password efforts then frustration will set in and subversion will follow.
Education, awareness and engagement can be combined to combat this and ensure that users understand why they are being asked to create the type of passwords required, or use the ID tokens, or have their fingerprint scanned. By letting users know their part in the security equation, they will feel involved and engaged, and consequently, more willing to do what is necessary to support the security efforts.
This buy-in, and an understanding of what can happen when it fails, will hopefully combine to ensure that when one of your users is accosted in public with the proposition of passwords for the craic/academic research/chocolate, they will understand the consequences, refuse the offer and report that incident.