post-it

How to Stop ‘Passwords on Post-its’ Syndrome

For decades, written credentials such as usernames and passwords have been the primary form of authentication in the enterprise.

Alternative forms of electronic identification have come to the fore, such as smart cards, tokens and various biometric keys, but to date this technology has never come close to the simplicity, user-acceptance and functionality of the humble password.

However, as we increasingly equip our lives with technology – think the Internet of Things – the need for user accounts, passwords and answers to security questions is at an all-time high.

In such a climate, it’s easy for employees to become complacent about how they use and record passwords. It has led to a post-it password culture whereby 30% of staff members actually write their passwords down. If keys are not literally being written on little yellow tabs and stuck to computer monitors, then they may as well be.

This culture is nurtured by the can-do attitude of staff in the corporate domain, who in their infinite efficiency, are able to work around security features. But a study by Dell has found that nearly 70% of IT professionals consider employee workarounds to avoid IT-imposed security measures as the greatest risk to an organisation.

How IT departments can shore-up digital security

  • Improve company-wide awareness on company policy

A telling statistic finds that 61% of people are unaware of their company’s password policy, or even if the company has one. Without clearly defined password usage guidelines, the importance of passwords can be overlooked, and employees can be left without incentive to take anything other than the path of least resistance – a simple password that is easy to remember and easy to work out.  

Workers are far more likely to embrace and develop a security conscience if a strong policy is supported by education on the need for it and how security works. Mike Hanley, Program Manager at Duo Security, advocates teaching “security hygiene” whereby basic, company-specific security observances are demonstrated and assimilated by staff in order to reduce the strain on IT resources.

With just 39% of surveyed staff saying that their business has a clear password policy, it is critical that organisations establish strong policies and communicate these in formal sessions to staff to ensure whole teams are on the same page. 

As the number of workers’ digital access points increases, the use of easy-to-remember passwords, together with the use of duplicate passwords across a number of accounts, is on the rise. This poses a huge threat to even the best security systems. Policy should focus on stamping out laziness by forcing staff to create complex passwords that are unique to one account.

  • Continuous IT training

Organisations’ online security will only ever be as good as the staff members who uphold it. As Cheryl Biswas, IT coordinator at JIG Technologies recommends, ongoing commitment to IT security will help it to become a high-profile and approachable subject.

Individual security topics should be broken up into training sessions. For example, a class could look at how to spot suspicious links, and potential threats can be analysed using tools such as URLQuery.net.

Monthly newsletters can broadcast bite-sized articles or tips on IT security which complement the information of dedicated training sessions. These can then be compounded by periodic tests to evaluate and address user awareness if necessary. 

Companies need to get away from awareness on digital security being limited to shared links, to good practice guidance online; such a nonchalance will inspire the same casual attitude among staff members.

  • Enforced login behaviours

Better password practice among individual employees can be strengthened if IT teams improve the online environment, with enforced safeguards such as account lockout and throttling. Systems should be configured to allow users a finite number of attempts to enter their correct password before their account is locked out.

Blacklisting passwords can be an effective backup tool, while protective monitoring also serves as a strong defence against forced attack and can be a workable alternative to account lockout.

  • Mobile users

The proliferation of cloud technology, remote working and any number of mobile devices means mobility policy is now essential for organisations wanting to maximise their IT security. Around 55% of US-based firms now have such policy in place for BYOD (bring your own device) users, a trend that is only set to increase as employees engage more with smartphones, tablets and computers in the workplace.

Improved protection should be given to remote or BYOD users, such as a two factor authentication system. Unfortunately, security layers are considered a hindrance to productivity. IT departments should be aware of this and be vigilant in removing users’ ability to disable security features.

Consider setting up a system that will grant secure access to your organisation’s network for remote workers. Technologies such as virtual private network (VPN) software encrypt remote workers’ data and can operate alongside tools that ensure remote computers are running with current security patches and correct configuration.

Recent improvements in VPN technology have allowed for higher levels of encryption and the technology is available on more hardware than ever before. Opting for an SSL VPN can allow users secure access without the need for installation of bulky client software. However, compatibility with legacy operating systems or hardware might be an issue so be aware of potential compatibility problems before committing to a solution.

Conclusion

Organisational cyber security is not solely down to password usage, but depends on every group within a company working in sync to embrace new techniques and mind-sets that support safety in the online domain.

With training and improved awareness, companies can begin to foster healthier and more educated attitudes towards security, in which all parties have a stake.

Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals. To view more Management content, click here.

Insights for Professionals