"Positive user experience is lacking when dealing with passwords, never mind with multi-factor authentication. The culture surrounding authentication is confusion. Users aren't aware of why they need to care, and therefore they don't. For companies to stay vigilant, they need to make users more aware and bring the fire closer to your employees (bring them closer to the risk). They need to build awareness focused on personal accounts."Here's how your company can build a proper password security policy at the workplace.
Establishing Personal Password Security PracticesCreating strong passwords isn't as difficult as remembering them and saving time when you're attempting to log into one your accounts. Fortunately, we are well past the days of having no option but to write all of our passwords down in a Word document. We can now download password managers, software which stores our passwords for us and auto-fills our login information whenever we visit a saved website. According to Brad Winckler, a researcher in Tripwire's R&D organization, password managers streamline our web account security and can help employees make other secure decisions, like creating harder-to-guess answers to their web accounts' security questions: Additionally, no one should ever pass up an opportunity to take advantage of additional layers of security. That includes implementing two-factor authentication (2FA). Winckler couldn't agree more:
"I can't mention secure passwords and secure security questions without also reminding everyone to enable two-factor authentication for any online site you use that supports it. You can check many popular sites and services for two factor authentication support at https://twofactorauth.org."
Integrating Password Security into the WorkplaceOnce companies have impressed their employees with the importance of choosing strong passwords for their personal accounts, they can develop policies that all employees must follow with regards to their business emails. Rose elaborates on that point:
"Companies need to actually implement a proper password policy that can be validated! That includes implementing multi-factor authentication as well as showing users what a secure password is and is not."With a policy in place, all that remains is for organizations to evaluate their employees against those standards. Rose feels companies can best accomplish that goal by implementing security training on an ongoing basis:
"Organizations should also run exercises to proactively check if users are following your guide, make the culture positive, and never attack a user who isn't aware. Think of yourself as the big sister or brother who has years of wisdom in cyber security. You want to protect and teach users. If the human aspect is the weakest, train it not to be."
ConclusionWe've all heard rumors that passwords are dead and that something will soon replace them. But that hasn't happened yet, partly because those means of authentication carry their own risks. Angus Macrae, Certified Information Systems Security Professional (CISSP), weighs in:
"Whilst we can expect biometrics combined with the likes of location and contextual behavioral analytics to become more reliable and commonplace [than passwords], these will only be as good in terms of both the security and user experience they offer, as well as the way in which they are implemented, maintained, and monitored. The Office of Personnel Management (OPM) breach has clearly demonstrated how a compromise of insufficiently protected biometric information can be far more devastating to recover from than a straight password haul. After all, there is no quick way to immediately reset everyone’s fingerprint."With that in mind, Macrae feels it's up to the security community to make it easier for users to make the right choices regardless of the authentication method. That includes instructing them about available authentication technologies (password managers) and teaching them to care about their personal accounts so that they can take the security of their business emails seriously. This post concludes Week One of NCSAM 2016. Stay tuned for Week Two, when we will examine how employees can help build a security culture at their organizations.