There are many ways for users within companies to access data. These include the ubiquitous username-and-password login and more recent methods such as smart cards, hardware tokens and various biometrics. Whatever the method, employees can undermine it, not least by sharing passwords or writing them down and sticking the note to a monitor.
According to a report by IFP Technology, these loose practices remain rife even though companies issue policy statements and run training courses on data integrity. The research describes a "post-it password culture": 30 percent of staff admit that they write their passwords down.
To add to this, a recent Dell study found that 70 percent of IT professionals regard employee "workarounds" of IT security measures as the greatest risk to an organization. A common cause is simple ignorance: no matter how often a company reinforces its password policy, around two-thirds of employees say they are unaware of its rules and conditions.
According to Mike Hanley, Program Manager at Duo Security, who is quoted in the IFP Technology report, more rule-making is not the answer. Instead, face-to-face training and education are the key to security success. He advocates education built around "security hygiene": the essential, company-specific security practices have to be demonstrated to, and absorbed by, staff at every level of the organization.
Once that level of maturity is embedded, the passwords themselves need tackling. This means avoiding easy-to-guess passwords and ending the practice of reusing one password across different accounts. Any good security policy, the report states, should require staff to create complex passwords, with a unique password for each system they access.
A further protective measure is "throttling", the IT shorthand for configuring systems to permit only a finite number of failed password attempts; once that limit is reached the account is locked, or further attempts are delayed, so that an attacker cannot simply guess until something works.
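The following is an added example, not code from the IFP Technology report or from Duo Security, showing how such a limit is typically enforced: failed attempts are counted per account inside a sliding window, the fifth failure locks the account for a fixed period, and a locked account rejects even the correct password until the lock expires. The credential store, the usernames and the limits (5 failures, 10-minute window, 15-minute lockout) are all assumptions chosen for illustration.

```python
"""Login throttling with temporary account lockout (added example, assumed parameters)."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # failed attempts tolerated inside the window (assumed policy)
WINDOW_SECONDS = 600    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long the account stays locked after the limit is hit


def _hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users simply fail."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)


class LoginThrottle:
    """Counts failures per account and locks the account once the limit is reached."""

    def __init__(self, verify=verify_password, now=time.time):
        self._verify = verify          # callable(username, password) -> bool
        self._now = now                # injectable clock so the lockout can be tested
        self._failures: dict[str, list[float]] = {}
        self._locked_until: dict[str, float] = {}

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._now()
        # A locked account is refused without even checking the password.
        if now < self._locked_until.get(username, 0.0):
            return "locked"
        # Keep only the failures that fall inside the sliding window.
        recent = [t for t in self._failures.get(username, []) if now - t < WINDOW_SECONDS]
        if self._verify(username, password):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = recent
        return "denied"

    def seconds_until_unlock(self, username: str) -> float:
        return max(0.0, self._locked_until.get(username, 0.0) - self._now())


def demo() -> list[str]:
    """Five wrong guesses lock the account; the right password works only after the lock expires."""
    clock = [1_000.0]                                  # fake clock, seconds
    throttle = LoginThrottle(now=lambda: clock[0])
    results = [throttle.attempt("alice", f"guess{i}") for i in range(MAX_FAILURES)]
    results.append(throttle.attempt("alice", "correct horse battery staple"))  # still locked
    clock[0] += LOCKOUT_SECONDS + 1                    # wait out the lockout
    results.append(throttle.attempt("alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

One caveat worth remembering when adopting this control: a hard lockout lets anyone who knows a username lock its owner out by sending a handful of wrong passwords, which is why the lock here expires on its own and why the response for an unknown username is identical to that for a wrong password.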
Policies also need updating to address the growth of cloud computing. In addition, many companies permit BYOD (Bring Your Own Device), letting employees use their own smartphones, tablets and computers for work. One part of the answer is virtual private network (VPN) software, which encrypts traffic between the device and the corporate network and so also protects employees who work remotely.