Despite regular reports heralding the death of the password as we know it, it will likely be a long time before passwords are a thing of the past. In today’s IT environment, passwords remain the most widely deployed and familiar way for an individual or organization to secure mission-critical accounts.
Meaningful words are far easier to recall than strings of digits, which is why passphrases are commonly recommended and why people so often forget their PIN codes. Biometrics have a role to play and are increasingly used, but they remain device- and endpoint-centric, whereas passwords are device-agnostic. A biometric also cannot be changed once it is compromised, unlike a password.
The best approach to security is multi-layered – taking full advantage of the spectrum of tools and best practices available. So until every application and system has moved off the password path, it is critically important that we manage them appropriately.
Beware of the ‘Domino Effect’
It is unlikely that you will have missed hearing about some of the more recent security breaches: Facebook, USPS and British Airways, to name a few. What about the older breaches? Surely we have moved out of the danger zone as a result of those more historic incidents, right? Wrong. We are increasingly seeing the data breaches of the past creating even more data breach troubles in the future. Dropbox is the perfect example of this. The company was breached in 2012 and nearly 70 million accounts were exposed. That is not a small number. But what is even more interesting, and we have been warning companies about this for a while, is that this breach was tied to a different, also very high-profile, breach.
The Dropbox employee whose password was used in the breach had reused a password that was exposed in the now infamous LinkedIn breach, which also occurred in 2012 (the full set of LinkedIn credentials only surfaced publicly in 2016). This illustrates the ‘chaining’ or ‘domino effect’ that data breaches can have across multiple organizations: one leaked credential, reused elsewhere, becomes the entry point for the next breach. This is just the tip of the iceberg. Who knows how long until we hear about the next breach in the chain? Unfortunately, this has been accepted as the status quo: we found last year that three in five organizations expect to be breached within a year, and 29 percent believe they would not even know they were breached when it happens.
People are still not managing their password security policies properly – whether they are unable to due to work or time pressures, or lack of access to cybersecurity training. Our recent Market Pulse Survey found that 75 percent of employees reuse passwords across different accounts, including work and personal accounts.
For this reason, we have created a step-by-step guide for businesses to guide them through putting preventive measures in place to stop the ‘domino effect’ from taking hold.
Say “Yes” to Regular Updates
“Remind me tomorrow” is not an option you should keep clicking, day after day, on that critical software update notification. Ignoring updates is something everyone has probably done. We all lead busy lives, with an abundance of emails and notifications clamoring for our attention daily. You may believe that you are too busy to wait for your phone or computer to reboot, and then once it is back up and running, you might have to log back into your accounts. However, software updates do not exist only to give you shiny new features; they frequently fix vulnerabilities you cannot see, often ones that are already being exploited by the time the patch ships. An unpatched vulnerability in software you run is a vulnerability in your security, so enable automatic updates wherever the platform offers them.
Take Advantage of Multi-Factor Authentication Systems
Multi-factor authentication (MFA) is a security control that requires at least two independent kinds of evidence to verify a user’s identity for a login or other transaction. It balances security with user convenience by combining something you have (a phone or hardware token that generates a one-time code) with something you know (your password) or something you are (a fingerprint). Note that security questions such as the name of your first pet or school teacher are just another thing you know, so they do not add a factor, and the answers are often guessable from public information. Sites like Google and PayPal offer MFA today, and it is becoming an increasingly common control because it substantially raises assurance that the right person is gaining access: a stolen password alone is no longer enough. Where the choice exists, prefer an authenticator app or hardware token over codes sent by SMS, which can be intercepted or redirected. There is also the added option of verifying changes to high-risk user information through a phone call, text or email. When offered as an option, you should always enable MFA for your accounts.
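To make the “something you have” factor concrete, here is an added example (not code from the original article or from SailPoint) of how the one-time codes produced by authenticator apps are generated and checked. It implements HOTP (RFC 4226) and TOTP (RFC 6238) over HMAC-SHA1, plus the server-side verification with a small drift window and a constant-time comparison. The secret used in the demo is the published RFC test-vector seed, chosen only so the output can be checked against the RFC; any real deployment generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The shared secret lives on the server and on the user's device; the
    8-byte big-endian counter is the value both sides must agree on.
    """
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over floor(t / step)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits)


def verify_totp(key: bytes, submitted: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a code the user typed in.

    Accepts the code for the current time step and up to `window` steps on
    either side to tolerate clock drift between phone and server, and uses a
    constant-time comparison so a wrong guess does not leak how many digits
    matched. A real server must also refuse to accept the same code twice.
    """
    if at is None:
        at = time.time()
    counter = int(at // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits), submitted):
            return True
    return False


# Demo secret: the ASCII seed from the RFC 4226 / RFC 6238 test vectors.
# Real deployments generate a random per-user secret and share it once (QR code).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(DEMO_SECRET, 0))                      # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))    # 94287082 per RFC 6238
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("code", code, "verifies:", verify_totp(DEMO_SECRET, code, now))
```

The point for the “domino effect” discussion is that the code changes every 30 seconds and is derived from a secret that never leaves the device and the server, so a password harvested from an old breach dump cannot be replayed on its own.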
Refresh Passwords (and make them strong)
Everyone has multiple accounts, from email to bank accounts and social media, so it is not surprising that most people end up using the same passwords across sites. This practice is alarming for obvious reasons, especially given how many attackers now actively exploit the human vector: a password leaked from one site is tried, automatically and at scale, against every other site where the same email address is registered. The single most effective defense is a unique password for every account, which in practice means using a password manager so that you do not have to remember them. In addition to making sure your passwords are strong, change any password promptly when the site where you use it reports a breach, and check whether your existing passwords already appear in known breach dumps. Some sites recommend or even require that you change your password when they detect a security threat or a breach has happened. Others rely strictly on your initiative. One caveat: forcing routine rotation on a fixed schedule tends to produce predictable variations of the old password (NIST SP 800-63B no longer recommends it), so focus your refresh effort on uniqueness and on rotating anything that is reused or exposed, and you will not fall foul of the domino effect.
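As an added example (not code from the original article or from SailPoint), the script below shows two checks a practitioner would run against the problem this section describes: which of a set of accounts share a password, and whether any of those passwords already appear in a breach corpus. The breach lookup follows the k-anonymity range model used by public pwned-password services: the client hashes the password, sends only the first five hex characters of the SHA-1 hash, and matches the returned suffixes locally, so the full password never leaves the client. Everything here is self-contained: the “breach corpus” is a small constructed dictionary standing in for the hundreds of millions of hashes a real service holds, the server-side lookup is a local function standing in for an HTTP range endpoint, and the account list is invented.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

HEX = set("0123456789ABCDEF")

# Constructed breach corpus: a handful of passwords that appear in real leaked
# lists, with made-up occurrence counts. A production index is built from dump files.
CONSTRUCTED_CORPUS = {
    "password": 5,
    "123456": 7,
    "qwerty": 3,
    "linkedin2012": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key used by range-lookup services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket hashes by their first five hex characters."""
    index: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append((digest[5:], count))
    return index


def range_lookup(index: Dict[str, List[Tuple[str, int]]], prefix: str) -> List[Tuple[str, int]]:
    """Server side: return every (suffix, count) in the bucket for a 5-hex-char prefix.

    The server only ever learns the prefix, so it cannot tell which password was queried.
    """
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return sorted(index.get(prefix, []))


def breach_count(password: str, index: Dict[str, List[Tuple[str, int]]]) -> int:
    """Client side: how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in range_lookup(index, prefix):
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


def find_reuse(accounts: Dict[str, str]) -> List[List[str]]:
    """Group account names that share a password; each group is one potential domino chain."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for name, pw in accounts.items():
        by_hash[sha1_hex(pw)].append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


def audit(accounts: Dict[str, str], index: Dict[str, List[Tuple[str, int]]]) -> List[Tuple[str, int]]:
    """Accounts whose password is in the breach corpus, with the occurrence count."""
    return sorted((name, breach_count(pw, index)) for name, pw in accounts.items()
                  if breach_count(pw, index))


INDEX = build_index(CONSTRUCTED_CORPUS)

# Constructed account list for the demo; the "work" and "social" entries reuse a
# password that is also in the breach corpus, so one dump exposes both accounts.
DEMO_ACCOUNTS = {
    "work-email": "password",
    "social": "password",
    "bank": "correct-horse-battery-staple-2019",
}

if __name__ == "__main__":
    print("reused across:", find_reuse(DEMO_ACCOUNTS))
    print("in breach corpus:", audit(DEMO_ACCOUNTS, INDEX))
```

When wiring this up to a real service, keep the client-side structure exactly as shown: send the prefix only, and never the full hash or the password, and compare suffixes locally. The SHA-1 here is a lookup key for a public corpus, not a way to store passwords; stored credentials need a slow, salted hash such as bcrypt, scrypt or Argon2.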
Always Wear Your Security Hat
People are an organization’s biggest security threat. Social engineering and human error have been the cause of many major data breaches. Always be aware of where you are on the Internet or in your email accounts, and take specific note of anything and anybody that asks you to ‘log in’ or provide any ‘secrets’ or personal information. Look out for HTTPS-enabled websites in your browser’s address bar. If you do not see a little lock next to the URL, be aware that it is not secure and proceed accordingly.
Manage Access and Identity
Protecting identity is the key to the safety of your own data, of sensitive company data, and of sensitive data elsewhere in the organization that may not even be linked to you. Understand who has access to what, what they are doing with that access, and manage that access throughout each user’s lifecycle: grant only what a role needs, review entitlements when people change roles, and revoke access promptly when they leave, since dormant accounts with stale passwords are exactly what a reused, leaked credential unlocks. Do this, and you will be on your way to smarter, stronger, and more proactive identity and access management, as well as a stronger overall IT security posture within your organization.
About the Author
Juliette is CMO of SailPoint Technologies. She started her career as a strategy consultant at Bain & Company San Francisco and Arthur Andersen France. She has also held executive positions at some of the world’s largest technology companies, including Oracle, CA, Business Objects-SAP and Check Point Software.
She brings energy and pragmatism to SailPoint in her role as CMO. Juliette’s strong track record has helped the company’s revenue growth. Her philosophy underscores the importance of a close partnership with all sales channels, direct and indirect, with constant creativity and the ability to think differently than competitors do.