Who is responsible for enforcing password etiquette in your business?
Malware hits the Mac but is it worth worrying about?
It was hardly a surprise that using more than one password led to a data breach last week, perhaps the greater surprise came that a pupil had intercepted the password and accessed two databases.
This leads to the question of who is responsible for enforcing password etiquette? After all, if the person in the school had been prevented from using the same password twice the damage would have been halved.
According to research by Quest Software, 42 per cent of professionals regularly compromise data security for an easier life, yet many do not necessarily realise that they are breaching any policies.
Phil Allen, EMEA director of identity and access management at Quest Software, said that news stories do focus people on IT rules, but regulations can be broken causing serious concerns for the organisation around data security and access to privileged data.
He said: “Employees are often positioned as ‘intentional rule-breakers' which I think is largely inaccurate. Many employees aren't even aware of the tight restrictions around accessing and sharing data inside and outside the organisation. Most of the time they are thinking about how to get the job done in the quickest way possible and are often unaware of the importance of the information which they have been granted access to or which is under their control.
“I'd be surprised if anyone outside of IT actually considered whether they were following a process correctly or gave a second thought to the long-term implications of their actions or the damage the loss of some of their day-to-day information will cause.”
He said that various data breaches raise the question of who is actually responsible for enforcing information-sharing etiquette and management within organisations to ensure that these types of data breaches do not occur.
“Should it be the responsibility of IT to educate employees or is it a much wider business management issue? I would argue that it is both and it is not only around the importance of education of the processes, it is also raising the awareness that we all have daily access to information which can breach privacy rights, intellectual rights or cause financial damage if not handled correctly,” Allen said.
Marc Lee, EMEA sales director at Courion, said that there is no golden rule to achieving consistent password policy enforcement within organisations, but the CIO and IT management team should be responsible for determining an organisation's password policy, including its communication and enforcement.
He said: “A common practice within IT departments is to designate individuals who have responsibility for information technology resources and who need to make sure technical support staff secure computers and other electronic devices in accordance with the company policy.
“Furthermore, department administrators should be involved in disseminating password management guidelines and ensuring their entire unit understands and complies with them. Some organisations may leverage internal training and/or communications team to help ensure policy awareness and adoption.”
In agreement was Robin Hill, co-founder of security management and compliance firm RandomStorm, who said: “Overall responsibility for password security has to fall with the CSO or other C-level board members who hold responsibility for security in the organisation. However it should be enforced by the data owner and other line managers involved with the resource that is being protected.”
He also said that another problem is that where a strong password policy has been enforced, users resort to a common password so that they do not forget it.
“Systems can be used to automatically enforce best practice in password security, but you do have to be careful as they can create a management headache, with users forgetting passwords,” he said.
“The key solution is to keep educating users in all organisations, so that they are aware of the enormous risks posed by using easily guessed passwords and by sharing passwords between applications or employees.”
So is it a case of the employee being the weakest link and the biggest threat to a business? Not according to Christopher Miller, CEO of PasswordGear, who said that he felt that senior people are usually the worst offenders ‘because they know they can get away with it'.
He said: “The main factors causing passwords to be bad security include apathy, laziness, gullibility and sheer bloody mindedness against being told what to do by people in IT. These are all human factors. Typically, IT departments are really good at technology, while CEOs and sales departments are really good at persuading humans to do what they want, but they are the worst offenders when it comes to password violations.”
What should you do to change this problem, if there is not someone who is responsible for enforcing password etiquette? Miller said that instead of using even more complex authentication systems to baffle and annoy users, all users need to learn the language and methods of communication that will engage and persuade all types of personality and computer user.
He said that any change needs to be ‘enthusiastically' sponsored by senior management in order that it is taken seriously. It should be treated like an internal marketing exercise, using sneaky marketing tricks to get buy-in and fear of consequences to cement compliance.
He said: “Monitoring is not easy because it starts getting very complex to monitor compliance across systems that are not integrated, so it is all the more important that the training and architecture demonstrably makes things easier for people to use different passwords on different systems.”
Allen said that if employees are constantly turning to online public applications in the workplace, then internal tools are not effective. “As the guardians of information, CIOs need to rethink how they deliver IT services and tools to employees in order to offer a better and more convenient service which meets both the end-user and business requirements so that they can get their jobs done more efficiently whilst not introducing unnecessary risk,” he said.
“Business managers also have a large role to play in educating employees on the value of the rights they are granted, the information they have access to and reinforcing rules about etiquette, particularly when business-critical data is concerned. Responsibility certainly can't just fall on IT. Both need to work hand-in-hand for progress to be made.”
Lee said that it is more than who is responsible for enforcing password etiquette; it is about the number of ways in which technology can help IT staff to implement a consistent password policy across the organisation and ensure compliance.
He pointed to password management solutions that can be used to define and automate password policies, for example establishing requirements for password length and complexity across the organisation.
He said: “Educating staff about IT security measures and creating a strong password management policy is only the first step to enforcing password etiquette within organisations. To ensure consistent implementation across heterogeneous mission-critical systems, companies need to adopt robust password management solutions that enable automated password provisioning and policy enforcement.”
It seems that no one person is responsible for enforcing password etiquette, as in many instances it really comes down to each individual business and their staff and compliance position.
However could it be possible to assign a member of your staff to be a password security champion and roll out policies internally to ensure that you do not become the next headline in this area? Sometimes it is better to try than not at all.