The regular occurrence of cyber-attacks is creating a cyber arms-race between the IT industry and malicious hackers. The new threats that are appearing daily mean that designs that were once acceptable are no longer suitable to keep up with the pace of today's digital economy - the password is a perfect example of this.
In fact, Bill Burr, the author of an influential guide to computer passwords, says he now regrets several of the tips he gave. Popularising his best practice back in 2003, he had initially suggested that users change their passwords every 90 days and muddle words by adding capital letters, symbols and numbers. By this logic, a secure password might look something like ‘S3cUre*’.
Burr has recently acknowledged that he was “barking up the wrong tree”. Current guidelines no longer recommend frequently changing passwords, because people tend to respond by making a couple of small alterations to their existing passwords, for example changing "password1" into "password2". You'll agree that these are fairly easy to deduce.
Now, the National Institute of Standards and Technology (NIST) suggests that IT departments should only force a password change when there's been some kind of security breach, to avoid incremental changes. Another recommendation is to favour long phrases, rather than short passwords with special characters.
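The guidance above (prefer length over special-character rules, screen out common passwords, and stop accepting trivially incremented versions of the old one) can be expressed as a simple password-change policy check. The following is an added example written for this article, not code from NIST or the author; the minimum length, the similarity threshold and the tiny common-password list are assumptions chosen for illustration.

```python
"""Password-change policy checker in the spirit of the guidance above.

Added illustration, not a verbatim NIST rule set. Assumed policy:
  * minimum length of 12 characters, with no composition rules
    (no forced upper-case / digit / symbol mix), so passphrases pass
  * reject passwords that appear on a common/breached-password list
  * reject a new password that is only a small edit of the previous one
    (e.g. "password1" -> "password2"), measured by Levenshtein distance
"""
from __future__ import annotations

MIN_LENGTH = 12            # assumed minimum; long phrases clear it easily
MAX_SIMILAR_DISTANCE = 2   # assumed threshold for "too similar to the old one"

# Constructed sample of a common/breached-password list; a real deployment
# would screen against a much larger set.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert, delete or substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: str | None = None) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in COMMON_PASSWORDS:
        problems.append("appears in common/breached password list")
    if old is not None:
        if new.lower() == old.lower():
            problems.append("same as previous password")
        elif levenshtein(new.lower(), old.lower()) <= MAX_SIMILAR_DISTANCE:
            problems.append("too similar to previous password (small edit)")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the article's examples.
    for new, old in [("S3cUre*", None),
                     ("password2", "password1"),
                     ("correct horse battery staple", "password1")]:
        verdict = check_new_password(new, old) or ["ok"]
        print(f"{new!r} (previous {old!r}): {', '.join(verdict)}")
```

The composition-free length rule is what lets a long phrase pass while a short symbol-laden string like ‘S3cUre*’ fails, and the edit-distance check is what catches the "password1" to "password2" habit that forced rotation tends to produce.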
But if we delve a bit deeper into the concept of the password it becomes clear that this protocol on its own is not enough to protect an organisation's data, even if you follow best practice.
Why is this? Every time we sign up at a new website, open a new app, or log in to our email at work, we are confronted with the question of what to enter as a password. Naturally, human nature comes into play and a number of thoughts go through our mind:
· How often will I access this?
· How sensitive is the data within it?
· Do I really want to remember yet another password?
Far too often employees opt for the route of least resistance and simply reuse an existing password so that they can access business applications and systems faster. But here lies the issue. Passwords that are easily entered and remembered are inherently weak and can be easily guessed and compromised by a hacker.
Critical business data comes from a multitude of sources (your board, your customers, your partners), but it often shares one important characteristic: if this information is compromised, the consequences can be far-reaching and severe.
Conducting a full IT security audit can help to mitigate security risks and identify where certain elements need to be adjusted, especially if you are just using the traditional password to protect your sensitive data. If this is the case, it's a good opportunity to explore other options, such as identity management software and multi-factor authentication.
The results of your analysis can help remove complacency about existing cyber-security systems, and also indicate whether legacy systems are still able to handle modern-day threats. An audit can analyse where the vulnerabilities are across all areas of interest, including physical network access, server systems, physical access, and human behaviour, thus providing a clearer picture from which to make improvements.
Contributed by Kevin Timms, CEO of EACS.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.