Why are employees still not following basic security advice?


It's long been recognised that the weakest link in any business' cyber security defences is likely to be the people who use its systems. Straightforward errors by employees are often among the root causes of data breaches, whether this is visiting compromised websites, opening unfamiliar email attachments or falling victim to phishing attacks that compromise their login details.

That's why it's so important for IT personnel to ensure their workforce is adequately trained on basic security procedures, and that these messages are repeated frequently. But even if you do this, you can't always account for the human factor, and no doubt many IT pros will be familiar with the feelings of frustration when these messages don't sink in.

Audits reveal poor practices

This will surely be an issue that the IT department at the government of Western Australia will be familiar with. It was revealed recently that a security audit conducted within the organisation found more than a quarter of officials (26 per cent) used common, easily-cracked passwords on their accounts.

These poor passwords weren't just limited to pet names and simple phrases like 'getmein'. More than 5,000 of the 234,000 accounts examined across 17 government agencies were found to include the word 'password' in some form, including 1,464 users whose login was 'password123'. 

Meanwhile, 'password1' was used 813 times, while 184 users weren't even creative enough to add a single additional element and stuck with 'password' as their password. It's enough to get any IT pro to bury their head in their hands in despair.

The list of most commonly used passwords also suggests that even when they don't use 'password', many employees are thinking up their logins in fairly unimaginative ways, as more than 13,000 passwords used variations of the date or season, while the combination '123' cropped up almost 7,000 times. For example, 'October2017' was used 226 times, and 'Spring17' could get you into 198 accounts.

Western Australia's Auditor General Caroline Spencer commented: "After repeatedly raising password risks with agencies, it is unacceptable that people are still using 'password123' and 'abcd1234' to access critical agency systems and information."

Can firms get employees to engage?

What the audit of the Western Australian government clearly shows is that convenience will continue to win out over security for many users. No matter how often IT managers emphasise the need for better passwords, or how many additional requirements they add, people will always find ways around them.

Hackers are well aware of these common patterns. Does a system require both letters and numbers in a password? Adding 123 to the most common phrases will surely find success sooner rather than later. Are both upper and lowercase letters required? Chances are the first character will be uppercase and the rest lowercase. It doesn't take long for hackers to plan for these conditions.

One common method of getting people to think about their password is to require them to change it regularly, but this is unlikely to enhance security. Most people don't like dealing with multiple passwords and will make the bare minimum of changes – so 'password1' becomes 'password2' – or stick to an easily-guessed pattern, such as using the month. 

Instead, length may be the key to a good password – but this does not necessarily have to mean a huge string of random characters that no-one has a chance of remembering. The US National Institute of Standards and Technology, for example, suggests using normal English words and phrases that are memorable for users but tougher on hackers. 

This can also encourage users to think about passwords by making them more personal – for instance, getting people to think of a four or five-word phrase that means something to them, but which is long enough to make any brute force attack almost impossible.