Why are employees still not following basic security advice?
It's long been recognised that the weakest link in any business's cyber security defences is likely to be its people. Straightforward errors by employees are often among the root causes of data breaches, whether that is visiting compromised websites, opening unfamiliar email attachments or falling victim to phishing attacks that compromise their login details.
That's why it's so important for IT personnel to ensure their workforce is adequately trained on basic security procedures, and that these messages are repeated frequently. But even if you do this, you can't always account for the human factor, and many IT pros will be familiar with the frustration of watching these messages fail to sink in.
Audits reveal poor practices
This will surely be an issue that the IT department at the government of Western Australia will be familiar with. It was revealed recently that a security audit conducted within the organisation found more than a quarter of officials (26 per cent) used common, easily-cracked passwords on their accounts.
These poor passwords weren't just limited to pet names and simple phrases like 'getmein'. More than 5,000 of the 234,000 accounts examined across 17 government agencies were found to include the word 'password' in some form, including 1,464 users whose login was 'password123'.
Meanwhile, 'password1' was used 813 times, while 184 users weren't even creative enough to add a single additional element and stuck with 'password' as their password. It's enough to get any IT pro to bury their head in their hands in despair.
The list of most commonly used passwords also suggests that even when they avoid 'password', many employees choose their passwords in fairly unimaginative ways: more than 13,000 passwords used variations of a date or season, while the combination '123' cropped up almost 7,000 times. For example, 'October2017' was used 226 times, and 'Spring17' could get you into 198 accounts.
Western Australia's Auditor General, Caroline Spencer, commented: "After repeatedly raising password risks with agencies, it is unacceptable that people are still using 'password123' and 'abcd1234' to access critical agency systems and information."
Can firms get employees to engage?
What the audit of the Western Australian government clearly shows is that convenience will continue to win out over security for many users. No matter how often IT managers emphasise the need for better passwords, or how many additional requirements they add, people will always find ways around them.
Hackers are well aware of these common patterns. Does a system require both letters and numbers in a password? Adding 123 to the most common phrases will surely find success sooner rather than later. Are both upper and lowercase letters required? Chances are the first character will be uppercase and the rest lowercase. It doesn't take long for hackers to plan for these conditions.
One common method of getting people to think about their password is to require them to change it regularly, but this is unlikely to enhance security. Most people don't like dealing with multiple passwords and will make the bare minimum of changes – so 'password1' becomes 'password2' – or stick to an easily-guessed pattern, such as using the month.
Instead, length may be the key to a good password – but this does not necessarily have to mean a huge string of random characters that no-one has a chance of remembering. The US National Institute of Standards and Technology, for example, suggests using normal English words and phrases that are memorable for users but tougher on hackers.
This can also encourage users to make their passwords more personal: for instance, by asking people to think of a four- or five-word phrase that means something to them but is long enough to make any brute force attack almost impossible.
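The checks the last few paragraphs argue for can be written down as a policy. The following Python is an added example written for this page, not code from the article or from Arrow: it rejects the shapes the audit found (the word 'password', a month or season plus a year, a '123' suffix, a known-bad list), flags a forced rotation that only bumps a digit, and puts numbers on the length argument. The blocklist and sample passwords are constructed from the patterns the article reports rather than taken from the audit data; the 8-character floor follows NIST SP 800-63B; the 7,776-word list size is the standard Diceware size and is assumed here as a reference point.

```python
import math
import re

# Constructed blocklist: a few values modelled on the article's audit findings
# plus common defaults. A real deployment would load a large breached-password
# corpus here, as NIST SP 800-63B recommends, rather than a hand-written set.
BLOCKLIST = {
    "password", "password1", "password123", "abcd1234",
    "getmein", "123456", "qwerty", "letmein",
}
MONTHS = ("january february march april may june july august "
          "september october november december").split()
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
MIN_LENGTH = 8  # NIST SP 800-63B floor for user-chosen memorised secrets

# A month or season name, optionally followed by a two- or four-digit year:
# catches the 'October2017' and 'Spring17' shapes reported in the audit.
DATE_PATTERN = re.compile(
    r"^(?:%s)(?:\d{2}|\d{4})?$" % "|".join(MONTHS + SEASONS), re.IGNORECASE)


def stem(pw: str) -> str:
    """Lower-case the password and strip trailing digits/punctuation, so that
    'Password2' and 'password123!' both reduce to 'password'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def weaknesses(pw: str) -> list:
    """Return the reasons a candidate password should be rejected.
    An empty list means it passed every check in this (hypothetical) policy."""
    reasons = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if lower in BLOCKLIST or stem(pw) in BLOCKLIST:
        reasons.append("on the common-password blocklist")
    if "password" in lower:
        reasons.append("contains the word 'password'")
    if DATE_PATTERN.match(pw):
        reasons.append("month or season plus a year")
    if lower.endswith("123"):
        reasons.append("ends in '123'")
    return reasons


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character 'rotations'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str) -> bool:
    """True when a forced rotation produced 'password2' from 'password1':
    the same stem, or at most two characters edited."""
    s = stem(old)
    if s and s == stem(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= 2


def random_password_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a uniformly random password (upper bound on guessing cost)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase of uniformly chosen words; 7776 is the size of
    a standard Diceware list, assumed here as a reference point."""
    return words * math.log2(wordlist_size)


def audit(passwords) -> dict:
    """Tally rejection reasons across a password set, the way an internal
    audit summarises its findings. Returns {reason: count}."""
    counts = {}
    for pw in passwords:
        for reason in weaknesses(pw):
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample using the shapes the article reports, not real audit data.
SAMPLE = ["password123", "password1", "password", "abcd1234",
          "October2017", "Spring17", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print("%-30s %s" % (pw, ", ".join(weaknesses(pw)) or "OK"))
    print(audit(SAMPLE))
    print("password1 -> password2 trivial?", is_trivial_change("password1", "password2"))
    print("8 random alphanumerics: %.1f bits" % random_password_bits(8))
    print("4-word passphrase: %.1f bits" % passphrase_bits(4))
```

Two design points follow from the article's argument. First, the blocklist and stem check catch 'password2' even though it is not literally listed, which is what makes a rotation rule stop rewarding the bare-minimum change. Second, the entropy figures show why length beats complexity rules: four words drawn at random from a modest list already exceed eight random mixed-case alphanumerics, and a fifth word widens the gap, while remaining something a person can actually remember.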