Ever since the commercialization of the World Wide Web in the late '90s, passwords have been a front-line security method for doing business online. Yet, despite huge advances in technology, password practices for the majority of people have not evolved that much. It is another example of human beings being the weakest link where data security is concerned.
Today everyone from office workers to IT administrators routinely uses passwords as a way to authenticate their identity when accessing privileged online or network content. The only difference is that now they are using them with mobile devices, social media and cloud-based applications to conduct business without walls. This puts businesses at increased risk of a data breach. News headlines like the hacking of a British shoe retailer or large-scale attacks on companies with millions of online members usually point to the loss or compromise of passwords as a common factor.
According to recent research by AVG partner Centrify, one in three users neglects to secure their devices, while poor password habits put their employer's data at risk. On this evidence it's fair to say conventional password use is no longer fit for purpose in the 21st century and businesses must adopt additional measures to ensure their passwords are up to the task. In my view, many of the user identity breaches reported in the news could have been prevented if better password practices and stronger, multi-factor authentication methods were in use.
Extra layers of protection
Extra layers of authentication are essential to check the authenticity of password users. The sooner businesses large and small start to enforce these across the board - especially where use of bring your own device (BYOD) mobile technology is standard - the sooner they can drastically reduce the risk of data breaches.
Here are my five top tips for better password management in 2015:
1. Turn on "two-step authentication". Most mobile services now offer a simple code-based system that sends you a numeric password by SMS/Text to secure your login credentials.
2. Some mobile phones now provide both identity and access management capabilities. Encourage employees to adopt these and incorporate them as part of your BYOD policy.
3. Make sure company security measures include formal staff training on password best practice. Passwords need to be strong, long and as secure as possible - avoid basic, easy-to-crack passwords. Instead, complicate them by using "passphrases" rather than individual words - e.g. rather than "spotthedog" use "5p0tth360g".
4. Why not create a single profile for all corporate log-ins, with segmented privileges for individual employees within the same profile? This way, when someone leaves the company, they can be removed automatically.
5. To aid productivity, make it easier for employees to work anywhere, anytime with mobile technology by moving to a single sign-on environment where every employee has one-click access to a secure area in the cloud containing all of their work accounts and applications.
Don't leave it up to employees
Employee education helps, up to a point. But technology - so long as it is simple to use - will always be a more trustworthy defence against hackers than human beings. The reason for this is simply human nature. Elsewhere in the Centrify survey, respondents said that managing passwords was high on their list of "most annoying things". For the British, forgetting a password for an online account (47%) is more annoying than misplacing keys (43%), a mobile phone battery dying (39%) or getting spam email (38%).
Data breach stories in the media are a constant reminder that business needs to do better when it comes to password security. Poor password habits are behind many of the breaches in question. Any business with a mobile workforce that regularly accesses company-sensitive systems and information from their own devices needs to quantify the risks and take whatever steps are necessary to ensure best practice is standard where passwords and reliable authentication are concerned.