Can we live without Passwords?
Having to keep track of a seemingly endless list of passwords is a chore that most people find frustrating and difficult. There are social media passwords to remember, login details for a whole range of online stores, and all the security details associated with our daily working lives. It's a list that keeps on growing but, thankfully, new security technologies are emerging that could eventually render passwords redundant. Of course, this will take time. For the foreseeable future, password security will continue to provide a necessary safeguard against cyber intrusion.
Managing your passwords and security
The increase in online services has led to a surge in the number of personal and professional accounts. According to a 2017 survey, the average employee now has 191 separate digital accounts - a staggering figure which shows just what a challenge it is. The best advice has always been to set up different passwords for every account, but with such a large number to remember, relying on memory alone is clearly going to be difficult.
Human nature being what it is, it's extremely common for people to use the same passwords for different accounts. More disciplined individuals might use different passwords but often they'll be creating new passwords according to a set (and therefore predictable) pattern. Reportedly, 81% of all confirmed data breaches are due to poor password security.
For employers, this presents a problem. How can they keep their networks secure if large numbers of their workers are logging on using the same passwords that they use for Instagram, eBay, Netflix, Gmail and other accounts?
A Partial Solution
Experience has shown that employee awareness campaigns really do help when it comes to maintaining good security practices. Employers can hold training sessions and make it a formal requirement that staff change their passwords on a regular basis. This can be enforced either by in-house IT staff or by an outsourced IT provider.
Either way, it is important that staff are routinely reminded of the importance of setting new, unique, complex passwords, and that the company infrastructure requires them to do so. Staff may not exactly relish their duty to keep their logins secure, but the commercial risks make this a policy well worth implementing.
Multifactor authentication
Using unique, complex passwords is important, and there are certain services and software packages that make the process easier - although these will, themselves, also require a master password. However, a good and regularly changed password will only afford so much protection so, wherever possible, it's a good idea to back it up with one or more layers of additional security.
Two-factor authentication is something that most people will have experienced at one time or another. It's what's happening when you log in to a website which then tells you that it will send a passcode to your phone via SMS. You then receive a text and enter the code into the website in order to proceed.
What's going on here is that the website owner is performing a second check on your identity; it has a record of your email and your phone number, and it's using both to verify that you aren't an imposter. The idea here is that someone might be able to hack your email account but it's unlikely that they will also have stolen your phone. Requiring the use of both phone and email gives you 'defence in depth.'
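The passcode check described above, sketched from the website's side as an added example (not code from this article or from any particular service). The class and constant names, the 5-minute lifetime and the 3-attempt limit are assumptions; sending the SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy value)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is revoked (assumed)


class PasscodeStore:
    """Second-factor check: issue a one-time code, then verify it once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [sha256(code), expiry, attempts_left]

    def issue(self, user):
        """Create a 6-digit code for `user`; the caller sends it by SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        # Issuing a new code replaces any earlier one for the same user.
        self._pending[user] = [digest, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """Return True only for the current, unexpired, unused code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry, attempts_left = entry
        if self._clock() > expiry:
            del self._pending[user]
            return False
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[user]      # single use: a replay fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]      # too many guesses: revoke the code
        return False
```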
In businesses, the same principle can be employed. Multiple layers of security can be set in place throughout an IT system, so that anyone seeking access must complete two or more separate (but often interlinked) security checks. Typically, multifactor authentication relies on three different sorts of check:
- Type 1: Something we know (Password or PIN)
- Type 2: Something we have (Key, phone or card)
- Type 3: Something we are (Fingerprints, retinal pattern or DNA)
Properly used, this sort of defence is very robust and reliable, but it is important that each factor is sufficiently secure. Passwords still need to be complex and regularly updated; phones and other hardware must be protected both physically and digitally.
Many systems rely on two of the factors mentioned above, but it's obviously possible to require all three. The disadvantage of that, of course, is that the more checks are required, the more time-consuming the process becomes, and staff and customers could find this frustrating.
This raises a question - whether there are alternatives that offer excellent security without the need for a password.
Looking back at the three forms of security check, it would logically be possible to perform a two-factor authenticated login via the use of a physical object (similar to a debit card or coded key fob) and some sort of physical identity check. This is not so far-fetched: many phones already have facial recognition capabilities and the ability to scan fingerprints, so much of the technical capability already exists.
This would remove the need for a password or PIN, but this is certainly not something that is likely to happen quickly. Widespread adoption would require the roll-out of new hardware, software and procedures on the part of online retailers, service providers, banks and employers, so any transition would inevitably be gradual.
For now, employers will still have to rely on password security as a vital part of their cyber security regimes. Staff awareness is crucial to the reliability of network security measures. For any company concerned about its vulnerabilities, raising awareness is certainly the most important first step.
Cyber Security Awareness
The information in your organisation is unlikely to be completely secure unless your employees are trained in password and security awareness. That's why we have developed a one-day Cyber Security Awareness course.
The aim of the course is to reduce the probability of lapses and security breaches by making ordinary (non-expert) staff aware of good security practices, as well as defined policies and procedures. (If you have no formal password and security policies in place, we can help you with that too.)
The course ensures that your assets are better protected, and will help to increase customer and employee confidence in your business.
To book a place, please call us on 0800 368 7730 or contact us below.