Are user behaviors putting your business at risk?
Inevitably, the answer is always “yes”. But some of the risk can be avoided and users can be made more resilient through coaching, training, and a little bit of psychology.
Most users know, and will admit, that they hold a stake in the security of their employer's data and network, yet surprisingly few take action to mitigate the risks they themselves control.
79% of users agree that compromised passwords are a concern, and 92% know that reusing the same password, or a variation of it, increases the risk. Yet only 45% of them changed their passwords in the past year after a breach. (LastPass user survey results from 2020)
More alarming still is how users prioritize their passwords. Unsurprisingly, a majority (~68%) said their financial accounts should have the strongest passwords. Surprisingly, only a minority (~32%) said their work accounts deserve the same treatment. (LastPass user survey results from 2020)
Only 8% of those surveyed said passwords should have no ties to personal information. Only 8%.
Training Users on Passwords
Mandates are a pain, but sometimes they are necessary. When it comes to company data, we strongly recommend that company policy leave no “My Password, My Choice” grey area.
Should a user choose their own password? Yes, but strong requirements and guidelines should be in place. As your IT consultant, we can enforce hard technical requirements: passwords must be 8 characters or more, must contain an upper-case letter and a number, and must not match previous passwords. But some requirements have to come from you, the employer. You should insist that passwords be nonsensical, mixed with numbers and symbols rather than built from individual words, and that they contain no personal information that can be found publicly on the internet, such as on Facebook. (Note that current NIST guidance, SP 800-63B, puts more weight on length and on screening passwords against known-breached lists than on character-class rules, so treat 8 characters with mixed classes as the floor, not the goal.)
A directory server can enforce the mechanical rules, but it cannot judge whether a password is meaningful to the user, so coaching has to fill that gap, and opportunities to coach present themselves from time to time. For one, when we first set up a user, we make recommendations on their password, e.g. “Please set your password here. It should have at least 8 characters and contain lower-case and upper-case letters and a number or symbol. Avoid anything personal, like a birthday, anniversary or name.” Other opportunities arise when IT is not involved, such as when a user makes an offhand comment that reveals their password contains a birthday. Supervisors and management should then coach the user to change the password to something less personal, and politely let them know that company policy forbids using such information in a password.
On a side note, unless a breach has occurred, we do not recommend taking formal action against a user over their password and company policy. Perhaps if the problem persists across numerous incidents, or something malicious happens, but doing so on the basis of a casual conversation is a bad idea. We feel this creates an office culture that is negative and hurtful rather than positive and secure.
“Coaching” instead of “Mandating”
Some mandates are good, but too much regulation causes problems as well. It used to be recommended that company policy require passwords to be changed every 90-180 days. That recommendation can backfire in nasty ways. First, users circumvented the policy by changing their password and then changing it straight back. Directory servers then added password-history checks to prevent this, but users found another way around: one trick was to change the password to the current season and year. Word of the trick spread around the office, and soon everyone's passwords were things like Fall2021, Spring2020, Winter2022… can you see the problem? (Current NIST guidance, SP 800-63B, no longer recommends periodic rotation at all; passwords should be changed when there is evidence of compromise.)
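The hard requirements described under “Training Users on Passwords” above, plus a check for the season-plus-year passwords this paragraph describes, can all be enforced at password-change time. Below is an added example written for this article in Python; it is not code from St. Aubin Technologies or from any directory product. The profile field names, the breached-password list and the 12-character minimum are assumptions, and previous passwords are compared by salted PBKDF2 hash so no old plaintext ever needs to be kept.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample list, not a real corpus: a production check would query a
# breached-password source such as the Have I Been Pwned k-anonymity API.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

# "Fall2021", "Spring 2020", "winter-22!" and similar season+year passwords.
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)[\W_]*(19|20)?\d{2}[\W_]*$", re.IGNORECASE
)

# Cheap leet-speak normalisation so "J0hn" and "P@ssw0rd" still match plain words.
LEET = str.maketrans("013457@$", "oieastas")


def personal_tokens(profile):
    """Substrings that must not appear in a password, derived from the user's
    profile. The field names are hypothetical and assumed for the example."""
    tokens = set()
    for key in ("first_name", "last_name", "username", "pet"):
        value = profile.get(key, "")
        if len(value) >= 3:
            tokens.add(value.lower())
    for key in ("birthday", "anniversary"):
        d = profile.get(key)
        if isinstance(d, date):
            tokens.update({f"{d:%Y}", f"{d:%m%d}", f"{d:%d%m}",
                           f"{d:%m%d%y}", f"{d:%m%d%Y}", f"{d:%d%m%Y}"})
    return tokens


def password_hash(password, salt):
    """Slow, salted hash used to keep password history without storing plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_password(password, profile, history, salt, min_length=12):
    """Return the list of policy violations for a candidate password.

    An empty list means the password is acceptable. `history` is a list of
    password_hash() digests of the user's previous passwords.
    """
    problems = []
    lowered = password.lower()
    normalised = lowered.translate(LEET)

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in BREACHED or normalised in BREACHED:
        problems.append("appears in breached-password list")
    if SEASON_YEAR.match(password):
        problems.append("season+year pattern (e.g. Fall2021)")
    for token in sorted(personal_tokens(profile)):
        if token in lowered or token in normalised:
            problems.append(f"contains personal information ({token!r})")
            break
    new_hash = password_hash(password, salt)
    if any(hmac.compare_digest(new_hash, old) for old in history):
        problems.append("matches a previous password")
    return problems


# Constructed example user; in practice the salt comes from the user's directory record.
SAMPLE_PROFILE = {"first_name": "John", "last_name": "Doe", "birthday": date(1985, 6, 14)}
SAMPLE_SALT = b"example-salt-16b"  # fixed only so the example is reproducible
SAMPLE_HISTORY = [password_hash("Summer2021!", SAMPLE_SALT)]

if __name__ == "__main__":
    for candidate in ("Fall2021!", "J0hn1985!", "Summer2021!", "wR7#kq2!Lp9zVm"):
        verdict = check_password(candidate, SAMPLE_PROFILE, SAMPLE_HISTORY, SAMPLE_SALT)
        print(f"{candidate:16} -> {verdict or 'ok'}")
```

The personal-information check is mechanical: a name or a date of birth is a fixed set of substrings, so where the directory already knows them the gap between what a machine can enforce and what a colleague can spot is smaller than it first appears. The season-plus-year regex is the cheapest possible defence against the rotation workaround described above; a breached-password lookup in production would use a k-anonymity API rather than an in-memory set.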
We prefer to coach users on security rather than mandate it. Sure, some things need to be mandated, for instance users must have a password. But when it comes to other requirements, it is better to recommend them and give the user some responsibility.
Many years ago when I umpired Little League Baseball, we were taught to tell the catcher, when they came out, how many practice pitches to give the pitcher and to tell the umpire when they were done. Interestingly, giving the catcher this small amount of responsibility empowered the 12-year-old to literally help you, the umpire, keep the game moving timewise. The player was now partially responsible for managing the game, and the umpires didn't have to pay 100% attention between innings.
This coaching effect works with users and security too. By coaching users to set strong passwords with no ties to personal information, users feel empowered and responsible for maintaining their own account security. That empowerment pushes users to develop their own method for building passwords. In turn, that makes users less likely to share their password, or their method, with others, further strengthening their own account security.
If you only mandate requirements, users will instead feel empowered by sharing their tricks for circumventing the rules… and that leads to bad places.
How to simplify this for all.
Password Managers, specifically Enterprise Password Managers.
With a password manager, users only need to remember one (1) password: their master password. Every other password can be long and random, and a long random password is impractical to guess or brute-force. Users no longer need a method for remembering their passwords, and no longer need to lean on memorable personal information to build them. The trade-off is that the master password now protects everything, so it must be genuinely strong and the vault itself must be protected with MFA.
But passwords themselves can be cracked. For instance, an 8-character password made only of digits has just 100 million possibilities and is cracked essentially instantly by a computer. An 8-character password drawn from digits, upper- and lower-case letters and symbols takes on the order of 8 hours under the commonly cited assumption of a GPU rig attacking a fast, unsalted hash. That is still pretty quick, and the figure depends entirely on how the site stored the password: a deliberately slow hash such as bcrypt pushes it up by orders of magnitude, while a leaked plaintext password needs no cracking at all.
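To see where the numbers in the preceding paragraph come from, here is an added worked example in Python, written for this article and not taken from the original post or from LastPass. The attacker speeds are assumptions: 2.3 × 10^11 guesses per second is roughly the rate that turns the 95^8 possibilities of an 8-character full-alphabet password into 8 hours, which is what a multi-GPU rig manages against a fast unsalted hash such as MD5; 10^5 per second stands in for a slow, purpose-built password hash such as bcrypt. The last function shows what a password manager actually does when it generates a random password.

```python
import math
import secrets
import string

# Alphabet sizes behind the familiar "time to crack" tables.
DIGITS = string.digits                               # 10 characters
ALNUM = string.ascii_letters + string.digits         # 62 characters
PASSWORD_ALPHABET = ALNUM + string.punctuation       # 94 printable ASCII, no space
FULL = PASSWORD_ALPHABET + " "                       # 95, the figure the tables use

# Assumed attacker speeds in guesses per second (assumptions for the example,
# not measurements). RATE_FAST_HASH is what the "8 hours for 8 characters"
# figure implies for a GPU rig against an unsalted MD5-style hash;
# RATE_SLOW_HASH is a plausible rate against bcrypt at a sensible cost factor.
RATE_FAST_HASH = 2.3e11
RATE_SLOW_HASH = 1e5


def keyspace(length, alphabet_size):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, rate):
    """Worst-case time to try every password; the average find takes half this."""
    return keyspace(length, alphabet_size) / rate


def human(seconds):
    """Render a duration the way the crack-time tables do."""
    if seconds < 1:
        return "instantly"
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 365.25 * 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (365.25 * 86400):.3g} years"


def generate_password(length=16, alphabet=PASSWORD_ALPHABET):
    """What a password manager does: draw every character uniformly from a
    CSPRNG, so the strength is exactly entropy_bits(length, len(alphabet))
    with no method for an attacker to model."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cases = [("8 digits", 8, len(DIGITS)), ("8 full", 8, len(FULL)),
             ("12 full", 12, len(FULL)), ("16 full", 16, len(FULL))]
    print(f"{'password':10} {'bits':>6} {'fast hash':>16} {'slow hash':>16}")
    for name, length, size in cases:
        print(f"{name:10} {entropy_bits(length, size):6.1f} "
              f"{human(seconds_to_exhaust(length, size, RATE_FAST_HASH)):>16} "
              f"{human(seconds_to_exhaust(length, size, RATE_SLOW_HASH)):>16}")
    print("manager-generated:", generate_password())
```

Two things the table makes visible that the prose does not: doubling the length from 8 to 16 characters does not double the work, it squares it, and the same 8-character password goes from 8 hours to roughly two thousand years simply by the site having used bcrypt instead of MD5. Neither of those is under the user's control, which is the argument for long random passwords from a manager.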
You know what authentication method makes a guessed password useless on its own? Multi-factor authentication, MFA or 2FA for short. You probably use MFA already for some accounts, such as bank accounts: the text message with a code is MFA.
Even if an attacker guesses a user's password, they still need that second factor. The caveat is that a code is only as strong as the channel that carries it: SMS codes can be intercepted by SIM swapping, and any code a user types can be phished in real time, so app-based codes are better than SMS and hardware security keys (FIDO2) are better still. Many password managers can also store the MFA seed and generate the one-time code for sites that support it, which simplifies the process; keep in mind that a seed kept in the same vault as the password means a compromised vault yields both factors.
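For most sites, the “built-in MFA” in a password manager is a TOTP generator (RFC 6238): the site shares a secret seed through a QR code, and both sides compute a short code from the seed and the current 30-second time step. Below is an added example in Python, written for this article, of both the client side (generating the code) and the server side (verifying it with a small drift window). It is not LastPass's code or any site's implementation; the base32 seed in the usage line is a constructed example, and the reference secret is the one published in RFC 6238 Appendix B.

```python
import base64
import hmac
import struct
import time


def decode_base32(secret):
    """Decode the base32 seed shown in an otpauth:// QR code (padding optional)."""
    secret = secret.strip().replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, timestamp=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the authenticator (or the password manager) computes."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret, code, timestamp=None, window=1, step=30, digits=6,
                algorithm="sha1"):
    """Server-side check: accept the code for the current step and up to
    `window` steps either side to tolerate clock drift, comparing in constant
    time. A real server must additionally refuse to accept the same code twice
    (replay) and rate-limit attempts, since a 6-digit code has only 10^6 values."""
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


# RFC 6238 Appendix B reference vector (SHA-1, 8 digits): this ASCII seed
# yields 94287082 at T=59 and 07081804 at T=1111111109.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    seed = decode_base32("JBSWY3DPEHPK3PXP")  # constructed example seed
    print("current 6-digit code:", totp(seed))
    print("RFC 6238 vector, T=59:", totp(RFC6238_SECRET, 59, digits=8))
```

Note what the seed is: a long-lived shared secret. Whoever holds it can generate every future code, which is why a seed stored next to the password in the same vault collapses two factors into one vault compromise, and why the server must protect its copy as carefully as a password hash (unlike a hash, it cannot be stored one-way).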
St. Aubin and MFA
For the record, St. Aubin Technologies mandates the use of a password manager, LastPass, as well as MFA on every account that supports it. Even the system we use to receive MFA texts requires MFA itself. If we could put MFA on our door locks, we probably would. Of course, all of that comes with a cost and a little inconvenience. But we put our clients' security first; shouldn't you?