Mohammad Ismail is Middle East area manager, online authentication and enterprise security, Gemalto.
Published Monday, 28 May 2012
Millions, even billions, of dollars are being spent on network security every year, yet end user error continues to be the biggest threat to electronic information security. Mohammad Ismail says organisations must have clear password and authentication policies, and should consider methods such as dual factor authentication and biometrics.
By Mohammad Ismail
It never ceases to amaze me how, every year, millions of dollars are spent on network security architecture to protect enterprises from hacks and malicious attacks, while attackers outside the network constantly probe for vulnerabilities and cracks to exploit.
It turns out, however, that most of the openings they find are created from inside the network's defences, by user error. These holes can be plugged cheaply, saving both money and valuable data; a little common sense and diligence is all that is required.
As people continue to choose ‘12345’ or ‘abcde’ as their network password, knowing full well the value of the information sitting on the network, the only conclusion is that password policies are either not present or, more probably, not being enforced.
Further to that, I would recommend that IT managers and their executives adopt two-factor authentication and treat it as an absolute necessity rather than a luxury.
Just recently, the Wall Street Journal reported on the ten-year-long hack of Nortel, and how it could have been easily prevented. Hackers stole passwords from executives and used them to gain complete access for almost a decade.
A stolen password stays useful until it is changed, so someone should have told their IT department about the need to change passwords more frequently. Believe it or not, 33 of the 78 compromised e-mail addresses used passwords that were either ‘12345’ or ‘123456’, as simple as it gets.
I have no intention of trivialising such events, or making light of the serious issues digital security professionals face in their day-to-day task of protecting networks.
I believe we need to pause and think about what lessons can be learned from the headlines that never seem to go away. Here are five thoughts on how to better secure the user and their access to the network.
- Use an additional user verification device. This is ‘something you have’: a smart card, key fob or mobile device that only its owner should hold. If it is lost or stolen, report it immediately to whoever issued it (normally your IT department) so the token can be revoked before anyone else can use it.
- Use a PIN with the device. The PIN is ‘something you know’; it unlocks the token, which then produces a one-time password (OTP), a code valid only for a short window (seconds to a few minutes) and never accepted twice. Stealing the PIN alone, or the token alone, is not enough to log in.
- Use your identity. This is ‘something you are’: a trait unique to you, such as a fingerprint. Biometrics are frequently used in high-security environments, usually alongside one of the other factors rather than on their own.
- Use a little common sense. Imagine someone trying to guess a password: the obvious choices, 123456, abcdef, abc123 and qwerty, sit at the top of every attacker's list and are tried first. Length and unpredictability are what defeat guessing; mixing in numbers and capital letters helps only if the result is not itself a well-known pattern (abc123 already contains numbers).
- Protect your mobile devices. With cloud services we use several devices to reach the same data. Sign out when you finish, and password-lock every device you use to access confidential information, so a lost phone or laptop does not become an open session.
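The ‘something you have’ plus ‘something you know’ combination in the list above, together with the common-sense password screen, can be shown end to end in a few dozen lines. The following Python is an added illustration written for this page, not code from the author or from Gemalto: it implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238, which is what most key fobs and phone authenticator apps use), screens a password against the guessable values the article names, and then performs a server-side two-factor check that needs both the PIN and a fresh OTP, accepts a small clock skew, and refuses a code that has already been used. The shared secret is the RFC 4226 test-vector key, and the PIN, salt, clock values and password list are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample data for the demonstration (not real credentials).
# DEMO_SECRET is the RFC 4226 test-vector key, so the codes it produces are
# the published reference values (counter 0 -> 755224, counter 1 -> 287082).
DEMO_SECRET = b"12345678901234567890"
WEAK_PASSWORDS = {"12345", "123456", "abcde", "abcdef", "abc123", "qwerty"}
DEMO_SALT = b"constructed-per-user-salt"  # assumption: real systems use a random per-user salt


def password_is_acceptable(password: str, min_length: int = 12) -> bool:
    """Reject the guessable passwords the article lists and anything too short.
    Length matters more than mixed character classes, so that is what we check."""
    if password.lower() in WEAK_PASSWORDS:
        return False
    return len(password) >= min_length


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since epoch."""
    return hotp(secret, unix_time // step, digits)


def matching_counter(secret: bytes, submitted: str, unix_time: int,
                     step: int = 30, skew: int = 1):
    """Return the time-step counter whose code matches, or None.
    One step either side is accepted so a slightly drifted token still works."""
    base = unix_time // step
    for delta in range(-skew, skew + 1):
        expected = hotp(secret, base + delta).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return base + delta
    return None


def hash_pin(pin: str) -> bytes:
    """Server stores only a slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), DEMO_SALT, 100_000)


class TwoFactorAccount:
    """Server-side record for one user: PIN hash, token secret, last counter used."""

    def __init__(self, pin: str, secret: bytes):
        self.pin_hash = hash_pin(pin)
        self.secret = secret
        self.last_counter = -1  # highest time-step counter already accepted

    def login(self, pin: str, code: str, unix_time: int) -> str:
        """Both factors are evaluated before answering, so a wrong PIN on its
        own leaks nothing about whether the OTP was right."""
        pin_ok = hmac.compare_digest(hash_pin(pin), self.pin_hash)
        counter = matching_counter(self.secret, code, unix_time)
        if not pin_ok or counter is None:
            return "rejected"
        if counter <= self.last_counter:
            return "replayed"  # a code captured from one login cannot be reused
        self.last_counter = counter
        return "accepted"


def demo() -> list:
    """Walk through the scenarios in the list above; returns the outcomes."""
    account = TwoFactorAccount("4321", DEMO_SECRET)
    t = 59  # RFC 6238 reference time: counter 1, code 287082
    return [
        account.login("0000", totp(DEMO_SECRET, t), t),   # right code, wrong PIN
        account.login("4321", "000000", t),               # right PIN, wrong code
        account.login("4321", totp(DEMO_SECRET, t), t),   # both factors: accepted
        account.login("4321", totp(DEMO_SECRET, t), t + 16),  # same code again
        account.login("4321", totp(DEMO_SECRET, t + 16), t + 16),  # next step's code
    ]


if __name__ == "__main__":
    print("password screen:", [(p, password_is_acceptable(p)) for p in ("abc123", "correct horse battery staple")])
    print("login outcomes:", demo())
    print("current code for the demo token:", totp(DEMO_SECRET, int(time.time())))
```

The replay check is the part most home-grown OTP verifiers forget: with a one-step skew window, a code stays valid for up to about 90 seconds, so an attacker who shoulder-surfs or phishes a code can use it unless the server remembers which counters it has already accepted.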
I believe that a bit of common sense, and more diligence from IT managers in making sure employees and executives alike follow a password policy, will go a long way towards reducing these internal threats to corporate networks.
Better still, make two-factor authentication a fact of life in your organisation: it saves money, secures your data and wastes no more of anyone's time.