Does our behaviour jeopardise our corporate security?
Nowadays, the core asset of a business is its information (documentation on intellectual property, client lists, price matrices, manufacturing processes, organisational chart). A loss of confidentiality or integrity of such information, or its unavailability, could destroy the trust that shareholders and stakeholders have placed in the business, which, ultimately, will go bankrupt. It is therefore crucial to properly protect access to this information. Although most companies are now aware of this fact and enforce policies and procedures to achieve an adequate level of security, it appears that individual behaviour can also significantly affect our corporate environment. This article focuses only on the access control part.

When browsing the web, we realise that the majority of websites, and especially those of banks, lure us by overselling maximum security measures merely by displaying a small padlock symbol in our favourite browser. The problem lies not necessarily in the confidentiality of this connection but in its authentication, which is the keystone for accessing our profiles and data. I personally have a list of about a hundred websites (for private use only) where credentials are needed for different purposes. The task quickly becomes complicated: how can I manage this amount of data that I am supposed to remember? Access to those websites is, however, made easy: none of them has a regular password change policy in place, and most of them do not even have a proper minimum security policy (i.e. mandatory use of a minimum number of alphanumeric characters, combining upper and lower case and special characters).

The management of this information reveals three distinctive behaviours:

The innocent: those who use the same password for all websites. This certainly has the merit of being simple, easy to remember and very convenient. The major problem, of course, is that if one website is vulnerable and this single password is revealed, then every website where the same password was used is compromised as well. The weakest-link principle obviously applies here, and the probability of compromise is multiplied.

The logical: they use a different password for each website, but with a logical system that allows them to remember all the passwords easily. The problem arises when one or two passwords have been compromised: the logic used to create them can be deduced to find the others or, at least, to significantly reduce the number of possible combinations needed to retrieve the password for a particular website.

The paranoid: they use a different password for each website, and there is no logical system by which one can be deduced from the others. This solution, advocated by every security professional, is very difficult to implement because of the complex memorisation it entails. There are software programmes that allow such passwords to be stored, but this solution greatly reduces one's mobility (e.g. using the same application across different platforms such as laptops, tablets, smartphones etc.).

Another dimension, the regular change of passwords, should not be overlooked either. The hundred or so websites where I have an account are quite varied, yet I do not remember any of them having implemented a password expiration policy, which is just as important as complexity. Indeed, any password, even a complex one, will be revealed over time by successive attempts covering all possible choices until one succeeds. An expiration policy avoids this type of problem.
Nevertheless, if the hundred websites forced me to change my passwords every three months, for example, it would take me approximately 500 min (8h 20min) to change all of them, assuming that five minutes per site are needed to change a password, and this four times a year, regardless of which of the three behaviours above applies. So we can ask ourselves whether any of these passwords are actually changed by each of us, especially considering that, on most of these websites, we do not hold critical data. It can be argued that all this is obviously the responsibility of each of us and affects no one other than the person concerned. However, we cannot separate the behaviour of individuals in their private and professional lives. Hence, in spite of sophisticated password policies in the corporate world, the innocent and logical behaviours seem most likely to prevail. In that case, we see that the combination of our behaviour and our private accounts outside the company has an impact and weakens the password security policy, no matter how it is implemented. At work, there are admittedly mitigating mechanisms such as blocking or temporarily suspending accounts after a certain number of failed attempts, but not all services have this feature. It therefore seems that, in the short term, developers of private websites should be made aware of the risk they pose to their customers/users and be encouraged to implement a more rigorous policy, or alternative authentication technologies, rather than traditional password access. But what would be the return on investment for websites that provide free services such as social networks and free webmail? In addition, do our businesses also need to invest, in the short term, in alternative solutions to prevent behaviours which weaken access to their data from being carried over into the working environment?
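The three weaknesses discussed above (a missing minimum complexity policy, no expiration, and the "innocent" reuse of one password across sites) can be audited together over a list of accounts. The following script is an added example, not code from the article; the minimum length of 8 is an assumed placeholder since the article gives no number, the 90-day limit is the article's "every three months", and the sample accounts are constructed.

```python
from collections import Counter
from datetime import date, timedelta
import string

# Assumed thresholds: the article names no minimum length, so 8 is a placeholder;
# 90 days corresponds to the article's "every three months" rotation period.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)


def complexity_violations(password):
    """Check the minimum policy the article describes: a minimum number of
    characters, mixed case, digits and at least one special character."""
    checks = {
        "too short": len(password) >= MIN_LENGTH,
        "no lowercase": any(c.islower() for c in password),
        "no uppercase": any(c.isupper() for c in password),
        "no digit": any(c.isdigit() for c in password),
        "no special character": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def audit(accounts, today):
    """accounts: list of (site, password, last_changed) tuples.
    Returns {site: [findings]} covering weak complexity, overdue
    rotation and reuse of one password across several sites."""
    reuse = Counter(pw for _, pw, _ in accounts)
    report = {}
    for site, pw, changed in accounts:
        findings = complexity_violations(pw)
        if today - changed > MAX_AGE:
            findings.append("older than %d days" % MAX_AGE.days)
        if reuse[pw] > 1:  # the "innocent" behaviour: same password elsewhere
            findings.append("reused on %d other sites" % (reuse[pw] - 1))
        report[site] = findings
    return report


# Constructed sample accounts, not real credentials.
SAMPLE = [
    ("bank.example", "S3cure!Pass", date(2024, 1, 10)),
    ("shop.example", "S3cure!Pass", date(2024, 1, 10)),
    ("mail.example", "letmein", date(2023, 6, 1)),
]
AUDIT_DATE = date(2024, 2, 1)

if __name__ == "__main__":
    for site, findings in audit(SAMPLE, AUDIT_DATE).items():
        print(site, findings or ["ok"])
```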