Remember the scandalous Sony breach? Not only had Sony been warned about the use of weak passwords, but the electronics and entertainment giant also stored user passwords in a file conveniently named “Password.” The file, which was hacked, contained employees’ personal data such as Social Security numbers.
Eighteen months after the Sony debacle, a new report from Verizon reveals “63% of confirmed data breaches involved weak, default or stolen passwords.” It is one of the findings in the 2016 Data Breach Investigations Report (DBIR), an annual security report published by Verizon.
Either we’ve learned nothing or users and administrators are just lazy. Whichever the case, the Verizon report reminds us that proper password management is essential to good security. Sure, passwords are inconvenient, but here’s what’s even more inconvenient: a major breach exposing employee human resources and medical records, customer data and intellectual property.
Work with Clients
MSPs need to work with clients on password management. As with most aspects of IT security, the solution involves technology and user training. User behavior, be it malice or just plain negligence, is responsible for most security breaches, so you can’t just throw technology at the problem.
Users must be conditioned, for instance, not to open suspicious emails that may be phishing attempts, and taught not to share passwords. As a recent IT Governance blog points out: “After all, even the strongest password, if it becomes widely known, offers no barrier to access. If you share your information or reuse the same credentials to sign into numerous accounts, a single data breach will jeopardize the security of all of them.”
It takes one “lazy user,” as the blog’s author puts it, to cause a massive corporate data breach. So addressing user behavior in relation to passwords, and security in general, is paramount.
Beyond user training, MSPs should be adding identity management and single sign-on (SSO) solutions to their offerings. Users hate passwords not just because passwords are complicated but also because people are required to remember too many of them. Who can remember 20 passwords, for crying out loud? Yet, that’s pretty much the average.
That’s why SSO and identity management solutions that require users to memorize a single password are very attractive. To further strengthen authentication procedures, MSPs should also offer two-factor authentication solutions to clients so that passwords are backed by a second authentication method when users log on to assets containing sensitive data.
Passwords may be a pain, but the potential consequences of shoddy password management can hurt even more. It’s up to you to make sure your customers understand this.