Posted on August 12, 2016 by kellyk
Everybody knows the story.
A colleague wrote his password down and left it stuck to his cubicle wall. Or chose a password so basic that a child could guess it.
And unsurprisingly, his account was compromised. Bad news for him, bad news for his employer.
But the fact is that in many organizations, employees simply aren’t interested in security. At least, not until something goes wrong.
Of course, this is a recipe for disaster.
So how can we as IT professionals convince employees to care about their accounts? What can we do to make their lives easier, instead of constantly reminding them to change their passwords once per month?
The #1 Rule of Identity Management Training
You can teach employees how to choose good passwords, or to not leave themselves logged in. You can implore them to not write their passwords down and stick them to their monitors.
But ultimately, there’s one lesson above all others that must be conveyed: Teach them to own their identity.
When it comes down to it, data breaches aren’t only bad for organizations. Just ask the Sony employees who received personal threats after the company’s hugely embarrassing breach in November 2014.
Convincing your employees to take responsibility for their own identities is easily the most secure approach to identity management, both for them and for the organization. Even now, many security awareness training programs make the initial assumption that employees simply don’t care, but never give them the opportunity to change their mindset.
Instead, they focus on the actions employees must take in order for the organization to remain compliant.
But modern people are used to managing their identities. They do it all the time in their private lives, and if you can convince them to buy into the process, you’ll be giving them knowledge and tactics that will keep them safe both in and out of work. Nobody wants to have their identity stolen, so if you take the time to develop useful and relatable identity management training, your employees are far more likely to take the subject seriously.
Ownership Changes Behavior
It’s no secret that many employees choose terrible passwords. Organizations do their best to mitigate this by disallowing common weak passwords and including syntax requirements, but it happens all the same.
But in reality, most of the time this isn’t a problem. The real issue comes when bad passwords are combined with compromising security behaviors.
The best password in the world won’t save an employee who persistently leaves their terminal logged in when they leave at night. Equally, if you require employees to update their password monthly, you’ll probably find that they change only a single character, and eventually that will catch up with you.
The real value of instilling ownership in your employees is that most compromising security behaviors are the result of apathy. If your employees are engaged and have the tools and training they need to engage in sensible security behaviors, you’ll have far fewer weak points.
Of course, you do still have to provide the tools and training.
After making sure your employees understand the need for ownership, and specifically how it benefits them, your identity management training program must cover the basic behaviors that should underpin their daily work. For instance:
Choosing Secure Passwords
When most people think about identity management, passwords are the first thing they consider.
And with good reason. Strong passwords, coupled with sensible behaviors, will keep the vast majority of employees out of trouble.
There’s just one problem.
Most employees have no idea what constitutes a strong password, and the attempts of many organizations to enforce password criteria are counterproductive. Why? Because passwords that must (for example) be between six and fifteen characters long, and include upper and lower case letters, numbers, and symbols, are difficult to remember. As a result, many employees choose to write their passwords down and stick them to their monitors.
This is a prime example of a security policy that actively encourages poor security behavior.
So how, then, should employees be taught to choose passwords? Amazingly this topic is rarely covered by training programs but is clearly essential if employees are expected to take any responsibility for their own identities.
Let’s start with the basics. From a traditional security standpoint, there are two main concerns where password selection is concerned:
But these are not the concerns of the average employee. In fact, an employee’s main concern is whether they’ll be able to remember a password, not whether someone else might be able to access their account.
But the thing is, it is easy to reconcile the concerns of both employees and security professionals… it’s just that most organizations go about it in the wrong way.
Longer passwords containing only lowercase letters are actually much harder to brute force than shorter but more complex passwords.
For instance, let’s look at the password b6&%dHnvdu. Most people would consider this to be a highly secure password, but it’s certainly not easy to remember.
But worse, Conficker, one of the most prolific botnets, could crack it in approximately two hours.
Comparatively, choosingstrongpasswordsiseasy would take the same botnet around 300 years to crack, even though its structure is very simple. And let’s face it, it’s much easier to remember than our previous example.
Go the extra mile with MyNewPasswordIs100%Secure! and even the world’s fastest supercomputer would take 1,468 centuries to brute force its way into your account.
Clearly, this is not simply a training issue, but also a network management decision. But given that these passphrases are both easier to remember and more secure, it does seem something of a no-brainer.
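The comparison above rests on a simple idea: the number of guesses a brute-force attacker must make grows with the alphabet size raised to the password length, so length wins over symbol soup. The following is an added example (not code from the original post or from TraceSecurity) that scores the three passwords quoted above with that model. It also adds a second, more pessimistic model for the all-lowercase passphrase, in which the attacker guesses whole dictionary words rather than letters, because that is the usual objection to passphrases and it is worth seeing that the passphrase still holds up. The guess rate (10 billion guesses per second) and the vocabulary size (20,000 words) are assumptions chosen for illustration; the post's own figures (two hours, 300 years, 1,468 centuries) come from the author's attacker model and are not reproduced here.

```python
import math
import string

# Character classes for the naive "search space" model: if any character of a
# class appears, the attacker is assumed to have to try the whole class.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}

# Assumed attacker speed for the time estimate (not a figure from the post).
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size the attacker must assume, given which classes appear.
    Characters outside all four classes (space, non-ASCII) each add one."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    unknown = {c for c in password
               if not any(c in chars for chars in CLASSES.values())}
    return size + len(unknown)


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search must cover: alphabet ** length."""
    return charset_size(password) ** len(password)


def brute_force_bits(password: str) -> float:
    """Same quantity expressed in bits, so passwords can be compared at a glance."""
    return math.log2(search_space(password))


def passphrase_bits(word_count: int, vocabulary: int = 20_000) -> float:
    """Pessimistic model for a passphrase: the attacker guesses whole words
    drawn from a vocabulary of the assumed size, not individual letters."""
    return word_count * math.log2(vocabulary)


def years_to_exhaust(candidates: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def score(password: str) -> dict:
    """Collect the figures for one password in a single report."""
    return {
        "password": password,
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(brute_force_bits(password), 1),
        "years_to_exhaust": years_to_exhaust(search_space(password)),
    }


# The three passwords discussed in the post.
PAGE_EXAMPLES = [
    "b6&%dHnvdu",
    "choosingstrongpasswordsiseasy",
    "MyNewPasswordIs100%Secure!",
]

if __name__ == "__main__":
    for pw in PAGE_EXAMPLES:
        r = score(pw)
        print(f"{r['password']:<32} len={r['length']:>2} alphabet={r['alphabet']:>2} "
              f"bits={r['bits']:>6} years={r['years_to_exhaust']:.3g}")
    # The lowercase passphrase is five words; show what a word-guessing
    # attacker with an assumed 20,000-word vocabulary is up against.
    print(f"passphrase as 5 words from 20k vocabulary: "
          f"{passphrase_bits(5):.1f} bits")
```

Run as a script it prints one line per password. The ten-character mixed password scores about 65 bits, the 29-letter lowercase passphrase about 136 bits, and the long mixed sentence about 170 bits, which is the ordering the post describes. Even under the word-guessing model the passphrase comes out near 71 bits, still ahead of the short complex password, which is why the advice to favour length is sound. The model is a teaching aid, not a cracking estimate: it ignores hash speed, GPU rigs, leaked-password lists and the fact that attackers try likely candidates first, so treat the year figures as upper bounds.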
In our opinion, teaching users to select strong, easily remembered passwords is not just a good idea, it’s your organization’s duty.
Password Recovery Woes
Of course, it really doesn’t matter how good a password is if it can be easily stolen or changed using your organization’s password recovery facility.
If a password can be recovered using low-quality Q&As such as ‘What is your maiden name?’ or ‘What was the name of your primary school?’, you’re just begging for trouble.
This is predominantly a network management issue, as these basic questions should never be available for users to select, but there is an identity management training consideration as well. Your organization is almost certainly not equipped to know which questions will be most secure for each employee. Some people are more open with their information than others, and it’s important that each employee selects the most secure recovery questions for them.
So don’t let all that password security training go to waste: train your employees to consider security at every stage of the authentication process.
What Do You Want From This?
Many organizations never seem to ask themselves what they’re trying to achieve with their security awareness training. This is doubly true when it comes to identity management.
From the outside, it looks as though most organizations are playing the authoritarian role, forcing their employees into certain behaviors that make it possible to survive compliance checks. But is that really the best option?
We think not.
So if what you really want is to help your employees take responsibility for their own digital safety, we’d love to help. At TraceSecurity we offer comprehensive training, including identity management and password safety, that’s designed to help employees understand and engage with your security program.
Want to increase security awareness among your staff and meet compliance regulations? TraceSecurity information security analysts will work with your organization to design an efficient and effective training program.