
Passwords Don't Have To Threaten Business Security

Aug 25, 2008
The emergence of the World Wide Web as a global, around the clock marketplace has opened a multitude of new opportunities to businesses which have never before been seen. Computers and global communication networks have brought vendors, customers and markets together in new and beneficial ways. Along with all of the benefits which business has gained from the information age come some downsides. New crimes have not been created by new technology, but rather new technology has given new tools to criminals to commit the same crimes as they always have. The difference is that criminals now have a global reach, just as businesses do. In the U.S. at least, the responsibility for protecting consumers from having their personal information pilfered is placed upon businesses.

While some will blame the computer itself for crimes involving identity theft, it is usually not the computer but rather the way in which the victim has made use of it which is at issue. The victim's lack of attention to network and computer security has offered criminals access right into their home or business. After all, if we never lock our doors, would we blame the contractor who built our home for a burglary? In a corporate environment, it is typically employees, including IT staff, who are really at fault.

About 70% of data breaches at businesses can be laid at the feet of people within the company. Employees using weak passwords or making the egregious mistake of writing down their passwords in plain view allow unscrupulous employees and others easy access to company information. Employees know that the quickest way to find a password is to sit at someone's desk; quite often, employees will tape passwords on notes on the monitor, to the desk (or underneath it) or in desk drawers, often simply labeled "passwords" or worse yet, on the desktop of their computer in an unencrypted document. Keep in mind that if a security breach happens through the use of a legitimate user name and password, it is very difficult for your IT staff to catch. Poor password management on the part of your employees can give criminals complete access to sensitive corporate data.

IT departments try to reduce the risk of data breaches through the implementation of stronger security policies. There are six basic rules of password security which they commonly use. These are:

LENGTH - Passwords should always be at least eight characters long. The longer, the better as long as you can remember your password.
RANDOMNESS - A password should be difficult to guess. Use combinations of numbers and letters rather than words, dates and so on.
COMPLEXITY - Employ a mix of numbers, punctuation marks and lower and uppercase letters in your passwords.
UNIQUENESS - Use a unique password for each user account.
ROTATION - Passwords should be changed every two to three months.
MANAGEMENT - Never let anyone see your password. And never, ever write it down.
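The first five rules can be checked mechanically against a set of stored account records. The following is an added example written for this article, not code from the author or from Access Smart; the 90-day limit is an assumed concrete value for "every two to three months", and the account records are constructed sample data. The MANAGEMENT rule (never show or write down a password) is a matter of handling, not of the password's content, so it is not checked here.

```python
import re
from datetime import date, timedelta

# Thresholds from the article's six rules. 90 days is an assumption standing
# in for "every two to three months".
MIN_LENGTH = 8
MAX_AGE_DAYS = 90

# Constructed sample records: one password per account plus the date it was set.
ACCOUNTS = {
    "vpn":   {"password": "Qz7!mvLp#2", "set_on": date(2008, 7, 1)},
    "email": {"password": "Qz7!mvLp#2", "set_on": date(2008, 2, 1)},
    "crm":   {"password": "summer2008", "set_on": date(2008, 8, 1)},
}

def complexity_classes(pw):
    """Count the character classes (lower, upper, digit, punctuation) present."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for pattern in classes if re.search(pattern, pw))

def looks_guessable(pw):
    """Crude RANDOMNESS test: a plain word, optionally followed by a few digits."""
    return re.fullmatch(r"[A-Za-z]+\d{0,4}", pw) is not None

def check_account(name, accounts, today):
    """Return the names of the rules this account's password violates."""
    record = accounts[name]
    pw = record["password"]
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("LENGTH")
    if looks_guessable(pw):
        violations.append("RANDOMNESS")
    if complexity_classes(pw) < 3:
        violations.append("COMPLEXITY")
    # UNIQUENESS: the same password must not appear on any other account.
    if any(o["password"] == pw for n, o in accounts.items() if n != name):
        violations.append("UNIQUENESS")
    if today - record["set_on"] > timedelta(days=MAX_AGE_DAYS):
        violations.append("ROTATION")
    return violations

def audit(accounts, today=date(2008, 8, 25)):
    """Audit every account; returns only the accounts with violations."""
    report = {n: check_account(n, accounts, today) for n in accounts}
    return {n: v for n, v in report.items() if v}
```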

The conflict going on here is between IT departments and other employees. As IT departments make security measures more complex and difficult, employees fall back on weaker security habits to make access easier for themselves. Employees will nearly always forgo security for the sake of convenience.

One way to avoid this conflict is to adopt token-based password management. These sorts of systems include:

Security:
o PIN-protected smartcards which lock data after a predetermined number of failed attempts at access.
o Passwords are never stored in computers, where hackers and snoopers can find and use them.
o Passwords can be as long as 20 characters, with all 96 possible characters on the keyboard being available to use.
o Each website, encrypted file and network can (and should) have its own unique, complex password.
o Since your passwords are never typed in, a keylogger cannot record them.
o The card can be encrypted so that only the software used to manage the cards can access the data on them.

Convenience:
o The management system for these cards can handle logins for different accounts, files, applications and networks.
o The management system can launch a web browser, navigate to the appropriate login page and take care of authentication, all with a double click.
o Users never have to remember (or type) passwords.
o Users will have their passwords on them at all times.
o These cards can be carried in a wallet or even used as an employee ID badge.
o Passwords will not be written or stored where they can be found.
o Cards can store over 100 different passwords and their associated account information.
o Login sites are saved to the card.

Portability:
o Passwords are available to users at any workstation once their smartcard is inserted.
o The card can be used in the office or at home or from another remote location. These sorts of smartcards are great for students and others as well.
o Smartcards are ideal for employees who work remotely but need secure access to the company network.
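The first security bullet above, a PIN that locks the card after a fixed number of wrong attempts, is the mechanism that makes a lost card hard to exploit. The simulation below is an added example written for this article, not the author's or Access Smart's code; the three-try limit and the card contents are constructed assumptions. It shows the two properties that matter: the retry counter is spent before the PIN is compared, and once the card is locked even the correct PIN is refused.

```python
import hmac

class PinProtectedToken:
    """Simulates a smartcard that locks its data after MAX_TRIES wrong PINs."""

    MAX_TRIES = 3  # assumed limit; a real issuer chooses this value

    def __init__(self, pin, stored_passwords):
        self._pin = pin.encode()
        self._store = dict(stored_passwords)
        self._tries_left = self.MAX_TRIES

    @property
    def locked(self):
        return self._tries_left == 0

    def verify_pin(self, attempt):
        """True if the PIN matches. A locked card rejects even the right PIN."""
        if self.locked:
            return False
        # Spend the try first, so interrupting the check cannot refund it.
        self._tries_left -= 1
        if hmac.compare_digest(self._pin, attempt.encode()):
            self._tries_left = self.MAX_TRIES  # a success resets the counter
            return True
        return False

    def read_password(self, account, attempt):
        """Hand out a stored password only after a successful PIN check."""
        if not self.verify_pin(attempt):
            return None
        return self._store.get(account)

def wrong_guesses_before_lock(token, guesses):
    """Feed wrong PINs to a card; returns how many it accepted before locking."""
    tried = 0
    for guess in guesses:
        if token.locked:
            break
        token.verify_pin(guess)
        tried += 1
    return tried

# Constructed sample card: an assumed 6-digit PIN and two stored entries.
card = PinProtectedToken("482913", {"vpn": "Qz7!mvLp#2", "crm": "N4v#rdQ8&wY1"})
```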

It takes more than just a password to make your network secure, but with the use of security tokens, passwords are no longer the weakest link in a company's security scheme. Tokens have been developed by security companies for a variety of different applications - companies can evaluate these offerings on the basis of form, usability, the amount of modification which will be required in their infrastructure, ease of installation and of course, cost. Some smartcards offer advanced security but also mean that a lot of back-end server work must be done in order to implement them. Others are easy to set up and use, but are a risk if they are lost or stolen.

Business owners are required by the Privacy Protection Act to keep customer data secure. While no one security measure can provide total security, proper password management should be part of every company's overall security strategy.

"May your data be secure and your identity be your own."
About the Author
Dovell Bonnett is the author of "Online Identity Theft Protection For Dummies(R) - Power LogOn Edition", founder & CEO of Access Smart (http://www.access-smart.com) and the host of http://www.IDProtectionExpert.com. He provides security solutions to businesses, campuses, and mobile employees.