Sascha Salzner, Marketing Manager, APIIDA AG
In the age of digital transformation, "IT security" is one of the most important topics for companies. The many hacker attacks on firms, as well as on public figures, have by now also sensitized employees. At least, that is how it should be. But is it really? The experiences of various companies show again and again that reality falls short: IT security is not important enough to every employee. The following observations explain why.
Findings: complicated password guidelines weaken IT security
A manufacturing company with more than 600 employees, 200 of them in the office, fought a daily battle with IT security. It started every morning when the computers were switched on and prompted for username and password. Not everybody remembered the password every time. Luckily, almost everybody had written the password down somewhere on a post-it: on the back of the keyboard, in the top drawer of the pedestal, or even on a post-it stuck to the screen. And if someone forgot where they had put this very important post-it, they could simply ask the colleagues around them, because surely someone would remember.
After finally entering the password, some employees were greeted with the notification "Your password has expired. Please choose a new one." That is the moment the user snaps: a declaration of war on IT. Coming up with a new password that is long enough, extremely secure and still easy to remember is far too much of a nuisance before the working day can even begin. So what actually happens is that they change only the last number of the old password, and keep doing so until they reach 25 or 30, the point at which the password history no longer blocks the old values and number 1 can be used again. The next obstacle is logging into the ERP system. That is not too bad at first, because most employees use the same password there as for their computers. But then the two passwords drift apart, because the expiry period for the ERP system differs from the one for the operating system. What a disaster.
Realisation: Overly complicated password guidelines weaken IT security more than they strengthen the systems. A forced change that users satisfy by incrementing a digit does not produce a new secret, it produces a predictable variant of the old one. Users are tired of wrestling with guidelines instead of just doing their jobs.
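To make the point concrete, here is an added example (not code from the article or from APIIDA) that models the rotation behaviour described above. The password values and the history length of 30 are constructed assumptions. It shows two things: a history policy that only checks exact matches cannot tell "Password2" from "Password1", and an attacker who learns any one old password can enumerate every password the user will ever produce under that policy with at most 30 guesses.

```python
"""Added example: why trailing-number rotation defeats a password-expiry policy.

All passwords below are constructed sample data, not taken from the article.
"""
import re

# Splits "Password30" into stem "Password" and number 30. The lazy stem
# makes the digit group as long as possible.
_TRAILING_NUMBER = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def split_trailing_number(password: str):
    """Return (stem, number) for a password ending in digits, else (password, None)."""
    m = _TRAILING_NUMBER.match(password)
    if not m:
        return password, None
    return m.group("stem"), int(m.group("num"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: 1 means a single character was changed, inserted or removed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when 'new' is 'old' with only the trailing number changed, or when the
    two differ by at most one character. An exact-match history check misses both."""
    if old == new:
        return True
    old_stem, old_num = split_trailing_number(old)
    new_stem, new_num = split_trailing_number(new)
    if old_num is not None and new_num is not None and old_stem.lower() == new_stem.lower():
        return True
    return levenshtein(old.lower(), new.lower()) <= 1


def exact_match_history_allows(new: str, history: list) -> bool:
    """The naive policy from the story: reject only passwords already in the history."""
    return new not in history


def simulate_rotation(base: str, history_length: int, rotations: int) -> list:
    """Sequence a user produces under a 'remember last N' policy when they only bump
    the trailing number: base1 .. baseN, then base1 again once N is out of the history."""
    return [f"{base}{k % history_length + 1}" for k in range(rotations)]


def guess_candidates_from_leaked(leaked: str, history_length: int) -> list:
    """What an attacker tries after learning one old password: every trailing number
    the policy can have produced. The search space is history_length, not 2**entropy."""
    stem, _ = split_trailing_number(leaked)
    return [f"{stem}{n}" for n in range(1, history_length + 1)]


def distinct_stems(history: list) -> int:
    """How many genuinely different secrets a rotation history really contains."""
    return len({split_trailing_number(p)[0].lower() for p in history})


if __name__ == "__main__":
    seq = simulate_rotation("Password", 30, 31)      # constructed sample data
    print("after 31 rotations the user is back at:", seq[-1])
    print("distinct secrets in the whole history:", distinct_stems(seq))
    print("naive history accepts Password2 after Password1:",
          exact_match_history_allows("Password2", ["Password1"]))
    print("variant check catches it:", is_trivial_rotation("Password1", "Password2"))
```

`is_trivial_rotation` is the check a password-change handler would need in place of (or in addition to) exact-match history if rotation is kept at all; the cleaner conclusion, which the article draws below, is to stop forcing periodic changes and move to MFA or SSO instead.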
This practical example is not a rare one. Another bizarre situation occurred in an open-plan office with 25 people at a company with 15,000 employees worldwide. Now and then, staff shouted passwords across the room so a colleague could unlock their computer for a quick look at some details, to check the lunch options, or whatever else. The IT specialist, who also sat in this open-plan office, got really angry about it at times, because he witnessed such scenes almost every week.
So do you still think employees have been sensitized by hacker attacks to handle their passwords carefully? Not really. Perhaps users do consider security in their private lives, but for users at work nothing has changed. That is also what you hear from colleagues, friends and family, so you can imagine the extent of the trouble. The result is that users blame IT security and its complicated guidelines for their own low productivity.
Studies confirm this assessment. Low self-confidence and laziness, but also carelessness and naivety, are the causes. Other studies show that 90% of security problems are caused by passwords that are too weak (source: "Beherrschbarkeit von Cyber Security, Big Data und Cloud Computing: Tagungsband zur dritten EIT ICT Labs-Konferenz zur IT-Sicherheit"). People prefer simple solutions and do not want to follow highly complex procedures. That is why, in the eyes of an IT specialist, users do not make "logical" decisions in support of IT security.
Optimizing IT security
So the question is how security teams should change their procedures to make them more comfortable and strike a balance between security and usability. Should they change them at all? Simplify them to increase employee productivity? A good starting point for such scenarios is to choose other options for identity and access management, such as multi-factor authentication (like APIIDA Mobile Authentication) or single sign-on (like APIIDA Intelligent SSO). Those systems raise IT security to another level, and because they are simple to use, users like them.
With solutions like APIIDA Mobile Authentication you hit the nail on the head:
APIIDA Mobile Authentication uses the smartphone for two-factor authentication. The system supports certificate-based authentication, authentication with username and password, PIN or fingerprint. The connection between smartphone and client runs over a secure Bluetooth connection and does not require an internet connection, so login is possible from anywhere. On top of all that, using a smartphone is common practice nowadays, and signing in via an app is easy.
Last but not least, every employee should receive IT security training that addresses the problems described here. And the IT security team should always stay in close contact with users to better understand their worries and daily workflows.
Companies need to find the right balance between IT security and usability. The goal should be sound IT security that every user can live with in peace. No more wars between IT and the other employees, because you keep it simple and easy to understand.