By Ray Zwiefelhofer, President, Worldox
You do not have to look far to read or hear of a major cybersecurity breach; it has become part of the constant stream of information we receive. Because of this, it is easy to become desensitised and to see breaches as IT’s problem. However, we all have a hand in preventing cybersecurity breaches, and we all need to understand what we can do to help in this effort.
In late 2015 my colleagues and I were amused by the news that the US government’s Office of Personnel Management (OPM) had been hacked, and that the hackers had stolen records for 22 million people. We discussed this casually, without too much thought or concern – just another hack. A few days later I received a call from my son, who had recently graduated from college and started a job. His mother and I had been references for his background check for the job, and he was calling to let us know that all of our information had been compromised in this latest OPM hack! Instantly my casual observation of “another hack” became really personal, really quickly.
As with my personal experience, your firm is probably feeling more pressure as major law firms are increasingly being hacked. The FBI calls law firms ‘soft targets’: easier to gain access to than large corporations, yet often holding their clients’ most valuable information.
Who is the hacker?
When we think of a hacker, we assume we are dealing with a bad guy somewhere who is intent on gaining access to our valuable information. That is correct, but the picture gets murkier when we look at who else takes part in a breach. A hacker can only get into your network through some vulnerability, and contrary to popular belief, that vulnerability is very often a person: internal staff members play a part in most breaches, almost always unintentionally.
Rather than expending countless resources on mass attacks against your network, which proper IT practice can mitigate, hackers send innocuous-looking emails to your employees that carry links or attachments which install malicious software or harvest the employee’s login. If your organisation has weak password practices, the hacker then simply signs in with a stolen credential. Because that looks like a legitimate user logging on, it raises little fanfare and will probably not be noticed by expensive back-end monitoring software until it is too late.
All of us, from the administrator to the end user, the partner and IT, need to be actively involved in protecting the firm’s intellectual property. A user’s password written on a sticky note taped to their monitor bypasses even the best security.
Convenience vs. Security
Even the best security products on the market can be rendered worthless if they are so cumbersome that users work around them; that is how “shadow IT” (unsanctioned tools and workarounds adopted without IT’s knowledge) takes hold. Security measures must mitigate risk, yet be straightforward enough that people can fold them into their workflow without friction.
Very recently our IT manager explained to me that we need to shorten the timeframe for required password changes for all employees. I nearly lost my mind, as we currently change every six months with all of the recommended complexity requirements! My answer to him was that, if we adopted this approach, many of our day-to-day staff would not be able to memorise their passwords and would be forced into bad practices such as writing them down.
I challenged him to find an easier way to protect us that would be just as secure. I remembered that our cloud support team used two-factor authentication along with their passwords to provide an added layer of security for that department. I suggested we do the same for everyone in our office, including the day-to-day office workers. After a little research, we found a solution that cost only a few dollars a month per employee and sent a code to their cell phone. This is really a better practice than complex passwords alone: not only does a hacker need your employee’s password, but they would also need their phone, and the password for that.
In summary, we minimised the need for constant and overly complex password changes with two-factor authentication. The above password issue just seems like common sense, doesn’t it?
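To make the “password plus phone” idea concrete, here is an added example (not Worldox code, and not the product described above) of a login check that requires both a password and an RFC 6238 time-based one-time password (TOTP), the authenticator-app form of the code-on-the-phone second factor. The in-memory user store, the PBKDF2 parameters, the one-step drift window and the replay guard are this example’s own assumptions. One practitioner caveat: NIST SP 800-63B classes codes delivered over SMS as a restricted authenticator, because phone numbers can be ported or messages intercepted, which is why an authenticator app or hardware token is the usual recommendation.

```python
"""Password + TOTP second factor.

Added example, not code from the original post. Assumptions: users live in an
in-memory dict, passwords are hashed with PBKDF2-HMAC-SHA256, and the second
factor is an RFC 6238 TOTP (HMAC-SHA1, 30-second step) shared with the user's
authenticator app.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30        # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def totp(secret: bytes, unix_time: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(username: str, password: str) -> dict:
    """Create a user record: salted password hash plus a fresh 160-bit TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": secrets.token_bytes(20),
        "last_step": -1,   # highest time step already accepted; used to reject replayed codes
    }


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def matching_totp_step(record: dict, code: str, unix_time: int, window: int = 1):
    """Return the time step whose code matches, or None.

    Accepts the current step or one step either side (clock drift on the phone),
    but never a step at or below the last one accepted, so a code cannot be replayed.
    """
    for drift in range(-window, window + 1):
        step_time = unix_time + drift * TOTP_STEP
        step = step_time // TOTP_STEP
        if step <= record["last_step"]:
            continue
        expected = totp(record["totp_secret"], step_time)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. A single bool is returned so a caller cannot
    learn which factor failed; the used step is recorded only on success."""
    pw_ok = verify_password(record, password)
    step = matching_totp_step(record, code, unix_time)
    if not (pw_ok and step is not None):
        return False
    record["last_step"] = step
    return True


if __name__ == "__main__":
    # Constructed demo: enrol a user, then log in with password + current code.
    user = enroll("alice", "correct horse battery staple")
    now = 1_700_000_000
    current_code = totp(user["totp_secret"], now)
    print("login with both factors:", authenticate(user, "correct horse battery staple", current_code, now))
    print("same code replayed:     ", authenticate(user, "correct horse battery staple", current_code, now))
```

The known-answer vectors from RFC 6238 Appendix B (secret `12345678901234567890`, time 59 gives `94287082` at eight digits) are a quick way to confirm the `totp` function before trusting it with real secrets.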
“New NIST guidelines banish periodic password changes”
Yes, you read that correctly: NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) now recommends that verifiers should not force periodic password changes (a change should be required only when there is evidence of compromise) and should not impose composition rules such as requiring mixtures of upper case, digits and symbols. Instead it asks verifiers to check a chosen password against a list of commonly used, expected or compromised values, to accept passwords of at least 8 characters (and to permit at least 64), and to rate-limit failed attempts. Appendix A of the same document explores the strength of “memorised secrets” in a concise and accurate manner. You can read the full guidelines here.
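The following is an added example (not code from the original post or from NIST) of what an 800-63B-style check on a user-chosen password looks like next to the legacy complexity rule it replaces. The breached-password blocklist is a small constructed set standing in for a real corpus; the leet-speak normalisation, the sequential-character test and the service-specific word list are this example’s own heuristics, not something the guideline prescribes.

```python
"""Memorized-secret checks in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example, not code from the original post or from NIST. BLOCKLIST is a
constructed stand-in for a real breached-password corpus; normalise(),
is_sequential() and is_repetitive() are this example's own heuristics.
"""
import re

MIN_LENGTH = 8          # 800-63B minimum for user-chosen secrets
MIN_ACCEPTED_MAX = 64   # verifiers SHOULD permit at least 64 characters; nothing here caps length

# Constructed stand-in for a list of commonly used / breached passwords (lowercase).
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "summer", "monkey", "iloveyou"}

# Undo the substitutions people make to satisfy complexity rules (heuristic).
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "l"})


def normalise(secret: str) -> str:
    """Lowercase, strip trailing digits/punctuation, undo common substitutions.

    Turns 'P@ssw0rd1' and 'Summer2016!' into 'password' and 'summer' so they
    hit the blocklist even though a composition rule would wave them through.
    """
    base = re.sub(r"[\d\W_]+$", "", secret.lower())
    return base.translate(LEET)


def is_sequential(secret: str) -> bool:
    """'12345678', 'abcdefgh', 'hgfedcba': every step is +1 or every step is -1."""
    codes = [ord(c) for c in secret]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) >= 4 and diffs in ({1}, {-1})


def is_repetitive(secret: str) -> bool:
    """'aaaaaaaa', 'abababab': at most two distinct characters."""
    return len(secret) >= 4 and len(set(secret)) <= 2


def check_memorized_secret(secret: str, username: str = "", context_words=()) -> list:
    """Return the reasons to reject the candidate; an empty list means accept.

    No composition rule, no expiry and no upper length cap: spaces and any
    printable/Unicode characters are fine. Under 800-63B a change is demanded
    only on evidence of compromise, which is an event, not a calendar interval.
    """
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if secret.lower() in BLOCKLIST or normalise(secret) in BLOCKLIST:
        reasons.append("appears in the breached/common password list")
    if is_sequential(secret) or is_repetitive(secret):
        reasons.append("sequential or repetitive characters")
    context = [w.lower() for w in (username, *context_words) if w]
    if any(w in secret.lower() for w in context):
        reasons.append("contains the username or a service-specific word")
    return reasons


def legacy_policy_accepts(secret: str) -> bool:
    """The classic rule the post's IT manager wanted: 8+ chars with upper, lower, digit, symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(secret) >= MIN_LENGTH and all(re.search(p, secret) for p in classes)


if __name__ == "__main__":
    # Constructed candidates: the first satisfies the legacy rule yet is a dressed-up
    # dictionary word; the second fails the legacy rule yet is a strong passphrase.
    for candidate in ("P@ssw0rd1", "correct horse battery staple", "12345678"):
        print(f"{candidate!r}: legacy accepts={legacy_policy_accepts(candidate)}, "
              f"800-63B reasons={check_memorized_secret(candidate, username='alice')}")
```

The contrast the example is built around is the first two candidates: the composition rule accepts `P@ssw0rd1` and rejects `correct horse battery staple`, while the blocklist-based check does the opposite, which is exactly the inversion the NIST guidance describes.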
While I don’t feel better about being vindicated to my IT manager by a national standards body, it re-emphasises that we live in an ever-changing environment where you need to use practical common sense when implementing security policies and procedures.
About our Guest Blogger
Founded in 1988, World Software Corporation® is an innovative leader in the Email and Document Management Systems (DMS) category. The company's flagship product Worldox® has an install base of over 6000 companies in 52 countries.