Recently, the Hawaii Emergency Management Agency (HEMA) has been embarrassed twice by basic mistakes made by its staff. The first was to issue a public alert about a missile heading towards Hawaii which was supposed to have been an internal test, but the member of staff concerned pressed the wrong button. We’ve all been there, but most of the time silly mistakes like that do not have the potential to lead to mass panic.
The second mistake was more serious from the point of view of cybersecurity. HEMA invited the media for a tour of the office and photographs were taken and published, one of which showed a Post-It note stuck to a computer monitor with a password clearly visible. An astonishing breach of IT security.
Passwords are difficult to manage
We understand that people find password management hugely frustrating. In fact, we are running a Lunch and Learn webinar to go into the subject in more detail on 19 April.
Fundamentally we are rubbish at remembering our passwords – we have too many of them and are being asked to make them more complex all the time, so it is human nature to want to write them down. We know we are not supposed to do it, and we do it with the best intentions, but we still do it. If we were to walk into your office and look at your staff’s desks, we would almost certainly find at least one with a note on top of or underneath a keyboard, stuck to a monitor, or inside the top drawer of the desk with a password on it. As with the Hawaiian example, the screen and keyboard are the number one places to find them.
One example closer to home is one of our law firm clients – every time the company changes a password, they have to tell the receptionist who keeps them in a book in her drawer, in case anyone is off sick. The client did not know that account access can be delegated which would mean less chance of a password falling into the wrong hands.
Nadine Dorries MP recently revealed that all her staff at the House of Commons, including interns, have her passwords. She went public with this as a non-repudiation defence of Damian Green; her point was that just because porn had been accessed on his computer, it did not necessarily mean it was him, because of the number of people with access. However, the fact that this means they can prove neither his guilt nor his innocence is immaterial, as Green’s career is in tatters anyway. So you have to ask yourself, is your reputation worth the risk?
We did a GDPR presentation recently where we highlighted the fact that most people leave information out on their desks overnight. But you have got to ask a fundamental question about the office cleaners. Most people have no idea who they are and most have never even met them; they are typically low paid, transient workers employed through an outsourced agency, and do their job outside working hours, yet they are left alone in the office without supervision, and with unchecked access to files and potentially the systems.
If your company is to protect its passwords properly, it needs to reach a position where people do not feel the need to write passwords down at all. One way to do this would be for technology to stop forcing us to change our passwords all the time, and to stop insisting on complexity.
However, there are much better and safer technical solutions in the form of password manager software. A password manager will automatically create complex and secure passwords while allowing you to log in to all your accounts across all your devices without having to remember them.
Our MD will be discussing this technology in our lunchtime Password Management webinar on 19 April. Please feel free to sign up and watch – the lessons learned will help protect your business.