Passwords Will Die a Slow Death
Passwords might be the bane of your existence, and of your employees' existence too. We're all supposed to keep dozens of unique passwords locked up tightly in our brains for easy recall. Heaven forbid we write them on a sticky note or keep them in our smartphones, and for good reason.
But as much as we hate passwords, hackers love them: they are a gateway to corporate data.
The Office of Personnel Management (OPM) knows this firsthand. In June, the OPM director revealed that the breach and theft of personal information on 20 million federal employees was the result of stolen passwords from a federal contractor. Stolen passwords were also responsible for the massive data breaches at Target and Anthem.
Following the investigation, OPM immediately limited the number of users authorized to access its systems and added multi-factor authentication as an extra layer of defense. But the damage had already been done. The breach not only compromised its reputation and employees' digital safety, but it also cost millions of dollars to fix.
The password resets alone tallied more than $1 million. According to a new study by Forrester Research, password resets cost enterprises an average of $179 per employee. And the OPM has approximately 6,000 employees. You do the math.
A deluge of cases like these has led to a battle cry for the death of passwords. But like them or not, passwords are here to stay for the foreseeable future. Even Forrester acknowledges that passwords are too deeply embedded in today's complex distributed IT environments and relied upon in enterprise systems to go away anytime soon.
Instead, security teams need to assess and plan for how to coexist with passwords while simultaneously considering alternatives. A dual-pronged strategy will help security and risk professionals mitigate the risks of passwords and build a strategy that puts passwords on a path toward extinction.
Today, most enterprises appear to be on the right track. But according to Forrester's research, there are three areas of concern that need action.
For starters, most enterprises have agreed on a common password structure, but it is not strong enough. Survey data reveals that a majority of firms have adopted a consistent password policy for length, number of characters and frequency of change. However, given the continued sophistication of cyber attacks, security teams should revisit their current policy and consider strengthening it, especially for higher-risk employees or apps.
Security teams must also look for ways to make password use and resets easier for employees. Passwords are still a major internal cost and drain on employee productivity. Security teams often struggle to manage password issues such as employee lockouts and forgotten passwords. At one large U.S. public university, for instance, users averaged 7,969 password resets a month, and almost half of users could not reset their own password! The costs and frequency of password issues are not decreasing, so IT must seek ways to make resets faster and simpler.
Most security and risk professionals understand the cloud's security risks, yet they're not strengthening password requirements for SaaS and other cloud apps. The majority of firms surveyed by Forrester apply the same password policies to both on-premises and cloud apps, which improves consistency and employee experience but increases risk.
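The two points above (a single policy that is not strong enough for higher-risk employees or apps, and the same policy applied to on-premises and cloud apps) can be made concrete with a risk-tiered policy. The following is an added example, not code from the article or from Forrester: a small Python module that selects a stricter tier for privileged users and for cloud apps, checks a candidate password against the tier's length and character-class rules, and decides whether rotation is due. The tier names, numbers and sample passwords are constructed for illustration, not recommended values.

```python
"""Risk-tiered password policy evaluator (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_char_classes: int  # out of: lowercase, uppercase, digit, symbol
    max_age_days: int      # "frequency of change" from the survey, as an age limit


# Constructed tiers; the numbers are illustrative assumptions, not survey results.
STANDARD = PasswordPolicy("standard", min_length=12, min_char_classes=3, max_age_days=180)
HIGH_RISK = PasswordPolicy("high-risk", min_length=16, min_char_classes=4, max_age_days=90)


def select_policy(privileged: bool, cloud_app: bool) -> PasswordPolicy:
    """Privileged employees and externally reachable cloud/SaaS apps get the stricter tier,
    instead of the single policy most firms apply everywhere."""
    return HIGH_RISK if (privileged or cloud_app) else STANDARD


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(present)


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(password) < policy.min_char_classes:
        problems.append(f"uses fewer than {policy.min_char_classes} character classes")
    return problems


def rotation_due(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """True once the password is older than the tier's maximum age."""
    return today - last_changed >= timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed scenario: a non-privileged user logging in to a cloud app.
    policy = select_policy(privileged=False, cloud_app=True)
    print(policy.name, check_password("summer2024", policy))
    print(policy.name, check_password("Tr0ub4dor&3xample", policy))
    print("rotation due:", rotation_due(date(2024, 1, 1), policy, date(2024, 4, 1)))
```

Running the module shows the same password passing the standard tier but failing the high-risk tier, and a password set on 1 January 2024 falling due for rotation by 1 April under the 90-day tier while still being valid under the 180-day tier.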
Security teams can ease the password burden by deploying a variety of identity and access management (IAM) solutions, which can reduce helpdesk costs associated with password resets. Reducing call volume can improve service-level response for other helpdesk calls and save administrative costs by lowering headcount or reassigning staff to other critical projects.
On the user side, an IAM solution can increase employee productivity by automating the password-management process. One large UK logistics company identified over $1 million in annual savings by automating password-reset processes with a commercial IAM solution.
Perhaps most importantly, IAM solutions can help reduce the enterprise's risk of a data breach. When centralizing access to web applications through a single sign-on solution, for instance, enterprises can remove part of the risk by enforcing strong initial authentication and then using standards such as SAML to grant access to other apps. Centralizing the authentication process allows security teams to enforce a single stronger password that changes at fixed intervals, reducing the likelihood that users will keep bad password habits.
With renewed password processes and IAM solutions, employees can lose the sticky notes, delete the password list on their smartphones, and start protecting enterprise data intelligently.