
Who are you?

It seems like a simple enough question until you start to break it down.

Are you the same person at work as you are at home?

How do other people know it’s really you when you text or email them?

You may have heard of the word ‘fraped’, where a friend has posted something on Facebook pretending to be you (usually something funny) for everyone to see. But what if they couldn’t tell it was not a genuine post? What if someone had stolen your identity? The reason I mention Facebook is that it was cited by former conman turned FBI security expert Frank Abagnale as a weak point, ideal for hackers stealing people’s identities.

Why is this? Passwords are the problem. Well, let me rephrase that: it’s actually people who are the problem. For those of us working in IT and managing ordinary people’s use of technology, the single point of failure is the person behind the keyboard. (It’s nothing personal, I love my customers and users!)

The problem with passwords

Typically, up to 20% of calls to service desks are related to passwords, which is a lot of valuable time an IT department could be spending adding better value to the company.

Even though passwords are quickly reset, any help desk or desk-side technician will simply have used a password from a list of ready-made ones, such as M@y2015 or Password*1. Both fulfil the basic requirements of an 8 character password with 1 uppercase letter, 1 special character and 1 number, because that is about as complex as out-of-the-box Windows password settings get.
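The point above is that a composition rule (length, uppercase, digit, special character) is satisfied by passwords an attacker would guess first. The following added example, which is not part of the original post, puts the two checks side by side: a policy check of the kind described, and a second check that strips the decoration (trailing year or symbol, leet substitutions) to recover the dictionary word underneath. The common-word list and the sample passwords other than Password*1 are constructed for the demonstration; a real deployment would check against a breached-password corpus rather than a handful of words.

```python
import re
from typing import Optional

# Constructed illustrative subset of a "common password" list; a real deployment
# would check against a breached-password corpus, not this handful of words.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}

# Reverse the substitutions people use to sneak a dictionary word past a
# complexity rule (P@ssw0rd -> password).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity_policy(pw: str, min_length: int = 8) -> bool:
    """Composition rule of the kind described in the post: minimum length,
    at least one uppercase letter, one digit and one special character."""
    return (len(pw) >= min_length
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def base_word(pw: str) -> str:
    """Strip the decoration (trailing year/number/symbol, leading symbol) and
    undo leet substitutions to recover the word the password is built on."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop e.g. "2015", "*1", "!"
    core = re.sub(r"^[^a-z]+", "", core)   # drop a leading "!" or "#"
    return core.translate(LEET_MAP)


def predictability_problem(pw: str) -> Optional[str]:
    """Return a reason the password is predictable, or None if no pattern matched."""
    core = base_word(pw)
    if core in COMMON_BASE_WORDS:
        return f"built on common word '{core}'"
    if core in MONTHS:
        return f"built on month name '{core}'"
    return None


def evaluate(pw: str) -> dict:
    """Combine both checks so the contrast is visible in one result."""
    return {
        "password": pw,
        "passes_complexity_policy": meets_complexity_policy(pw),
        "predictable": predictability_problem(pw),
    }


if __name__ == "__main__":
    # Constructed samples: the post's Password*1 plus a few of the same shape.
    for candidate in ["Password*1", "M@rch2015!", "P@ssw0rd", "Welcome#2024",
                      "correct horse battery staple"]:
        print(evaluate(candidate))
```

Running it shows every decorated dictionary word passing the policy while being flagged as predictable, and the long passphrase doing the opposite, which is why a breached-password check is worth more than a composition rule.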

If you combine that with the fact that people have multiple identities – innumerable logins for any number of personal services from banking, tax affairs, household bills, let alone work passwords – you can see how a person can fall back on simple, easy to use passwords. In many cases, it’s probably just the one password, used for every service and/or system they use.

Vulnerabilities from poor password management

Which brings us back to Facebook. If you are an identity thief and you can break into someone’s Facebook identity or, for that matter, another popular service such as Amazon, chances are you have the keys to the kingdom. Working back from that single identity, a hacker can then get to work cracking access to other systems and, in no time, they have information such as birth dates, address details and bank details: basically, all they need to carry out theft of money and information.

From an IT company perspective, we tend to focus on external threats, endpoint protection, firewalls etc. However, the same challenges can apply within the workplace, with multiple identities existing on shared services or corporate accounts for Facebook and other digital marketing entities.

Multiple identities in the workplace

It is common practice for employees to be using many different passwords under the one company. Often, there is a separate login for the finance system due to the payroll being outsourced and accessed via the cloud. Then there is the time and attendance system, the company Facebook account, website logins, numerous databases… I could go on. It quickly adds up to a rather burdensome number of passwords to retain and – people being people – they end up taking the same approach to multiple work identities as they do to their personal ones.

Imagine all that company information, including personally identifiable information (and all the General Data Protection Regulation (GDPR) implications involved) being secured by Password1*.

What can IT departments do?

There are a couple of answers to this question. We might, if we are considerate to our customers and stakeholders, put in place Single Sign-On (SSO), particularly if we are using cloud services. SSO allows various identities to be federated to a single, cloud-based identity. This means that if an application or service supports the standards for SSO, such as OAuth or OpenID, a single login, verified once, can be used to access multiple systems.

A common example of this is the various online services now offering the ability to use a Facebook login instead of creating a new user account. This federation of different services to a single identity is a useful way for IT departments to reduce identity overload for their users, who then only need to remember one login ID (usually their email address) and one password.
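Federation only reduces risk if the application that receives the identity actually checks what the identity provider hands back. The added example below is not from the original post or from any named provider; it shows the relying-party checks an OpenID Connect style ID token must pass before the application trusts it: signature, pinned algorithm, issuer, audience, expiry and nonce. The issuer URL, client id, client secret and user values are constructed for the demonstration, and the token is signed with HMAC-SHA256 so the block runs with the standard library alone (real providers usually publish RSA or ECDSA keys via JWKS, but the checks on the claims are the same).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: bytes) -> str:
    """Stand-in for the identity provider: an HS256-signed JWT over the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, client_secret: bytes, issuer: str, client_id: str,
                    nonce: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Relying-party side: returns (accepted, subject or rejection reason).
    Each check is one the application must do itself before trusting the identity."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable header or signature"
    if header.get("alg") != "HS256":      # pin the algorithm; never let the token choose
        return False, "unexpected alg"
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable payload"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:        # token was issued for a different application
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "token expired"
    if claims.get("nonce") != nonce:      # ties the token to this login attempt
        return False, "nonce mismatch"
    if not claims.get("sub"):
        return False, "missing subject"
    return True, claims["sub"]


# Constructed values for the demonstration (not a real provider, app or secret).
ISSUER = "https://idp.example.com"
CLIENT_ID = "payroll-portal"
CLIENT_SECRET = b"constructed-demo-client-secret"


def demo(now: int = 1_700_000_000) -> dict:
    """Mint a token for the payroll portal and show which variants are rejected."""
    base = {"iss": ISSUER, "sub": "user-42", "exp": now + 300, "nonce": "n-1"}
    good = mint_id_token({**base, "aud": CLIENT_ID}, CLIENT_SECRET)
    other_app = mint_id_token({**base, "aud": "hr-wiki"}, CLIENT_SECRET)
    # Swap the subject in the payload without re-signing: signature no longer matches.
    h, _, s = good.split(".")
    forged_payload = _b64url_encode(json.dumps({**base, "aud": CLIENT_ID, "sub": "admin"}).encode())
    forged = f"{h}.{forged_payload}.{s}"
    check = lambda tok, n, t: verify_id_token(tok, CLIENT_SECRET, ISSUER, CLIENT_ID, n, t)
    return {
        "valid": check(good, "n-1", now),
        "wrong_audience": check(other_app, "n-1", now),
        "tampered": check(forged, "n-1", now),
        "expired": check(good, "n-1", now + 600),
        "replayed_nonce": check(good, "n-2", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The audience check is the one most often missed: a token issued for one federated application must not unlock another just because the same provider signed it.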

The vulnerability in SSOs

But, what if that password is Password1*? Calamity! The answer ultimately is to get rid of passwords altogether and move to biometric solutions, such as Windows Hello or fingerprint scanners. However, in the real world, access to these kinds of technologies is limited and expensive, particularly for SMEs.

What’s the answer? Bring in an additional factor of authentication. Two-factor authentication (2FA) or multi-factor authentication (MFA) ensures that access to critical systems is not wholly reliant on just a password. 2FA or MFA solutions, such as those included in Microsoft Office 365/Azure cloud solutions or Sophos Firewall/VPN access, typically offer additional verification via SMS text message or via an Android or iOS app.

Users register once, when first logging in to the network; their phone and other details are then used for secondary authentication. IT departments can then enforce this additional factor when people log in. Usually this is applied only to external access, but you may also have internal vendor staff for whom you want to enforce it as well.

Make users aware of the dangers

What is the takeaway from all of this? If you want to raise security awareness within your company, start with some simple show-and-tells on how to secure people’s personal information. The great thing about 2FA and MFA is that these services are already available to ordinary users of services such as Facebook, Google and Microsoft. Once people see how vulnerable their own information is, and how it can be secured, applying this to company information is an easier conversation!

Did you know that we provide identity management solutions? With Microsoft Enterprise Mobility and Security you can ensure your sensitive data is secure no matter where your teams are working from. Contact us here for a more comprehensive discussion about this security solution with one of our experts.