Strong Leaders Don’t Have Strong Passwords
by Steven Hope, CEO of Authlogics
Many business leaders have had a rough ride over the past two years. However, the corporate world can be an unforgiving environment, global pandemic or not. We live and work in an increasingly litigious world and any indication of wrongdoing or malpractice (intentional or otherwise), runs the risk of costly and consuming legal action. Such action isn’t restricted to the aggrieved or the opportunist but regulators wanting to show they have the bite to match their bark.
The end of May 2022 marks four years since GDPR was enshrined in law and although the UK is no longer part of the EU, it still has the UK GDPR. With so much publicity, years before and after GDPR coming into force, it is reasonable to suspect that there are few board meetings taking place that do not raise issues of data protection, compliance, privacy, and security on their agendas.
Looking at the picture painted by official statistics published in March, by the UK government’s Department for Digital, Culture, Media & Sport in its Cyber Security Breaches Survey 2022, it would at first glance appear that issues of cyber security are being taken seriously at board level.
The report states that approximately four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority. What’s more a growing number of businesses (although still only 34%) have cyber security as part of their job. More good news is that 50% of businesses are updating the board on cyber security matters at least quarterly, with this rising to 80% for larger organisations.
However, the finding of a new survey conducted by NordPass has been making waves by suggesting C-level executives may not be taking matters as seriously when it comes to their own conduct. The research reveals that the top passwords being used are 123456, password, and 123456789, as well as a range of names, animals and mythical creatures. The same type of ‘simple’ passwords that many people use in their day-to-day life.
Now, I would not suggest that strong leadership requires strong passwords, as I have long argued that strong passwords are simply more complicated to remember than they are to hack; what is making it ‘strong’ exactly? We should not be too surprised, after all executives are just people prone to the same behaviours as everyone else, naturally gravitating to convenience in their live to work lifestyles. However, it also appears to be the case that business leaders are aware of their own shortcomings when it comes to password best practice, with Pulse and Hitatchi ID revealing that 94% of leaders are aware of the need for password training.
The Information Commissioners Office (ICO) is charged with policing the UK GDPR and it has made it crystal clear from day one that it requires organisations to not only be accountable, by being not only responsible for compliance, but they must also be able to demonstrate it. It would be extremely hard for a director (it is they who will ultimately carry the can) to swear under oath that 123456 is a satisfactory password, especially to safeguard the type of information that a C-level executive would typically have access to. Furthermore, there is also the acknowledgement that a leader within an organisation is an obvious target.
The good news is that fixing the password problem from the board to the bottom, to establish and maintain demonstrable compliance, does not require a difficult knock on the door of the boss. The first step is to understand the current susceptibility of your organisation and that begins with a password breach audit. It is a free service that within minutes will determine which accounts (active and dormant) within the domain have been breached. Do this and you are on course to demonstrating a process for compliance adherence. Armed with these insights immediate remedial company-wide action can be taken to close any breaches, using Password Security Management (PSM). These systems ensure every password adheres to best practice as dictated by NIST 800-638 (National Institute of Standards and Technology) a US government agency that is widely regarded as the trusted authority on password policy, and that they stay that way.
The latest DBIR (Data Breach Investigations Report) published in May by Verizon, suggests that 82% of data breaches involve a human element. This echoes other findings that 80% of breaches are caused by weak, stolen, or reused passwords. So, the exposure and risk of having anyone within an organisation, let alone its leaders, creating an easily exploitable vulnerability is high. The penalty, whether in the form of the eye-watering fines the ICO has at its disposal, or the financial and reputational harm it can do to the profitability and reputation of the business can be hugely damaging. If you think multifactor authentication (MFA) will say the day, think again. Despite the increased adoption of MFA, so too has the number of passwords being used- along with the number of password-based attacks.
Business has been tough enough, why make it any tougher than it needs to be, by exposing the company to such unnecessary risk?