Organisations’ IT departments should ensure users use authorised devices to access company systems.
By MERCY NJUE
Company information systems contain confidential information that could include trade secrets, financial information, employee information, forecasts and competitive analysis within the industry. The bigger the organisation, the higher the security risk. Large organisations contain information stored in multiple databases for the respective units, departments and branches. Information is processed, accessed and stored at different levels of the organisation and at different departments. Each system has a password and rights allocation matrixes, that is, individually assigned with read and/or write rights.
Passwords provide an authentication gateway which can be detrimental if exposed to internal or external intruders.
Common user pitfalls
Password re-use: This is normally one of the most common user mistakes. Users tend to use the same password for the same systems every time they are asked to reset. A good example is using similar variations of the password such as Kenyafb for facebook, kenyatw for twitter. Once the user knows several passwords, it is easy to decipher the rest, as a pattern has been established.
Spyware and phishing:Different items online can be used as bait to install spyware such as a pop up screen with the following message; “kill the cockroach moving on the screen.” At times, attachments with executable files are sent to users, or links that may be used as bait. Some spyware may be used to “listen” and detect the keys typed when keying in a password, and the details sent discreetly behind the scenes.
Automatically saving passwords:Users are at times prompted to save passwords by certain applications such as Mozilla, Google Chrome, just to name a few. While it may be a good idea, it may pose a security threat. Certain addons or plug-ins may be installed by the user unknowingly, and could turn out to be spyware, resulting in detrimental security incidents.
Password sharing: Many a times, users tend to share passwords out of trust and convenience. Passwords could be shared among friends, family members or colleagues at work. Passwords that could expose an organisation’s information, or personal information should not be shared, as security of the device they are using to access the system is not assured and may pose as a security risk.
Every year, SplashData compiles a list of the millions of stolen passwords made public throughout the last 12 months, then sorts them in order of popularity. The most commonly used passwords are variations of number one to ten, such as 123456,1234567, qwerty and variations of “password”. This means that users who use these passwords expose themselves as well as the institution to a certain level of risk. Others tend to use their names, phone number, ID number, year of birth and the names of their children as passwords. Due to social media, it is easy to mine this kind of bio data.
Some of the counter mechanisms to user related security breaches, are: password encryption, data encryption on devices, implementation of strong password policy that make it compulsory for the password to have numbers, symbols and capital letters.
The policy should also not allow the use of bio data associated with the user and should have an expiry period that varies within different user groups depending on confidentiality of the data accessed. The policy can be implemented using the authentication system used by the organisation. Organisations’ IT departments should ensure users use authorised devices to access the systems, and that the systems have a working, licensed and updated antivirus according to the security policy of the institution.