It's strange how the network security policies in place at a company can actually damage, rather than enhance their security. Security measures which are too stringent can lead to employees going around security for convenience's sake. Employees can actually create security vulnerabilities which your IT department may not be able to protect against; because they may be unaware that they exist!
Not long ago, I spoke with the business director of a large company (I'll call her Susan). Her company's IT department requires employee passwords for their network be at least eight characters in length and be comprised of a random mix of letters, symbols and numbers. She also must change her passwords every sixty days. While Susan goes along with the security policies put in place by her IT department, if you were to walk into her office, she has her logon password written right there on her desk - "Password: 1jy^hndT".
The work environment in many companies these days involves understaffing, tight deadlines and long workdays. When you add yet another complication into the lives of already overworked employees, it is only natural that they choose convenience over security. You see everyone doing this; from the CEO on down to the temps. While it sounds like a good idea to have employees remember complex passwords, what happens in practice is that it slows things down and leads to security being circumvented.
The real problem isn't the security policy; it's actually a very sound one - it's the way that it is implemented which makes it a problem. IT departments are prone to ignoring the human factor when they design security policies. Most people can't remember two complex passwords; and many can't even remember one! By making employees change their passwords every two to three months, they further complicate the situation and practically force employees to engage in insecure
This gives management a false sense of security when it comes to network security, since they don't even know where to look for potential problems. Let's say that someone copies down Susan's password and logs in as her - the network monitoring software simply accepts as fact that she is working at 3 am. These security systems will not be able to prevent these attacks until the damage has already been done.
Password security which does not offer convenient implementation is not something which comes without a cost. Resetting passwords can take anywhere from 20% to 50 % of an IT departments time - this translates into about $70/incident. This time and money could be better used by your IT department. There are other costs; lost productivity when employees are unable to access the network.
A rule of thumb to keep in mind is that the greater the level of password security without a convenient management system in place, the more often you'll need to do password resets. Smartcard security tokens offer a solution which balances productivity, security and technical support.
Smartcard based security tokens allow employees to manage network and computer security themselves without compromising the security of your corporate network. They do this by:
1. Offering double, two factor authentication - the user has the card (something they have) and the PIN (something they know). The computer has the card (something it has) and stored complex passwords (something it knows).
2. Being portable to other machines.
3. Having no information is stored on the computer for prying eyes to find and use.
4. Convenience - the user only needs one password.
5. Employees always have possession of their passwords.
6. Token data is securely stored and protected in the event that the token is stolen or lost.
7. The token can store passwords for many accounts.
Smartcard based security tokens prevent data thieves from merely looking over someone's shoulder to learn passwords or look for notes taped to desks or inside drawers bearing this information. If each account is set with its own unique password, even if a data thief somehow gets one password, all other accounts are still protected. Smartcard based security tokens allow employees to stay within IT security policies and keep corporate networks better protected while offering the convenience employees want and need. This can make even the most careless employee a security conscious one.
Dovell Bonnett is the author of "Online Identity Theft Protection For Dummies(R) - Power LogOn Edition", founder & CEO of Access Smart and hosts IDProtectionExpert.com. He provides businesses, campuses, and mobile employees security solutions.
