A few days ago I wrote about a recent survey which found employees would be willing to sell their passwords. However, it now seems to be about giving them away for free, by broadcasting them to the nation, in what turned out to be perhaps one of the most ironic television interviews of the year.
You may recall that the French broadcaster TV5Monde was the subject of a major hack, thought to be orchestrated by Islamic State supporters, which caused the station to stop broadcasting for over three hours. But, in what turned out to be an embarrassing interview with a reporter to discuss the incident, a representative from the station could be seen standing in front of a wall plastered with notes revealing the passwords to accounts such as the station’s Instagram, Twitter and YouTube channels.
Of course, accidentally broadcasting passwords is very different from an employee selling them, but the fact that they were placed on the wall in the first place highlights the theme that employees do not see the significance of sharing and disclosing passwords, even when an organisation is in the midst of recovering from a severe cyber-attack. Secondly, the only reason that the passwords would have been posted on the wall in the first place was clearly for convenience and ease-of-use, as it means no-one needs to remember them.
The problem with passwords (well, one of them) is the fact that for most people they are perceived to be a barrier that is in the way of them getting to where they want to go, and not an intrinsic and important security measure. So, it is inevitable that employees will look to find ways to make the barrier smaller, whether it is posting them on the wall, displaying them on a post-it stuck to the monitor, or making them as easy to remember as possible.
So, to counteract this behaviour you need to educate employees as to the importance of security, whether it is accessing the corporate network or the Twitter account. After all, in the eyes of the media a data breach is a data breach. Realistically, a hacker is unlikely to do much damage by gaining access to a social network account, but the fallout and reputational impact can be immense and hard to recover from.
Furthermore, you need to look at the password as a tool and ask: if people find them difficult to remember, how can we make it easier? Or, could we do without them altogether? Yes, this contradicts many calls to make passwords stronger and more complex, but that has been said for many years now and it isn’t working.
The time has come for a new approach that makes it easy for employees to play their part in keeping the organisation secure by removing the burden of remembering a password. For more information check out PINgrid.
You can read the full TV5Monde story and see the pictures (passwords have been obscured) at: http://www.independent.co.uk/life-style/gadgets-and-tech/news/tv5monde-hack-staff-accidentally-show-passwords-in-report-about-huge-cyberattack-10168475.html
Author: Alissa Lang, Winfrasoft