Passwords. We all love to hate them. And while some technology companies, like Microsoft, Google and Apple, are working hard to rid the world of passwords, this standard method of authentication isn’t going away anytime soon.
Passwords are a vital part of the security posture for most companies, yet they are fraught with risk. Our 2017 MarketPulse Survey found that 37 percent of the respondents cited password hygiene as a major factor in their organization’s risk. This includes employees sharing passwords across multiple accounts and systems, not regularly updating or changing their passwords, or simply not adhering to the password management policies set by the organization.
Many organizations are investing tens of thousands of dollars in mandatory, end-user security training. Cybersecurity Ventures estimates that the market for security awareness training could reach $10B by 2027. As part of this training, users are taught best practices for creating and maintaining strong passwords, and taught not to share personal information that can be used to hack security questions.
And yet, passwords are so abundant in everyday life. We use them for business, for personal computing, on our various devices and with all types of vendors and applications. This surplus of authentication is actually creating a larger vector for compromising the business.
This is the fundamental reason for attempting to get rid of passwords. Biometrics, single-use codes, facial recognition – all of these provide a much more personal process for authenticating that is harder to hack or forget. While these may be harder to compromise, these technologies can be expensive and difficult to support – which is likely why we haven’t seen mass adoption in the enterprise.
All of the training and personalized authenticators are good elements in your security strategy, but they all fail to take into account the biggest factor of all: user behavior.
It should be said that most employees are not intentionally putting their organization at risk. In fact, it’s a good bet that most employees want to be, and believe they are, good security stewards. For some, that is because their own information is also at risk; many others just don’t want the hassle of dealing with IT if something goes wrong. In any event, the password problem doesn’t exist because employees are malicious or – given the amount of training referenced above – even uninformed. The password problem stems from ineffective processes that delay or prevent users from getting work done.
So how do you change user behavior?
Make it advantageous…to them. Win over your users on password security by making it easy for them to do their jobs in the way that works best for them. Capabilities such as self-service password reset and management mean your users are in control – while still allowing IT to manage the corporate policies. They aren’t hindered or delayed waiting for the helpdesk to unlock their system or help get access to their applications. They can work wherever and however they need – and still have control over access.
Make it easy. Make security a part of their daily life. Integrate security practices into the processes and motions they already engage in. This way it’s not another item on their to-do list – it’s the way the items on the to-do list get done.
Putting trust in your users can be tough. But a password management strategy that actively engages and empowers your users – and is founded on the principles of identity governance – is the way forward. With an identity-aware workforce, not only are users happier, the help desk can be more effective and IT more strategic.
See how SailPoint customers are addressing their password strategy and engaging their users by extending their identity investments with password management.