Most organizations, from multinational corporates to small businesses, still rely exclusively on the user name and password as a mechanism to control the way employees, contractors, partners and customers gain access to corporate information assets. The result is that these organisations are exposing themselves to cyber terrorism, which includes everyone from the most malevolent terrorist to the basement hacker. Their aim: to sit on your doorstep and undermine and destroy the fabric of your organisation.
Threats against passwords are increasing as they are perceived as the more vulnerable security aspect of IT infrastructures and are therefore inadequate in securing an IT system.
So why isn't more being done to overcome the cyber terrorism threat? After all, following the terrorist attacks in New York and London, governments are being especially diligent in their duties to combat everyday terrorist threats, so why isn't business doing more?
One of the main reasons we are in this maelstrom is that, until now, technology has been a barrier to cost-effective and practical user authentication. Solutions in the market today are both prohibitively expensive and take too long to deploy and manage. The second reason is complacency. Many organisations do not perceive there to be a real threat. Corporate governance regulations, such as Sarbanes-Oxley, are starting to have an impact, but there remains a lack of urgency.
Some organizations have taken the matter into their own hands and simply made passwords longer, or require employees to change them more frequently. This is not a good idea, as the employee will just forget the password or write it down, thereby compromising security in a different way.
Almost 90 percent of organizations today still rely on user name and password for user authentication. The result is that they have very little control over who has access to their systems, the degree of access people have, and who gives the approval for that access. A few organisations have reached the second phase of user authentication: they know who's coming in and what they are accessing, because the organisation has controls over authentication. But it's a reactive policy. They can only report on what the intruder or innocent user has seen. Nothing more, nothing less.
Centralised, Best Practice Identity Management