Tag Archives: Passwords

NordVPN creates new generation password manager dubbed NordPass

NordVPN is creating a new generation password manager. NordPass will have a full range of features to ensure that passwords are as secure as possible. Its easy-to-use interface makes staying secure effortless.

“We can secure your connections with NordVPN and we can secure your files with NordLocker, but you still need a strong password for both,” explained Marty Kamden, CMO at NordVPN. “Passwords are the front line for your online account security. That’s why we’re introducing NordPass. It all started when we were looking for a safer and more productive way to deal with passwords within our company. In the end, this initiative has grown into something pretty exciting, which we decided to expand beyond the bounds of our own business.”

NordPass will remember and autosave all passwords, autofill online forms and allow the saving of private notes. Additionally, the new tool will generate strong passwords on the spot. NordPass will support major operating systems, offering browser extensions as well as native mobile and desktop apps.

ZeroEncryptionNordPass is created using the latest security practices and industry standards. It uses powerful Advanced Encryption Standard (AES-256-GCM) encryption with Argon2 for key derivation, which is virtually unbreakable. Additionally, the new tool will have a zero-knowledge encryption process to ensure ultimate security.

“Zero-knowledge encryption means you own the key to your passwords,” continued Kamden. “By the time your data reaches our servers, it’s already encrypted on your device, which means we have zero knowledge about the items saved in your vault. We couldn’t see your passwords even if we wanted to. These are only the essential features that come with the first version of NordPass. We’re very eager to expand its capabilities in the near future.”

At the moment, NordPass is going through internal stress-tests. It’s expected that the first beta version will be released this autumn.

NordVPN is a trusted online privacy and security solution used by over 12 million Internet users worldwide. It offers military-grade encryption with advanced privacy solutions and is recognised by the most influential tech sites and IT security specialists.

*For more information in NordPass access the NordVPN blog

Leave a comment

Filed under Risk Xtra

IDIS determined to focus on video cyber security at IFSEC International 2019

Network security and the threat of ‘cyber loopholes’ should be a top priority for video surveillance users, IDIS will tell visitors at IFSEC International. Launching a cyber security advisory video ahead of the show, the IDIS team at ExCeL in London from 18-20 June will also be on hand to demonstrate and explain how IDIS technology goes a step further to strengthen the resilience of traditional surveillance network processes.

IDIS will be highlighting the dangers of cyber attacks and the common vulnerabilities found in many surveillance set-ups – as well as showcasing a full range counter-measures – on Stand IF1110.

Users should plan for three specific risks, states the company: data access loopholes, data transmission weaknesses and the integrity of recorded footage.

“IDIS has consistently led the way in addressing cyber security concerns, taking a multi-pronged approach from R&D through to customer installation,” said James Min, managing director of IDIS Europe. “We’ve developed a rich, layered and comprehensive set of technologies and features to ensure maximum protection for end users.”

IDIS IFSEC Stand 2019 (1)

Visitors will see how IDIS DirectIP – the cornerstone of the IDIS Total Solution – closes-up widespread vulnerabilities and serves as a proprietary mutual authentication system for all IDIS IP products. IDIS DirectIP speeds up implementations and streamlines cyber security by eliminating the need for engineers to manage multiple IP addresses and associated passwords during implementation. It therefore mitigates human error and the common malpractice of saving passwords in vulnerable spreadsheets.

Using peer-to-peer technology, IDIS’ ‘For Every Network’ technology also lets engineers deploy and configure secure, multi-site surveillance solutions that use centralised monitoring and control without in-depth knowledge of routing or networking.

IDIS will also highlight the cyber security essentials for transmission and recording together with its own patented and proprietary technologies which prevent activities such as snooping, modification and the destruction of data.

James_Min_IDIS_Europe_MD

James Min

In addition, visitors to Stand IF1110 will learn how IDIS ensures the integrity of video recording, with its advanced ‘Chained Fingerprint’ technology authenticating footage such that it can be submitted to the police and the courts as evidence.

“Combined with these technologies, our industry-leading training programmes are helping installers and integration partners to work knowledgeably with devices and networks to ensure maximum cyber security for our end users,” concluded Min.

Leave a comment

Filed under Risk Xtra

Unwitting cyber scammers cold call industry expert at C3IA Solutions

Would-be cyber scammers made a megabyte blunder when they cold-called Matt Horan of C3IA Solutions: Horan is one of the country’s top cyber security experts. Realising the crooks were trying to take control of his computer, Horan put the call on speaker phone and asked a colleague to record it, with hilarious consequences.

After stringing out the conversation for 35 minutes – during which time he was passed to more senior ‘helpers’ as he posed as an ignorant computer user – Horan then informed the caller that he had no Internet connection.

This prompted the fraudster to use an expletive before hanging up in anger. An edited video of the call has been amusing people across social media.

Horan is keen that the video is used to help people avoid falling for cyber scams. He told Risk UK: “One of the weakest parts of any business’ cyber security is the staff. They do nothing malicious, but can easily assist fraudsters. Along with ‘phishing’ e-mails, this type of phone scam is common and can cause huge amounts of damage.”

Matt Horan, director of C3IA Solutions

Matt Horan of C3IA Solutions

Horan continued: “The caller purports to be from Microsoft or a similar outfit and informs the person who answered the call that there’s a problem with their computer. They then instruct that person to look at the computer’s ‘systems and events logs’, which is simply a log of every action taken. They tell them that this is evidence of ongoing malicious attacks. After that, they try and entice them to log into TeamViewer or something similar which means they then can gain remote access and control of the target computer.”

In addition, Horan stated: “They then have all the information on a computer or network and can infect the system, read e-mails, steal passwords or encrypt the stored data. They can basically do anything they want. Obviously, this can cause massive harm to a business and may well lead to data loss, the theft of funds and the stealing of intelligence as well as cause acute embarrassment.”

C3IA Solutions trains staff at businesses to be ‘cyber-savvy’ and always to hang up on calls like this. If staff are in doubt they should contact their IT support.

“Firms such as Microsoft don’t make calls like the one I took, but they seem authentic,” explained Horan. “Often, the scammers work in pairs so the initial caller can pass over the call to a ‘senior supervisor’, as they tried with me. This gives an added authenticity. Caution should be the watchword when taking calls like this one.”

*The video can be viewed on YouTube: https://youtu.be/ncIehp0fBT8

Based in Poole, Dorset, C3IA Solutions is one of fewer than 20 companies certified by the Government’s National Cyber Security Centre. In addition to its work with Government agencies including GCHQ, the company operates a commercial section that works with businesses, assisting them with their cyber security.

C3IA (a military term) Solutions was set up in 2006 by Horan and Keith Parsons. It has 84 personnel on contract of whom 33 are employees and 51 are associates. The business operates in the defence and security sectors serving both SMEs and multi-national firms.

C3IA is a leading provider of secure ICT, technical programme management and information security services and solutions.

The company takes its Corporate Social Responsibility seriously, supporting serving and past members of the Armed Services. Indeed, the business sponsors those engaged in personal and team development through arduous sporting and other challenges.

Leave a comment

Filed under Risk UK News, Uncategorized

Wavestore releases Version 6 of award-winning Video Management Software

Wavestore has announced the introduction of additional features and functionality in its new V6 Video Management Software (VMS) and WaveView client software.

Known for providing leading system integrity and user friendliness, many major improvements have been incorporated within Wavestore V6 with the objective of enabling end users to securely and more easily “unlock the full potential” of an integrated security system.

Widely referred to as the ‘operator’s favourite GUI’, Wavestore’s graphical display has been revised with a fresh new look featuring updated icons and graphics, making it even more intuitive to use. The addition of dockable components and ‘configurability’ of the live event stream window provides an enhanced user experience which allows individual operators to arrive at their pre-customised screen layouts each time they log in.

V6 also introduces camera short-cut keys using the keyboard number pad for added convenience and security enhancements to protect against malicious hacking attempts, including enhanced encryption and a high-security password policy.

WavestoreV6Monitor

“Many of the new or updated features in V6 have been developed as a direct result of feedback from our worldwide network of customers,” said Julian Inman, product manager at Wavestore. “For example, Wavestore’s client side de-warping feature, which supports a wide range of 360 degree cameras, now offers greater flexibility by enabling the cameras to be fitted on angled surfaces, and not just flat ceilings or walls. We’ve also added full SDK integration with ImmerVision lenses and Oncam cameras.”

V6 maintains Wavestore’s ‘any video, any format’ philosophy which sees it supporting all leading camera vendors across multiple camera technologies. These include very high megapixel, Ultra HD, 4K, HD, 360° fisheye, thermal and analogue cameras operating on H.264, MJPEG, MPEG-2, MPEG-4, MxPEG and JPEG2000 video formats.

Improved support for larger systems

As the result of an update incorporated within V6, Wavestore’s proprietary Large Allocated Storage System (LASS) now empowers the VMS to manage an industry-leading 384 Petabytes of data per server. As such,V6 claims to set a new industry benchmark for Enterprise level applications with effectively no limit to the mass of images it can manage. The calculation and system design process is also greatly simplified.

Intelligent failover is now also available at Wavestore Enterprise level to ensure minimal disruption to recording should a fault occur, and to deliver resilience and peace of mind for mission-critical applications.

“We’ve made it as flexible as possible for specifiers and systems integrators to choose the right level of software required for a each project, while our simple ‘buy once’ licence model enables additional licenses to be purchased if and when a system grows,” explained Inman.

“Wavestore can be cost-effectively deployed for small to medium-size projects with either our Base or Premium levels of software, and then upgraded when required to Enterprise level for larger or more critical applications.”

Leave a comment

Filed under Risk UK News, Uncategorized

CrowdControlHQ: “IT directors ignore social media risks at their peril”

Marc Harris (Chief Technical Officer at CrowdControlHQ) examines the issues facing IT directors from the use of social media.

Many IT directors operate their own personal Facebook and LinkedIn accounts. However, when it comes to corporate social media they pass responsibility for management of same to the Marketing Department. Are they doing so at their peril?

Let me start with the elephant in the room, namely the role of the IT director. After an extensive IT career in the media, telecommunication and technology sectors recent experience has led me to conclude that social media needs to be firmly at the top of the priority list of every IT director.

In my current role, I see at first hand the impact of reputational damage realised by both internal and external sources through the use of social media, and find it surprising how few IT directors are willing to discuss the issues or attend conferences on the subject. Perhaps they feel an unwelcome interference or ‘elbowed out’ by this new communication channel which has evolved extensively under the umbrella of marketing?

In future, the organisations succeeding in the social media space will have Marketing and IT Departments working seamlessly together to tackle the issues. The ‘DNA’ of IT makes it the most qualified department to deal with some of the risk issues that surround social media, so why isn’t it more involved?

Today, social media is being used in every aspect of business, from the Boardroom right through to the delivery of customer service. By its very nature, social media is a collective responsibility. Not surprisingly, its reliance on ‘collaboration’ has in some instances manifested itself as ‘sharing’ responsibility for posting of content… and even the sharing of passwords!

New rules now apply

I once overheard a social media officer quite gleefully boasting the fact that they had the Twitter login to hand for their company chairman. When challenged, the officer admitted that he was ‘The Chosen One’. If he was off sick that was it – no tweets or updates! Worse still, if he left the organisation he had the power to bring the place down tweet by tweet.

This is the stuff that would have kept me awake at night as an IT director, yet in a world powered by social engagement new rules seem to apply.

Marc Harris: CTO at CrowdControlHQ

Marc Harris: CTO at CrowdControlHQ

Recent research also reported that a scarily large number of employees still use the dreaded Post-It note to record their login usernames and passwords, stuck to walls, desks and even the computer screen. Apparently, we’re not coping well with the need to access everything online from social media to our weekly shop and fear our mobile devices could be pinched. We’re reverting to pen and paper, it seems.

This practice can only end in tears. There have now been too many examples of ‘rogue’ tweets, no audit trail of who posted them (or why) and organisations – who, frankly, should have known better – being left rosy cheeked, so why is this practice still so rife?

Why would an employee, with their job on the line, ‘fess up’ when they know that at least 15 other people had access to the account that day?

I also believe that few IT Departments have a handle on the number of users across their ‘official’ social media accounts, let alone a log of which password protocol they are using, how they are accessing the site or posting.

Need to look both ways

We cannot just blame the employees. Even organisations with the most robust and celebrated IT protocols let themselves down when it comes to simple issues such as data storage. I suspect very few IT directors are crystal clear about where their marketing communications teams are storing their social media campaigns, let alone harbour an understanding of the conversations from the past that they may need to reference in the future or where they keep their notes about their customers linked to these campaigns.

I would hazard a guess that many IT Departments are breaking their own compliance and governance issues when it comes to social media.

Today, there’s no need to share passwords. The social media ‘savvy’ have cottoned on to tiered password access, with both the IT and Marketing Departments having an ‘on/off’ switch to give them instant control in times of crisis. If IT is involved in the installation of a Social Media Management Solution (SMMS) they can see exactly who is plugged into the system, where accountability lies and who they need to train and develop to uphold the security protocols needed in order to keep an organisation’s reputation intact.

Within the scope of most IT budgets a SMMS will be a drop in the ocean but will address these major issues. Any smart IT director will already be looking at a SMMS if there isn’t already one in place. Such a system gives control back to the organisation. All passwords are held in one place such that accounts are not owned by individuals but by the company. The right system gives an organisation the ability to moderate content at a senior level. In turn, the risk of misuse or mistakes can be eradicated.

A SMMS also takes care of the practical management issues. I fear that some organisations are taking a step backwards in terms of their technological evolution, reverting to time-wasting, ineffective manual processing of social media (eg multiple logins to different social media platforms rather than using readily available tools for automation and effectiveness).

The message is clear. IT directors ignore social media at their peril. When it comes to corporate social engagement, it’s time for them to wake up, check and challenge.

Leave a comment

Filed under Risk UK News

Centrify survey pinpoints ID theft as key concern for digital consumers

Identity theft has ranked as the top concern among 2,000 consumers questioned about their digital lifestyles in new research commissioned by Centrify Corporation. The survey reveals that 81% of respondents stated they are concerned – or very concerned – about the prospect of having their identity stolen online.

Having credit card information stolen on the Internet is also extremely worrying for consumers, with 79% ranking it the second biggest concern above being a victim of cyber crime (73%).

Surprisingly, cyber bullying is the least concerning prospect for respondents with just 40% of consumers showing any real concern, while privacy of social networks (59%) and e-mail spam (68%) both ranked much higher.

The comprehensive survey also reveals the numbers of respondents that have a high, medium or low ‘digital footprint’ based on the amount of time they spend online in a typical week e-mailing, texting and sharing or watching digital images, songs, games, videos and apps.

62% of those very concerned about identity theft have a medium digital footprint, 46% low and 26% have a high digital footprint. Equally, only 26% of those with a high digital footprint are concerned about having credit card information stolen on an online shopping website and their e-mail accounts being spammed, showing that those who spend more time online are less concerned about their identity being stolen.

One-in-four respondents to the survey have definitely (or probably) been a victim of identity theft, 43% of victims suggesting the problem took more than one month to fix with one-in-five saying it took more than ten hours. 47% of interviewees admitted to having to spend their own money to resolve the issue, with 28% noting they’ve spent at least £60 (in turn highlighting the need for increased password security).

Identity theft remains a key concern for online shoppers in both America and the UK

Identity theft remains a key concern for online shoppers in both America and the UK

Security of personal information at risk

“With so much of our time now spent online, be it in relation to social networking, banking or shopping, the security of our personal information and, more importantly, our identities is being put at risk on a daily basis,” explained Tom Kemp (CEO at Centrify).

“According to our survey, online purchases are the top reason why users feel they became victims of identity theft, underscoring the importance of confidence in one’s own online security. Consumers have very little faith in the absolute security of their passwords. Just 15% believe those passwords are very secure, regardless of the amount and type of characters used. Being able to manage our password security is crucial.”

Other research highlights:

• The groups that are most likely to say they’ve been victims of identity theft are those that probably best understand and notice the signs of identity theft: IT workers, online shoppers, higher salary workers, the ‘tech-savvy’ and those with a high digital footprint

• Those with the least confidence that their passwords are absolutely secure include individuals that do less online shopping (12%), those aged 50-64 (11%) and those with a medium digital footprint (11%)

• A plurality of consumers are only somewhat confident that their passwords for personal accounts could not be cracked by a computer program, but few are very confident

*The Widmeyer Survey was developed to assess people’s engagement with (and perception of) passwords in order to determine their efficacy in the workplace. The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions

Leave a comment

Filed under Risk UK News

“Remote working places business data at risk” reveals Imation Corporation Survey

According to new research initiated by global data storage and information security company Imation Corporation, poor security and impugned responsibility are placing business data at risk for those working remotely. Staff are taking confidential information away from the office, often without the knowledge of their employer, and losing unsecured and unencrypted business data in places such as pubs, on trains and in hotels.

According to the survey of 1,000 office workers* from the UK and Germany, nearly two-in-five of respondents (or someone they know personally) have lost or had a device stolen in a public place. Three quarters of these devices – among them laptops, mobile phones and USB sticks – contained work-related data. This included confidential e-mails (37%), confidential files (34%) and customer data (21%).

Around one-in-ten interviewees had lost financial data or access details such as login and password information, potentially exposing even more confidential information to the risk of a data breach.

What makes these findings even more concerning is that a large proportion of data removed from the workplace isn’t adequately secured. As many as three quarters of respondents said they had taken digital files with them outside of work, yet many do not use standard security measures such as encryption, password protection or remote wiping to protect that data from unauthorised access.

One-in-four employees interviewed for the Imation Corporation’s survey admitted breaking security policies to work remotely while the majority were not concerned about losing confidential business data

One-in-four employees interviewed for the Imation Corporation’s survey admitted breaking security policies to work remotely while the majority were not concerned about losing confidential business data

Nearly half (44%) of respondents said that data is never encrypted when taken out of the office. Three out of every ten respondents admitted they don’t protect their data with passwords, while nearly one-in-ten workers who take digital files outside of the office do not secure them at all.

Office workers, it seems, are not losing any sleep over losing confidential business data when they take work home, with only one-in-16 worrying about this massively important issue.

Lack of understanding around corporate data security

“Companies may not be aware of the amount of data that’s leaving offices unsecured,” said Nick Banks, vice-president (EMEA and APAC) for Imation Corporation’s IronKey solutions. “In addition, half of respondents said that, at least some of the time, nobody would notice if they were to take data away from the office and lose it. It’s obvious that poor security and lack of understanding of what happens to corporate data are placing organisations at risk of a data breach.”

Even though eight-in-ten of the employees interviewed read or write work e-mails on the move, and around seven-in-ten work on electronic documents away from the office, businesses are failing to provide their employees with secure tools for remote working and not putting the right security policies in place.

Fewer than six out of every ten respondents said their organisation had a remote working policy in place. Of those employees working for companies that do have a policy, more than a quarter of interviewees admitted they’d broken that policy in order to work remotely. Of those staff questioned, 8% had knowingly broken the policy and a further 18% say they’d unknowingly broken it.

Equally, of those individuals who do secure data that they take outside of the office, just over half said that their employer or a third party supplier provides the remote working security measures. One-in-five respondents reported that just they themselves provide the security measures.

“These figures emphasise the urgent need for businesses to ensure that their employees have the necessary systems in place to work flexibly and securely without further hindering productivity,” asserted Banks. “The reality is that people are working in cafes, on aeroplanes, in their GP’s waiting room and even while they take their children to the park. Organisations are tasked with a monumental challenge of providing secure access to corporate networks and data. Data protection is now a huge concern for employers who are battling to manage security and privacy for employees on the move.”

Nearly half (44%) of survey respondents said that data is never encrypted when taken out of the office

Nearly half (44%) of survey respondents said that data is never encrypted when taken out of the office

Key highlights of the research

Other research highlights are as follows:
• As many as 41% of interviewees suggested that they either do not have the right tools available to work remotely or that their solutions for doing so could be improved
• Three-in-five respondents would tell their boss if they lost a storage device with company data on it. However, nearly one-in-ten would do nothing. Less than one third of survey respondents said they have policies that dictate who should be notified depending upon the type and sensitivity of the data lost
• Almost a quarter of respondents have looked over the shoulder of someone working on a laptop/tablet in a public place or noticed someone looking over their shoulder while 6% would let someone else use their work laptop, tablet or smart phone outside of the office
• Around half (48%) of respondents that take digital files with them outside of the office do not fully separate their work and personal data, in turn placing their personal data at risk of being wiped when business data is compromised
• Only 70% of respondents report that they protect their data with passwords and only 36% encrypt their data. A small proportion of respondents are using biometric technology (14%) or remote wiping (7%) to secure their data
• Public areas such as pubs, cafes and restaurants (22%) and public transport (29%) are some of the most common locations for respondents to read or write work e-mails when outside of their home

Nick Banks: vice-president (EMEA and APAC) for Imation Corporation’s IronKey solutions

Nick Banks: vice-president (EMEA and APAC) for Imation Corporation’s IronKey solutions

*The research consisted of 1,000 online interviews carried out this summer and involving office workers in businesses of at least 250 employees and covering a range of industry sectors. 500 respondents emanate from the UK and 500 respondents work in Germany. 80% of respondents were required to work remotely for at least part of their working week. Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate

Leave a comment

Filed under Risk UK News

Cyber Streetwise survey reveals 75% of Britons place online safety at risk

A new survey conducted by Cyber Streetwise has revealed that most people are not taking the necessary steps to protect their identity online, with 75% of those who took part in the study admitting they don’t follow Best Practice to create complex passwords.

The figures have been released during Cyber Security Awareness Month to mark the launch of the latest phase of the UK Government’s Cyber Streetwise campaign. In partnership with the police service and industry experts, Cyber Streetwise aims to raise awareness of wise and unwise behaviour in the online space.

Despite 95% of Britons saying it’s their own responsibility to protect themselves online, two thirds are risking their safety by not using symbols in passwords. Nearly half (47%) exhibit other unsafe password habits such as using pet names or significant dates as their password.

Modern Slavery and Organised Crime Minister Karen Bradley MP explained: “When passwords are compromised, financial and banking details can be stolen and cause problems for the person affected, for businesses and for the economy. There’s an emotional impact caused by the loss of irreplaceable photos, videos and personal e-mails, but even worse these can be seized to extort money.”

Bradley added: “We can and must play a role in reducing our risk of falling victim to cyber crime. Most attacks can be prevented by taking some basic security steps, and I encourage everyone to do so.”

Vulnerability to ID theft, fraud and extortion

This latest research shows that 82% of people manage more online accounts that require a password than they did last year, with the average Briton dealing with 19. Over a third (35%) of those questioned admit that they do not create strong passwords because they struggle to recall them. However, poor passwords leave people vulnerable to identity theft, fraud and extortion.

Cyber crime presents a serious threat to the UK and the Government is taking action to increase public awareness of the risk, dedicating £860 million to this issue over the next five years through the National Cyber Security Programme. In essence, the Government is working hard to transform the UK’s response to cyber security.

The latest survey conducted by Cyber Streetwise has revealed that the majority of people are not taking necessary steps to protect their identity online

The latest survey conducted by Cyber Streetwise has revealed that the majority of people are not taking necessary steps to protect their identity online

Jamie Saunders – director of the National Crime Agency’s (NCA) National Cyber Crime Unit – commented: “The NCA is working closely with law enforcement colleagues all over the world to target and disrupt cyber criminals. We should be clear that the criminals will target weaknesses. On that basis, having weak passwords will leave people vulnerable.”

Saunders continued: “Nobody wants their personal financial details, business information or photographs to be stolen or held to ransom, so simple things like using three or more words, a mixture of numbers, letters and symbols and upper and lower case letters will make it much more difficult for hackers to access personal information.”

Creating strong and memorable passwords

Advice on creating strong and memorable passwords can be found at http://www.cyberstreetwise.com along with other easy tips for staying safe online. Tips for creating and remembering passwords include the following:

Loci method
Imagine a familiar scene and place each item that needs to be remembered in a particular location (ie a red rose on the table, a book on the chair, a poster on the wall). Imagine yourself looking around the room in a specific sequence. Re-imagine the scene and the location of each item when you need to remember

Acronyms
Use a phrase or a sentence and take the first letter from that sentence

Narrative methods
Remember a sequence of key words by creating a story and littering it with memorable details (for example, ‘The little girl wore a bright yellow hat as she walked down the narrow street…’)

Further information on Cyber Security Awareness Month is available at: http://www.staysafeonline.org/ncsam/

Leave a comment

Filed under Risk UK News

Employees cost UK businesses £130,000 per annum in lost productivity managing passwords

According to new research conducted by Centrify Corporation (a leader in unified identity management across data centre, cloud and mobile platforms), poor password habits are not only placing employers at risk but also losing them hundreds of thousands of pounds in lost productivity every year.

The survey of 1,000 UK workers highlights that the average employee wastes £2611 each year in company time on trying to manage multiple passwords. For an organisation with 500 staff on the payroll, that equates to a loss of more than £130,000 every 12 months.

“In our new digital lifestyles, which see a blurring of the lines between our personal and professional lives, we’re constantly having to juggle multiple passwords for everything from e-mail and mobile apps through to online shopping and social media,” explained Barry Scott, CTO (EMEA) for Centrify.

“According to the results of our extensive survey, over a quarter of us now enter a password online more than ten times each day, which could equate to 3,500 to 4,000 times every year. This is becoming a real challenge for employers who need to manage security and privacy concerns, and also for employees who are costing their companies both time and money.”

While around half (47%) of those employees questioned use their personal mobile devices for business purposes, one-in-three (34%) admit they don’t actually use passwords on these devices even though they keep office e-mail, confidential documents, customer contact information and budget details on them.

Centrify's Infographic on Passwords

Centrify’s Infographic on Passwords

High on many people’s list of ‘most annoying things’, it seems that passwords are becoming the cause of major headaches. Centrify’s study reveals that forgetting a password for an online account is more annoying for individuals than misplacing their keys (39% of respondents), a mobile phone battery ceasing to work (37%) or receiving spam e-mail (31%).

One-in-six (16%) of respondents would rather sit next to someone talking loudly on their mobile phone, 13% would rather spend an hour on a customer service line and 12% would prefer to sit next to a crying baby on a flight than have to manage all of their passwords.

Multiple incorrect password entries

The Centrify research also shows:
• More than one-in-three (38%) employees have accounts they cannot access any more because they cannot remember the passwords
• 28% are locked out at least once a month due to multiple incorrect password entries
• One-in-five employees change their passwords at least once a month while 8% change them every week
• Most have little faith in password security – just 15% believe their passwords are ‘very secure’

With nearly half (42%) of respondents creating at least one new account profile every week – more than 50 per annum, in fact – the problems around password management will only worsen. In fact, 14% of employees quizzed believe they will have 100-plus passwords to deal with in the next five years.

Despite this, it’s believed that many employees already seriously underestimate the number of account profiles they have online, with nearly half (47%) believing they have just five profiles – although a quarter admit they harbour 21 or more.

Andy Kellett at analyst OVUM added: “When it comes to providing safe access to what should be highly secure business systems, the password model is no longer fit for purpose. It remains the primary security tool for businesses in environments where other authentication options should be considered. We used to go to work and stay in one place. Now we are just as likely to be working from a remote office, on the train or at home and simple passwords are neither robust nor secure enough to support secure remote access.”

Kellett added: “With today’s workforce also using social media and flexible remote tools and applications, we need to empower them to do this by allowing them to have more ownership of their identities and incorporate better, more balanced security measures that also improve productivity.”

Top 5 bad password practices

When asked what they do in order to remember their passwords, survey respondents stated that they:
(1) Always use the same password whenever possible
(2) Rotate through a variety of similar passwords
(3) Keep a written password in a master book of passwords
(4) Use personal information in a password
(5) Avoid using complicated symbols or combining upper and lower case

Barry Scott: Chief Technology Officer (EMEA) at Centrify

Barry Scott: Chief Technology Officer (EMEA) at Centrify

Top 5 password tips

To help employers, Centrify has complied a list of top tips on effective password management:

• Educate staff about using passwords – make it a key part of your corporate security policy
• Make it easier for employees to work anywhere, any time by using technology that offers single sign-on capabilities (ie one click to access all of their work accounts and applications)
• With some mobile phones now providing both identity and access management capabilities, incorporate them as part of your BYOD (Bring Your Own Device) policy
• Create one profile for any corporate log-ins and then have privileges for individual employees within the one profile. Anyone who leaves the company can be removed automatically
• Think about replacing passwords with something much more intuitive like pass phrases.

The Widmeyer survey was developed to assess people’s engagement with – and their perception of – passswords in order to determine their efficacy in the workplace. The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions. The final results can be found at: http://www.centrify.com/Password-Survey

Reference

1Figure calculated by taking an average of the hourly rate of personal income from one’s job multiplied by the amount of time spent dealing with password management

Leave a comment

Filed under Risk UK News

Tesco.com data breach – comment from Kaspersky Lab and SafeNet

In response to this morning’s news that Tesco.com has experienced a significant data breach, David Emm (senior security researcher at Kaspersky Lab) and Jason Hart (vice-president of cloud solutions at SafeNet) offer advice on how consumers can make sure their data isn’t compromised in this type of attack.

“This latest data breach experienced by Tesco.com serves to prove the dangers of using one password across the board,” asserted David Emm (senior security researcher at Kaspersky Lab), “as this simply means that cybercriminals can gain access to all your online assets in one fell swoop.”

Emm continued: “It’s possible to create strong, memorable passwords which don’t use personal data. We’ve all heard the advice from security professionals:

1. Make every password at least eight characters long… and 15 plus is better
2. Don’t make passwords easily guessable. There’s a good chance that personal details such as your Date of Birth, place of birth and partner’s name, etc can be found online (maybe even on your Facebook wall)
3. Don’t use real words as they’re open to ‘dictionary attacks’ (whereby someone uses a program to quickly try a huge list of possible words until they find one that matches your password)
4. Combine letters (including uppercase letters), numbers and symbols
5. Don’t ‘recycle’ passwords (eg ‘david1’, ‘david2’, ‘david3’, etc)

Tesco has suspended thousands of online accounts after cybercriminals targeted log-in credentials and Clubcard points

Tesco has suspended thousands of online accounts after cybercriminals targeted log-in credentials and Clubcard points

“We are all aware that, if we follow this advice, there are too many, and they’re too complicated to remember – especially in the case of an account we don’t use very often.

“Instead of trying to remember individual passwords, start with a fixed component and then apply a simple scrambling formula. Here’s an example… Begin with the name of the online resource. Let’s say ‘mybank’. Then apply your formula. For example…

1. Capitalise the fourth character
2. Move the second last character to the front
3. Add a chosen number after the second character
4. Add a chosen non-alphanumeric character to the end

“This would give you a password of ‘n1mybAk;’.”

There is an alternative method, too. “Instead of using the name of the online resource as the fixed component,” stated Emm, “create your own passphrase and use the first letter of each word. So, if your passphrase is ‘the quick brown fox jumps over the lazy dog’, the fixed component of each password starts out as ‘tqbfjotld’. Then apply your four-step rule.”

Emm also commented: “By using either of these methods, consumers can ensure they have a unique password for each online account and therefore secure themselves against these types of breaches that make use of previously gained information.

“If you find even this too complicated, consider using a password manager – software that automatically creates complex passwords for you, keeps them secure and auto-enters them when you need to log in.”

Companies must focus on what matters most – the data

A former ethical hacker for more than 15 years, Jason Hart (vice-president, cloud solutions at SafeNet) explained: “In 2013, there were over 595 million data records lost or stolen, demonstrating that conventional breach prevention and perimeter-based security are not sufficient for protecting modern data. It’s clear that it’s not a matter of ‘If’ a data breach will occur, but ‘When’.

“On that basis, it’s vital that organisations are taking the correct precautions to ensure their most sensitive data remains protected.

“While the latest Tesco data breach was not a result of a direct attack on the Tesco.com website, it does highlight the wider implications of data breaches. Many people often use the same password across multiple sites, so the true impact of the any data breach is always likely to be bigger than first anticipated.”

Hart went on to state: “This is not the first time that supermarkets have fallen foul to a cyber attack and should serve as a reminder to all retailers of the threat posed by data breaches. Too many Security Departments hold on to the past when it comes to their security strategies, focusing on breach prevention rather than securing the data that they’re trying so hard to protect.

“Methods used by cybercriminals are becoming increasingly sophisticated and, if they want to hack the system or steal data, they will find one way or another to do so.

In conclusion, Hart stressed: “Companies need to focus on what matters most – the data. By using technologies such as encryption that render any data useless to an unauthorised party, as well as tamper-proof and robust key management controls, companies can be safe in the knowledge that their data is protected whether or not a security breach occurs.”

Leave a comment

Filed under IFSECGlobal.com News