You know society has reached a tipping point when a late-night comedic talk show host makes cybersecurity the focus of one of his bits.
That’s what happened when Jimmy Kimmel Live aired a cybersecurity segment that involved approaching random pedestrians on the Hollywood Walk of Fame and asking them for their Internet passwords. If you think that most of the people interviewed refused to tell, you’d be wrong. One after another, an alarming number of interviewees revealed their passwords. The first confessed that her password was a combination of her dog’s name and her high school graduation year—then went on to give away the name of the dog and what year she graduated. The next admitted her password was her cat’s name and a “random” number, then told the interviewer the name of her cat and what numbers she usually used: birthdays and the like. And it just kept going.
This is a CIO’s worst nightmare, as the Wall Street Journal pointed out, and it illustrates a problem that’s all too prevalent in the enterprise: poor password policies and awareness. If people are willing to give away their passwords on national television just to get on camera, how many more see nothing dangerous about writing down their passwords and leaving them in the open (on a sticky note on their office monitor, for example), or about using the same password for several applications? And how many could be duped into telling a scammer enough to guess their passwords? Too many, that’s for sure.
Poor password management on the individual level is a serious problem that must be addressed. From the CIO and CISO standpoint, addressing this problem will require two main components: education and policy.
Employees must first of all be educated in the importance of strong passwords and the dangers of using easily guessable or easily accessible passwords. Here, a memo to be signed upon employee onboarding isn’t enough. Cybersecurity training meetings may be useful, and periodic reminders can also be helpful. Among the points to convey are the following:
- Passwords should not contain easily guessed words such as names, places, and numbers of personal significance. No birthdays, anniversaries, or phone or address numbers.
- Passwords should not be written down.
- Passwords must never be given out to anyone, not even IT support. Legitimate support staff do not need an employee’s password to do their job, so any request for one, whatever channel it arrives through, should be treated as a red flag and reported.
When it comes to policy, meanwhile, CIOs and CISOs should ensure that employees are not reusing the passwords they use for personal accounts and services, and that corporate passwords are strong and changed when there is reason to change them. Some points to consider for a strong password policy include:
- Passwords that meet a minimum length and may include numbers, letters, and special characters (length and unpredictability matter more than forced character variety); checking candidates against lists of common and previously breached passwords catches the worst choices
- Passwords that do not include employee names or other details an attacker could look up or simply ask about
- Passwords that are changed whenever there is any sign of compromise; a fixed rotation schedule such as quarterly changes tends to produce predictable variants (Summer1 becomes Summer2), which is why current guidance such as NIST SP 800-63B no longer recommends it
- Passwords that cannot be reused, enforced by comparing each new password against a history of the user’s previous password hashes
- Policies on where and how passwords should be maintained, including an approved password manager as the alternative to notebooks and spreadsheets
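As an added illustration of how the policy points above can be enforced in code (this is not code from the original article), the following Python checker rejects the weak pattern the Kimmel segment exposed (a pet’s name plus a meaningful number), screens candidates against a common-password list, and blocks reuse by comparing the candidate against salted hashes of the user’s previous passwords. The tiny common-password set, the personal_tokens argument (assumed to be drawn from the employee’s HR record) and all helper names are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for a real common/breached-password list (a Have I Been
# Pwned download, for instance); kept tiny so the example runs offline.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash used both for storage and for the reuse-history check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll_password(password: str) -> tuple[bytes, bytes]:
    """Return the (salt, digest) pair to store; the history list holds these pairs."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def check_password(password: str, personal_tokens=(), previous_hashes=()) -> list[str]:
    """Return every policy violation found; an empty list means the password is acceptable.

    personal_tokens:  hypothetical values taken from the HR record (names, birth year, ...)
    previous_hashes:  (salt, digest) pairs from enroll_password for the user's past passwords
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    # The "dog's name plus graduation year" pattern: any known personal token
    # that appears inside the password, ignoring case.
    hits = [t for t in personal_tokens if len(t) >= 3 and t.lower() in lowered]
    if hits:
        problems.append("contains personal details: " + ", ".join(sorted(hits)))

    # A single word followed by a few digits (and maybe one symbol) is the
    # classic predictable shape, whether or not the word is in our tiny list.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[!@#$%^&*]?", password):
        problems.append("is a single word followed by digits")

    # Reuse check: hash the candidate with each old salt and compare in constant time.
    for salt, digest in previous_hashes:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reuses a previous password")
            break

    return problems


if __name__ == "__main__":
    # Constructed demo: the interviewee's dog and graduation year from the segment.
    print(check_password("Rex1998", personal_tokens=["Rex", "1998"]))
    history = [enroll_password("Sturdy-Gate-Raven-Monday")]
    print(check_password("Sturdy-Gate-Raven-Monday", previous_hashes=history))
    print(check_password("correct-horse-battery-staple"))
```

The reuse check deliberately stores only salted PBKDF2 digests, never the old passwords themselves, so the history file is no more sensitive than the live credential store; the cost of re-hashing the candidate once per historical entry is acceptable because it only happens at password-change time.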
Setting sensible password policies and educating employees on the importance of good passwords will go a long way toward solving one of the key security issues of the day: the ease with which scammers can obtain or guess passwords and use them to infiltrate corporate systems. This is especially critical when it comes to cloud security, where an employee’s login credentials can grant an attacker access to a wealth of sensitive corporate data from anywhere on the Internet, which is also why a second authentication factor should back up the password wherever the service supports one.
Even late-night comedians are aware of the cybersecurity dangers created by well-meaning, ordinary people. It’s past time to patch up this glaring hole in many an organization’s security.