The Edward Snowden Effect: PRISM Fiasco Highlights Dangers Of Password Sharing

Insider Threat

In business, insider threat has always existed, but it is often overlooked amid fears of viruses and lost hardware. Recent revelations that Edward Snowden convinced his colleagues to share passwords with him to gain access to classified files has once again put the insider threat back onto the business agenda. And rightly so, in my opinion.

Former NSA contractor Edward Snowden, who disclosed 200,000 classified documents to the press on the US mass surveillance programme and on the UK's Government Communications Headquarters, may have found it easy to reach classified material by convincing staff that he needed their user names and passwords to carry out his work.

Using what is known as social engineering to gain access to other users’ accounts is a basic hacker trick, and not one employees at the NSA should have fallen for. But the practice is far from uncommon; many companies share details regularly without realising the risks it poses.

It is often the most senior employees with privileged network rights and access who are most likely to expose corporate data by passing passwords around. In order to delegate work, or to share with another senior employee, they might assume that the rules do not apply to them.

Sharing details when employees are off sick or on holiday and other members need access is another common occurrence, as is giving new employees passwords before they have their own network access.

While sharing passwords and logins for these reasons might seem like a necessity to the user at the time, or the easiest solution in the given situation, it is important to understand the risks posed to a business. No doubt Snowden gave his colleagues equally compelling reasons for requiring their passwords, and whilst most businesses don’t have information as sensitive as the NSA’s on their networks, most would still not consider the risks posed to be worth taking versus the cost of implementing a solution.

Most organisations deal with the password issue by telling users not to share their password. This generally happens on the first day they join the company. But if there is a culture of sharing passwords or a tricky situation that could be resolved by accessing a colleague’s PC, the details are usually shared without a second thought.

But a company policy that relies on users doing or not doing something is flawed from the beginning, and that is because humans are involved. We make mistakes, we forget, and of course we are not all upstanding, law-abiding citizens.

Today’s mobile workforce, often using their own devices to access the corporate network from any location, only exacerbates this situation. According to the International Data Corp the mobile workforce will surpass 1.3 billion people by 2015 representing 37.2% of the world’s overall work force, as more of us make the move from office building to working from home.

For this reason, companies need to have a technology solution that stops users from sharing their passwords. By deploying a solution that actively manages concurrent users, organisations can control all user access, permitting or denying logins at a certain time, location or device.

Preventing concurrent logins means a user account can only be logged on once at any given time, from a single device. Users now think twice about sharing details, as they won’t be able to get on the system if someone else is logged in too. Controlling concurrent logins, together with where, when and for how long users access the system, also makes it impossible for any rogue user to use valid credentials at the same time as their legitimate owner.
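As an added illustration of the control described above (example code written for this page, not a product of IS Decisions or any other vendor), the following Python script applies a per-account access policy to a constructed stream of Windows-style logon and logoff events. Each logon is checked against the account's permitted hours, its permitted workstations, and a limit on simultaneous sessions, so a colleague logging on with a shared password while the owner is already signed in is denied and the reason is recorded. The account names, workstation names, policy values and event timestamps are all constructed for the example.

```python
"""Concurrent-logon policy check over constructed logon/logoff events."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Policy:
    """Per-account access policy (constructed values for this example)."""
    start: time            # earliest permitted logon time of day
    end: time              # latest permitted logon time of day
    hosts: Set[str]        # workstations the account may log on from
    max_sessions: int = 1  # simultaneous sessions allowed (1 = no concurrency)


@dataclass(frozen=True)
class LogonEvent:
    user: str
    host: str
    kind: str              # "logon" or "logoff"
    at: datetime


@dataclass(frozen=True)
class Decision:
    user: str
    host: str
    decision: str          # "ALLOW" or "DENY"
    reason: str            # empty when allowed


# Constructed policy table: only "alice" has an entry.
POLICIES: Dict[str, Policy] = {
    "alice": Policy(time(8, 0), time(18, 0), {"WS-ALICE", "WS-SHARED"}, 1),
}


def decide(ev: LogonEvent, policy: Optional[Policy], active_hosts: Set[str]) -> Optional[str]:
    """Return None if the logon is permitted, otherwise the reason it is denied."""
    if policy is None:
        return "no access policy defined for account"
    if not (policy.start <= ev.at.time() <= policy.end):
        return "outside permitted hours"
    if ev.host not in policy.hosts:
        return "workstation not permitted for this account"
    # A fresh session from another machine while the account is already
    # signed in elsewhere is exactly the shared-password case.
    if ev.host not in active_hosts and len(active_hosts) >= policy.max_sessions:
        return "concurrent session already active on " + ", ".join(sorted(active_hosts))
    return None


def evaluate(events: List[LogonEvent]) -> List[Decision]:
    """Replay events in time order, tracking active sessions per account."""
    active: Dict[str, Set[str]] = {}
    results: List[Decision] = []
    for ev in sorted(events, key=lambda e: e.at):
        hosts = active.setdefault(ev.user, set())
        if ev.kind == "logoff":
            hosts.discard(ev.host)
            continue
        reason = decide(ev, POLICIES.get(ev.user), hosts)
        if reason is None:
            hosts.add(ev.host)
            results.append(Decision(ev.user, ev.host, "ALLOW", ""))
        else:
            results.append(Decision(ev.user, ev.host, "DENY", reason))
    return results


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    LogonEvent("alice", "WS-ALICE", "logon", datetime(2013, 6, 10, 9, 0)),
    LogonEvent("alice", "WS-SHARED", "logon", datetime(2013, 6, 10, 9, 5)),   # colleague using alice's password
    LogonEvent("bob", "WS-ALICE", "logon", datetime(2013, 6, 10, 9, 30)),     # account with no policy
    LogonEvent("alice", "WS-ALICE", "logoff", datetime(2013, 6, 10, 12, 0)),
    LogonEvent("alice", "WS-SHARED", "logon", datetime(2013, 6, 10, 12, 10)), # owner moved to another desk
    LogonEvent("alice", "WS-KIOSK", "logon", datetime(2013, 6, 10, 12, 30)),  # unapproved workstation
    LogonEvent("alice", "WS-ALICE", "logon", datetime(2013, 6, 10, 22, 0)),   # out of hours
]


if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS):
        print(f"{d.user:<6} {d.host:<10} {d.decision:<5} {d.reason}")
```

In a real deployment the event stream would come from the domain controllers' security logs or from an agent on each workstation, and a DENY would be enforced at logon time rather than merely recorded; the evaluation order (hours, then workstation, then concurrency) is a design choice, so the first rule that fails is the one reported.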

To the user, password sharing might seem like an insignificant risk when they have a job to do, and this is not something that can be addressed with technology alone. Users must know the reasons why it is such a risk and the potential consequences, and it is part of the IT department’s role to educate them in that.

As an organisation that is naturally hyper-sensitive about security, the NSA reportedly took 25 employees off the job for breaking security rules in the Snowden case. Insider threat is a very real concern and password sharing a very real cause, but the right technology and the right education can help ensure a secure environment that keeps confidential data safe.

Francois Amigorena

François Amigorena is founder and CEO of IS Decisions, a provider of Infrastructure and Security Management software solutions for Microsoft Windows and Active Directory. IS Decisions offer solutions for user access control, file auditing, server and desktop reporting, and remote installations. Its customers, including the FBI, the United Nations and Barclay’s, rely on IS Decisions to prevent security breaches, ensure compliance with major regulations, such as SOX, FISMA and HIPAA, quickly respond to IT emergencies and gain time and cost-savings for IT.