Daniel awoke with a start to the harsh tones of his morning alarm. He mashed the snooze button on his phone that he kept next to him on his bedside table. Rubbing the sleep from his bleary eyes, he opened his email to get a jump on his day. While lying there, with his bed still beckoning him back to sleep, he considered how little sleep he was running on. There had been a lot of changes at work lately, and as the Director of IT he had been overseeing and controlling the chaos as best he knew how. “Junk, delete. Junk, delete,” he whispered to himself as he virtually crumpled and tossed emails into his digital trash bin. But this next email, it wasn’t junk.
Daniel tapped the email to open up his daily news alert. Scanning the headlines, a competitor’s name popped out. They had suffered a massive security breach, which would likely earn them HIPAA violations and the resulting fines and settlements. Daniel pondered the damage to their brand and reputation and couldn’t help but wonder what would happen should he find himself and his organization in a similar situation. Before he had much time to think about it, his cell phone alarm blasted him out of his fog and urged him up out of bed.
While driving to work, Daniel revisited his early morning concerns and wondered what sort of security weaknesses his own organization could be harboring. With the swath of new employees that had just begun working, the possibility of password sharing was strong, since new employees might not yet have access to the things they needed to do their jobs correctly. The complex password standards could potentially be ignored by more seasoned employees who were becoming complacent in their positions, and that was just in the hospital. What about the private practices that were connected to the healthcare organization? Daniel didn’t have many eyes and ears in those offices, and he fretted about the ramifications of poor execution of his carefully selected safeguards for the protected health information entrusted to them to keep private and confidential.
At work, it was clear the leadership was having similar worries. Emails were coming in all morning from the CEO, members of the board, and even the Chief Medical Officer shot one over. Daniel was hopeful that the budget funds he had invested in IT infrastructure and security were well spent and that the organization’s policies and procedures had enough precautions built in to protect the data they had been entrusted with, which was so desirable to hackers and those with duplicitous intent. Even though it seemed like all his bases had been covered, he felt a crack in the foundation of his certainty. As Daniel walked around the office, he noticed a few passwords written on sticky notes clinging to user monitors and started to wonder if they were really secure.
Doubt blew bitterly around him, eroding the confidence he once felt. But even with this realization, he had to accept that he didn’t know where to turn.
Daniel’s situation is not unique. You might even be Daniel. As a consultant with ROVE, specializing in modern security and digital transformation, I’ve had my fair share of clients who are looking for products and solutions that can give them peace of mind and confidence about the strength of their infrastructure and data protection. I’ve counseled and created solutions for people in Daniel’s position for many years. If you haven’t taken inventory of the security policies at your organization lately, you may very well be behind the times and leaving your precious data open for damage and destruction.
Modern application architectures and hybrid IT are pushing security boundaries off the premises and into the cloud, far beyond the traditional workplace. As a result, defining and enforcing security policies is both more complex and more necessary than ever. In the wake of several high-profile security breaches, more and more organizations are realizing they cannot trust the security of their sensitive data to just a person’s username and password. The average HIPAA violation fine resulting from password theft, or from security protocols that insufficiently authenticate a user’s identity, can be a budget buster. But even outside the medical industry, loss of protected client data is a huge blow to the trust an organization has built.
Trust is earned, and trust is everything. A breach of trust can take years and countless dollars of investment to begin to rebuild.
There are many problems with attempting to protect your valuable data using only passwords. First of all, it puts the security burden on your users. In the healthcare industry, your users have lives to save, and password creation isn’t even close to their highest priority. Further, it expects them not only to create unique passwords following the most current best practices, but also to remember them. Since most computer-operating humans have several of these types of passwords to remember, this leads to the next security problem. All these lengthy, complex passwords are hard for users to keep up with. This issue usually results in two major problems: account lockouts and password re-use. Account lockouts create downtime, and thanks to Murphy’s Law, usually at the worst possible times. Account lockouts cause loss of productivity, loss of revenue, loss of trust, and potentially, in the healthcare industry, catastrophic medical outcomes. Alternatively, some users may attempt to avoid lockouts by reusing passwords, which brings its own issues. A sobering report from Verizon showed the danger of relying on highly exploitable passwords, with a stunning 81% of hacking incidents resulting from exploiting stolen or weak passwords.
Yet another risky outcome of your current security protocols is account sharing. Users may find the complex, multi-step password setup you currently have laborious and may instead opt to share accounts. While this might seem like a harmless shortcut to them, it erases any accountability or ability to identify who made changes. Additionally, this practice defeats authorization, the process of determining whether an individual should have access to particular programs and data; password or account sharing subverts that process entirely.
Clearly, in today’s environment, passwords alone are no longer an effective way of protecting your critical apps and data. With a growing mobile workforce, applications in multiple clouds, and tons of devices outside of IT control, many organizations are investing instead in multi-factor authentication. This advanced method of authentication requires information from at least two independent categories working together to allow access to protected data. Multi-factor authentication is the gold standard, commonly used in financial and law enforcement environments. The future may even be password free.
It’s possible to have data protection that goes beyond passwords by combining something your end users know, their password, with something they have, like their mobile device, to provide secure access to all your apps and data. Any comprehensive security strategy should reduce the risk of security and data breaches. Your strategy should reduce compliance risk, simplify security operations, and be up to the challenge of protecting apps and data outside the network perimeter. Is your security strategy strong enough to deliver? If you find yourself in Daniel’s position, with doubt corroding your confidence and competence, it’s time to seek help to restore a level of measured assurance.
Pat Bodin, Chief Technical Officer, ROVE
Reece Johnson, Senior Technical Architect, ROVE