For Small Organisations and individual users it is often difficult to know what they should be doing, and when they find out and start doing it, they may then find that it is not what they should be doing. We explore some of the reasons behind this, as well as our own frustrations with what happens in practice.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
In this episode, we're looking at why cyber security doesn't appear to be an exact science for many non-cyber security professionals and why it sometimes seems very contradictory depending on where a user searches for the information.
Password guidance inconsistencies
One of the areas where the inconsistency is most apparent is passwords.
For years, the guidance was "you must change your password every 30 days, 60 days, or 90 days", depending on the password policy. Users often responded to this guidance by simply adding a "1" at the end of the password, then they would add a "2" then a "3" and so on at the end of each period.
When professionals realised that the easy password was effectively the same each time apart from the last digit, the guidance changed to stop this. There was also a recognition that changing passwords every 60 days actually reduced security, as it encouraged users to create insecure passwords where only the last digit changed from one period to the next.
This means that the basis of both sets of guidance was good, but in the first one, professionals underestimated the inventiveness of users in finding an easier method of remembering their many passwords.
However, when the guidance has been one thing for so long and then changes to another, not only does it take time for users to get used to it, but they also find the changes disruptive to the behaviours they had adopted to comply with policy, behaviours that were not necessarily good practice.
This is further complicated where Organisations adopt the correct guidance, but the system they're using doesn't let them implement it. For example, for a considerable time, Microsoft users couldn't use a password for an Office365 administrator account that was longer than 16 characters. This was while the advice was “to use long, complicated passwords or passphrases.”
This is similar for people who try to add non-alphanumeric characters, and the system tells the user that they can't, or that the password is too long and/or has nonstandard characters. "But it's only 12 characters long. What do you mean it's too long?!"
Password issues extend beyond just basic logging on
Related to general password issues are those concerning the Wi-Fi standards used to protect passwords and logins for network devices. We were once told that a certain password encryption standard was secure; then, when everyone had adopted it, the guidance changed to "it's not secure anymore, it can easily be broken into, we need to use this new, more secure one now". Then, once everyone had got used to the new one, it changed again: "that's not secure anymore". Users start asking, "Well, what do we do? That old password standard is the only one on our equipment; we can't use functionality on our systems that doesn't exist, so now we are non-compliant with the guidance."
In some cases, the guidance on Wi-Fi changed because of technology changes such as faster speeds, but users hardly ever know why guidance is changed.
For an Organisation, the guidance is to be followed until it changes again or is superseded. But often what happens is that the information doesn't trickle down to everyone.
I know of incidents of disagreements with cyber insurance firms because the guidance doesn't always trickle down to all Small Organisations and the people responsible in them. In one particular case, it was the other way around, with the cyber insurance firm using outdated guidance. So, Small Organisations very rightly get confused and may either do the wrong thing or even worse, something that reduces security for their Organisation.
Vendors not following the same best practice
We've already mentioned vendors and technology providers, and even today the latest guidance on passwords hasn't reached Organisations and individuals, whether it's Microsoft (as in the previous example), a new service, or one that's been around for a long time. Each service provider may be working on a completely different set of authentication rules because there is so much guidance around; it just depends on which guidance they find and which is easy to implement. So, they're either working on older guidance or they don't know which one, or whose guidance, to follow.