Security investment isn’t keeping up with threats. Slowly but surely, security providers are coming to terms with the inevitable. No system can ever be truly secure, and the most effective strategy is to focus not just on keeping attackers out of a network, but to limit the damage they can do when they get in.
Our new mantras are “encryption everywhere” and “layered defences” that can catch known malware and detect new types of attacks early. We understand the value of regular testing, and making sure that new features in a system haven’t compromised the security of old ones.
For many businesses, however, the sad truth is that changing strategy to deal with emerging cyberthreats is deemed either too costly or too complex. Investment in security by the business world is simply not keeping pace with the rise in cyberattacks.
Take passwords, for example. Strong user authentication has to be at the core of any modern security policy. It’s vital to know who is on your network in order to set up access restrictions and silo sensitive data, to protect it from attack, and to perform forensics in the event of a security breach.
All too often, however, we find that many small to medium-sized firms aren’t developing policies that encourage strong password use among employees. And where they are, those policies aren’t being made fit for purpose. It’s not enough to insist on strong passwords for corporate networks if no attempt is made to explain why: if an employee continues to use unsafe passwords in their everyday lives, the chances are that at some stage they’ll be a weak point in your defences.
The challenge is insurmountable: end users will value the convenience of an easy-to-remember password over one that is hard to crack. For the majority of people, that behaviour is unlikely to change. That’s why, year after year, in every report on password use the most popular passwords remain trivial-to-crack combinations such as “password”, “1234567” or “qwerty”.
That’s why the big tech firms, such as Google, Apple, Facebook or Dropbox, have begun to encourage end users to turn on more effective measures to augment basic password protection. Two-factor authentication (2FA), in the form of one-time passwords delivered via SMS or an app, is becoming common. Banks generally insist on it.
So why aren’t more businesses doing the same thing? Unless they can encourage their own employees to adopt better password discipline and 2FA, other investments in security are likely to be compromised via techniques such as spear phishing or social engineering attacks.
If we can’t teach employees better password habits, the solution is to provide assistance that takes the burden of security away from them. Employers have a golden opportunity, for example, to mandate the use of password vaults, which can generate and store long, uncrackable passwords, for company credentials, and to encourage their use for personal accounts too.
Two-factor authentication isn’t as difficult to implement as you might think, either. At Ansys, for example, we’ve developed Solid webKey, a cost-effective USB device that combines an encrypted password manager with a 2FA hardware token and can be easily integrated into existing systems.
Businesses are digitising fast, and security spending and employee technical knowledge are not keeping up – a gap that is even more pronounced in South Africa than elsewhere in the world. Solutions such as Solid webKey won’t solve all the cybersecurity challenges that businesses face, but they will help to address the basics and make sure that other investments are worthwhile.
• Teddy Daka is chief executive of Ansys Limited