#HowTo: Solve Your Organization’s Password Woes

As organizations across all sectors face an increasing volume of cyber-attacks, CISOs must continue to perform a careful balancing act – protecting their organization’s systems while implementing security measures that don’t overly inconvenience or disrupt employees. 

Nowhere is this truer than in the realm of user authentication and password management. If authentication requirements are too simple, cyber-criminals can easily overcome them. However, too complex, and employees will simply ignore or try to bypass them. After all, it’s human nature to prioritize convenience over security.

So, how to strike the right balance? Based on years of experience in supporting CISOs, here are four simple steps that can help organizations ease their password pains. 

1) Remember that Security Friction Leads to User Frustration 

Hackers are successfully targeting organizations through digital identities, which consist of the credentials necessary to access resources in a network or online. To combat this threat, complex passwords (16+ characters, unique, including symbols and numbers, etc.) are often used to defend networks because they’re more difficult for cyber-criminals to hack. However effective, implementing complex passwords is easier said than done because they’re difficult for users to remember and store. This is compounded by the fact that employees are using an increasing number of applications and devices in their work. In fact, research from the healthcare sector shows that the annual cost savings in reducing time to log in to network resources is $92,146 per hospital per year. Given this figure, it’s no surprise that many CISOs want to implement easier access for employees. The alternative is employees who come up with workarounds to complex passwords – inadvertently increasing IT risks. 

The security implications of this practice are all too real. Password reuse was at the center of this year’s highest-profile cyber-attack, the Colonial Pipeline hack. Attackers reportedly entered the organization’s systems via an employee’s VPN account. The employee had used the same password multiple times, and thanks to an unrelated leak, their password was part of a batch for sale on the dark web.

2) Integrate Security Steps into End User Workflows with Single Sign-On 

Instead of requiring individuals to remember and manually enter complex passwords each time they log in to workstations and applications, organizations should incorporate compliance and security into their workflows with single sign-on (SSO) technology. SSO is an advanced identity management and user authentication technology that removes the need for manual password entry by enabling access to apps, systems and data using a single login. Not only does this allow organizations to implement stronger security, but it does so without sacrificing user productivity. 

3) Implement Multifactor Authentication

For situations in which maximum security is needed, SSO could/should be combined with multifactor authentication (MFA), which requires end users to verify their identity in multiple ways before they are granted access to a system. While complex password policies certainly strengthen security, they’re often not enough because they continue to be the primary means of accessing network data. Adding MFA gives organizations an extra layer of security that can be further enhanced by limiting the authentication methods allowed based on specific workflows. 

4) Make Security Invisible 

Striking the elusive balance between security and efficiency can be daunting, but together, SSO and MFA can prevent unauthorized network access while providing a seamless and compliant user experience. 

Security becomes invisible to the end user through no-click access to apps, systems and data, while convenient authentication methods like hands-free authentication and push token notification improve security without adding barriers to access. This means less frustration for end users, less time spent calling the IT desk for a password reset and less risk for CISOs. 

What’s Hot on Infosecurity Magazine?