Government workers admit to sharing passwords on social media – and security professionals lose their minds.
Security best practice has been put in the spotlight this week, with an investigation into government MPs showing that not even the UK’s government officials follow Westminster’s IT security policy that “passwords must be considered as confidential and must only be used by the originator (and not shared with other users)”. The admissions came to the fore following reports that the de facto Prime Minister Damian Green’s computer was found to have pornography downloaded on it. Many of his colleagues jumped to his defense, tweeting that they were not the only ones with access to their computers and that they often share passwords.
As a result, MPs have been sent further reminders about security policies that they should be following. In addition, the ICO confirmed this week that it was making inquiries into the data security practices at Westminster. Security professionals all over the world also took to social media to share their unease with the offending MPs’ poor password practices.
The case does make you wonder: if the UK’s own government isn’t practicing what it preaches, even when national security is at risk, what hope is there for ordinary businesses? It just goes to show that human behavior is one of the biggest challenges organizations face when developing security policies. As the old saying goes: “you can’t fix stupid”.
Indeed, establishing these best practice procedures is of vital importance, as is maintaining and enforcing them, and the value of doing so should never be underestimated. If you think your organization is falling short of the advice given about sharing passwords, perhaps it’s time for a New Year’s resolution or two. In fact, the National Cyber Security Centre (NCSC) offers some good advice on simplifying users’ approaches to passwords.
Particularly with GDPR on the horizon, if organizations are caught not taking reasonable action to secure EU citizens’ personal data, the repercussions could be immense. And while sharing passwords isn’t a statutory offense, we expect the murky waters will become pretty clear in the months following enforcement of the regulation. Those companies that start implementing and maintaining security best practice procedures now will stand the best chance of saving themselves a world of trouble once GDPR is enforceable.