Password hygiene: A case study in security and privacy

Most organizations focus on issues such as external vulnerabilities that lead to data breaches. Data privacy, on the other hand, goes beyond traditional cybersecurity issues, even though the two often overlap.

Privacy includes issues like excessive access, snooping, and sharing an internal link with someone else within the organization. As regulatory requirements and interconnected IT ecosystems increasingly blur the lines between privacy and security, understanding an example of where the two overlap offers greater insight into why organizations need to address both simultaneously rather than treating them as siloed issues.

The Nuance Between Privacy and Cybersecurity: People

Many organizations focus on privacy and security from a social engineering standpoint, considering ways that external malicious actors exfiltrate information. While this approach links the two, it only minimizes half of the privacy risk.

Organizations adopt automation to reduce the operational cost of monitoring these threats and risks. While automation can reduce the human-error risks that weaken privacy protection, for example by helping enforce the principle of least privilege, password hygiene cannot always be governed by machines. That brings privacy back to the “human factor” the organization adopted technology to reduce.

The Dangers of Password Sharing

As organizations adopt digital transformation strategies, they add more applications to streamline business operations. As part of the controls, each new application requires password access. In some cases, organizations require people to remember the passwords individually; in other cases, they attempt to reduce password fatigue with single sign-on (SSO) tools. However, even those tools fail to mitigate password hygiene risks for a variety of reasons.

First, people hate cumbersome and time-consuming “reset my password” processes, which influence the passwords they choose. An October 2019 study of Americans’ password use, conducted by Harris Poll in conjunction with Google, found:

  • 66% of respondents use the same password for more than one online account
  • 24% of respondents use common variations of common passwords
  • 20% of respondents shared an email account password
  • 15% of respondents use a password manager

Unsurprisingly, workplace password hygiene fares no better. The workplace, however, comes with an entirely different set of problems. Many users need access to applications, know that their coworkers already have access, and ask them to share passwords for convenience. According to a March 2019 TechRadar article:

  • 34% of respondents share passwords or accounts with coworkers
  • 22% of respondents admitted to reusing the same password on multiple work accounts

In other words, sharing passwords and using commonly known risky passwords continues to be a problem.

A Real-World Hypothetical

Organizations seeking to reduce fines and lawsuits arising from increasingly stringent consumer privacy laws need to secure their systems and data at the human level. Poor password hygiene does more than increase cybercrime risk. It also increases privacy risk, especially as new regulations tighten the definition of “privacy” from acquisition to access.

Looking at the changes made under the NY SHIELD Act, good faith access by an employee requires that the information not be subject to unauthorized disclosure. “Unauthorized disclosure,” however, is never defined. To give a hypothetical example that incorporates password hygiene, consider the following:

  1. Employee A requests the email address of a customer
  2. Employee B is busy and gives their Customer Management System password to Employee A
  3. Employee A not only accesses the original email address but also gains access to other customer information that is not necessary to their job function

This hypothetical could be considered a data security breach under laws like the New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act, which states:

“Breach of the security of the system” shall mean unauthorized ACCESS TO OR acquisition OF, or ACCESS TO OR acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of [personal] PRIVATE information maintained by a business. Good faith ACCESS TO, OR acquisition of [personal], PRIVATE information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.

Under NY SHIELD, the above password sharing hypothetical impacts both privacy and security because no viable business objective underlies Employee A’s access to all the information that the shared password provides. In fact, even though Employee B is authorized to access the system, Employee A lacks both the credentials and the authorization needed to do so, and because the definition covers unauthorized access as well as acquisition, access alone, even without acquisition, makes this a potential compliance violation.

Understanding the “Clutch Power”

While it might seem juvenile to build cybersecurity and privacy policy initiatives around something considered a “children’s toy,” the LEGO system’s engineering innovation provides the basis for the stability of what people build with the bricks. When LEGO first started producing bricks, the tops had the ubiquitous pegs, but the bottoms lacked the current “tube” structure. Children could build square towers, but the bricks’ instability limited their creativity. In the 1950s, LEGO created its now-famous “systems,” bricks that incorporated a patented design and could be combined in a variety of ways to meet the builder’s creative needs. The company refers to this system of pegs and tubes as “clutch power” or “clutchability.”

What is “Clutch Power”?

A 1983 Washington Post article by Peter Osnos provides the following definition of “clutch power”:

the grip that holds one piece to another. Measurements have to be exact down to minute fractions of an inch, which requires high-precision machinery and closely monitored quality control.

From a functionality standpoint, “clutch power” means that structures remain stable even when bricks protrude at odd angles. By allowing designers to expand the range of shapes their designs could take, clutch power drove the company’s market success.

The Clutch Power of Password Hygiene for Data Security and Privacy

The LEGO system’s clutch power drives its business model. Innovative at the time, the company’s approach to building the toys and its dedication to precision have made it one of the most successful companies in the toy industry. When looking at the bricks themselves, the design that makes them functional arises from no single aspect – not the shape, materials, existence of pegs or tubes, length of pegs, or depth of tubes – but from the design as a whole.

Creating a culture of both security and privacy works the same way.

Password hygiene from a clutchability perspective means not only enforcing strong password or passphrase requirements but also ensuring that all users understand the multifaceted risks associated with poor password hygiene. Whether the cause is a brute force attack or a shared password, a lack of password hygiene leads to both security and privacy compliance violations. Treating the two as separate issues in a digitally connected world fails to properly secure data or protect privacy.

By embracing the clutch power of privacy and security, organizations can create a more robust data protection program that enables them to remain financially secure.

Applying “Clutch Power” to Security and Privacy Compliance

Just as the LEGO bricks must be taken holistically to provide the optimal “clutch power” building experience, organizations must create holistic privacy and security programs with the right clutch power, or ratio, of technology, policies, procedures, and user knowledge to secure their future financial success and build cyber-sustainable digital transformation strategies.

Similarly, privacy and security work together to create a more holistic approach to preventing data breaches and protecting customer information. While privacy compliance requires managing users’ access to, and within, IT ecosystems, security controls around password hygiene also limit the potential for stolen credentials.

Addressing security separately from privacy, or vice versa, ignores the deeply integrated way in which users interact with IT systems and the way malicious actors exploit that gap. Organizations looking to meet compliance mandates too often treat these as divergent initiatives. For a holistic approach to mitigating cyber threats, organizations need to consider the overlaps between privacy and security compliance purposefully in order to protect themselves from both data security incidents and privacy compliance violations.
