For all the talk about IT security, most end users are still their own worst enemy. They employ the same basic password time and again and have access to administrative rights most will never need. Invariably, when an end user’s credentials are compromised it turns out the damage done to the system can be directly attributed to the fact that they had administrative rights that enabled hackers to install malware on that machine.
Researchers at the Institute for Security, Technology, and Society (ISTS) at Dartmouth College are exploring the underlying causes of the recent data breach epidemic. Based on their findings thus far, the researchers are urging organizations to eliminate the use of legacy identity schemes based on usernames and passwords. The researchers say organizations should be using much stronger multi-factor authentication schemes instead.
Remove administrative rights
At the same time, it’s clear that organizations should be revoking administrative rights. In fact, a recent report issued by Avecto, a provider of endpoint security software, found that 98 percent of all Windows vulnerabilities and 80 percent of all Microsoft vulnerabilities could be mitigated by removing administrative rights.
For their own sakes, it might be time for IT services providers to finally lead by example. Many IT service providers still rely on antiquated username and password combinations to provide access to their services. Worse yet, on the endpoints they manage, the end user still has administrative rights to the system. Between those two issues alone, it’s only a matter of time before an IT service provider finds itself dealing with an IT security incident that it is blamed for “allowing” to happen.
Communicate security changes
Naturally, preventing that situation requires a deep conversation with the customer about why existing authentication and permission policies need to change. More often than not, the end customer isn’t even aware this is an issue. All they know is that their IT security was compromised. In fact, the idea that there were steps that should have been taken to prevent that breach from occurring in the first place never seems to occur to anyone.
The silver lining is that the increased volume of data breaches has senior managers asking some pointed questions about IT security. Their concern is not so much that there are vulnerabilities in the IT systems as it is the realization that the company’s core intellectual property can be easily stolen. What was once a nuisance perpetrated by amateur hackers is now a multi-billion-dollar business operated by loosely knit organized crime syndicates and nation states where there isn’t necessarily a rule of law to be applied.
Take the lead
Obviously, there is no such thing as perfect IT security. But right now it’s pretty clear that most of the IT services being delivered today are by definition easily compromised, and the endpoint that consumes those services is a gateway through which all kinds of malware can be injected into a distributed computing environment.
All those security factors considered, IT services providers now have no choice but to lead by example and use more stringent security controls. Otherwise, anything that happens could arguably be considered reckless disregard on the part of IT experts who should have known better.