Computer security has existed since the very first computer hackers in the 1960s and 1970s began exploring mainframe computer systems via purloined dialup modem numbers. Since that time, the world has stored more and more of its critical information in electronic format in digital repositories—and hacking has become more and more sophisticated. Today, hacking is an important form of corporate and state-sponsored espionage, and preventing unauthorized system intrusions is both critically important and an ever-growing business.
Computer security has come a long way since the very first password systems were developed and put in place. Today, for example, organizations are encouraged to segment their various systems so that an intrusion into one server or system doesn't necessarily compromise all other devices on the network. Each segment is typically separated by additional security, so that a stolen password cannot provide access to more than one server or system. Thus, system users often need separate passwords to log onto their corporate computer network, their work email account, internal intranet/SharePoint site(s) such as case management systems, HR systems, timekeeping systems, and travel reservation sites—just to mention a few of the internal systems found inside a typical organization.
In addition to segmenting an organization's networks, passwords themselves have been made much more difficult to crack. The days of passwords like "password" and "qwerty123" are over, and most systems today routinely require passwords that contain a mixture of upper and lower case letters, one or more numbers, and one or more special characters such as #%&*!. Some systems even generate passwords to prevent users from using such obvious and easily guessed passwords as "Qwerty123!." Most systems now require that users change their passwords every 60-90 days so that any misappropriated passwords quickly become obsolete and nonfunctional. And, to discourage automated brute force hacking attempts, most systems are now configured to lock out any user who enters an incorrect password three times in a row.
Properly implementing these basic computer security best practices can make it much more difficult for hackers to gain access to an organization's full information. However, these same best practices also make it more difficult for authorized users to access the information that they need to perform their work. It's extremely difficult, if not impossible, for users to remember auto-generated system passwords like "F%mc#!L;cvb)". Even more important, it is less and less possible for users to remember the many unique user ID and password combinations that they need to access each tool or network segment as part of their ongoing job duties.
Faced with these logistical challenges, too many computer users choose to become highly unsecure users—just to complete their job-related tasks. Some write down all their system-specific user IDs and passwords because they simply cannot remember them all. Others try to use the same password to access multiple systems, so that they have fewer unique passwords to remember and manage. Worst of all, some users get so frustrated by their work-related security that they forward work-related and/or sensitive documents to an unsecure location such as Gmail or Yahoo! mail so that they can work on them using computers and systems not subject to an organization's security measures.
In short, when computer security is pitted against the actual everyday business objectives of an organization's employees and staff, robust computer security can be compromised by the very people whom security is supposed to protect—and compromised even before an organization is the target of any actual hacking or phishing schemes. Shouldn't there be a better way?
Improving the Computer Security Customer Relationships
Computer security is premised on the idea that both intruders and employees should be prevented from accessing areas and information for which they are not authorized. By its nature, this policing requires a somewhat militant and antagonistic outlook, and this can create deep mistrust between security professionals and the users who are being protected by the security measures. In this context, users also push back against what they view as arbitrary or overreaching security measures.
Security measures are challenged (and compromised) by users most often when they are difficult to implement (e.g., 20+ passwords) and when the users disagree with the need for these protections. Thus, computer security would benefit from addressing two separate concerns: (1) managing the technical and logistical burdens of necessary computer security; and (2) educating users so that they understand and accept the reasons that security measures are needed.
A. Managing Security Technology
One of the biggest user complaints is the need to use different credentials to log into different systems at work. Two current technologies are being used to help manage that burden. For example, some organizations have concluded that a two-factor authentication system, which combines a password with some unique physical object like an ID card or an RSA token, is sufficiently secure that it can be used to authorize access to multiple systems and tools. Users may have to log in more than once, but always with the same credentials. Other organizations have permitted users to organize their different passwords using password management tools like LastPass (https://www.lastpass.com) that store a user's many different passwords on a securely encrypted server and let a user access and deploy them through use of a single master password. These services rely on the security and integrity of the master password repository, though, which is itself a constant target for hackers.
A third approach, passphrases, creatively extends existing security practices. In general, the longer the password, the more combinations are possible and the more difficult it is to guess. However, many user passwords aren't random—they are instead based on actual words or significant dates, making them easier to remember (but also easier to guess). Pure gibberish passwords like 5HM%#Z9v are much harder to guess—but they are also quite hard for most people to memorize, especially if they must be changed every 30-60 days. Passphrases combine elements of both approaches, asking users to create a random phrase like "Amydrives7purplegoatsvividly?" that is both memorable yet nonsensical—and that will then be used to authenticate users as they access different systems and tools at work. Not all systems presently support passwords that can be extended to passphrase lengths, but this is a promising, user-friendly approach, even when passphrase rules are set to require the inclusion of upper and lower case characters, numbers, and one or more special characters.
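The following script is an added illustration of the two points made above (the composition rules described under password policy, and the claim that length, not symbol mixing, is what enlarges the search space); it is not code from the article or its author. It checks a candidate against a composition rule of the kind described, shows that such a rule still accepts "Qwerty123!", and compares the brute-force search space of the eight-character gibberish password with the passphrase. The minimum length of 8, the 94-character printable alphabet, the short list of common base words, and the 20,000-word dictionary used for the passphrase estimate are all assumptions chosen for this example.

```python
import math
import string

# Composition rule as described in the article: upper and lower case letters,
# at least one digit, at least one special character. The special-character
# set and the minimum length are assumptions for this example.
SPECIALS = set(string.punctuation)
MIN_LENGTH = 8  # assumed; the article states no minimum length

# Constructed list of "obvious" base words that composition rules alone do not
# catch. A real deployment would use a large breached-password list instead.
COMMON_BASES = {"password", "qwerty", "letmein", "welcome"}

PRINTABLE_ALPHABET = 94  # printable ASCII characters, excluding space (assumed)


def meets_composition_rules(pw: str, min_length: int = MIN_LENGTH) -> bool:
    """True if pw is long enough and contains upper, lower, digit and special characters."""
    return (
        len(pw) >= min_length
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SPECIALS for c in pw)
    )


def has_common_base(pw: str) -> bool:
    """Strip digits, specials and case, then look the remainder up in the
    known-bad list. This catches 'Qwerty123!' even though it passes the rules."""
    base = "".join(c for c in pw.lower() if c.isalpha())
    return base in COMMON_BASES


def keyspace(length: int, alphabet: int = PRINTABLE_ALPHABET) -> int:
    """Number of candidate strings an exhaustive attacker must consider."""
    return alphabet ** length


def brute_force_bits(pw: str, alphabet: int = PRINTABLE_ALPHABET) -> float:
    """Upper-bound entropy, assuming every character is independently random."""
    return len(pw) * math.log2(alphabet)


def dictionary_bits(n_words: int, dict_size: int) -> float:
    """More honest estimate for a phrase built from n_words random dictionary
    words: an attacker who knows the construction guesses words, not characters."""
    return n_words * math.log2(dict_size)


def evaluate(pw: str) -> dict:
    """Summarise rule compliance, guessability and brute-force cost for one candidate."""
    return {
        "passes_rules": meets_composition_rules(pw),
        "common_base": has_common_base(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in ("Qwerty123!", "5HM%#Z9v", "Amydrives7purplegoatsvividly?"):
        print(candidate, evaluate(candidate))
    # Five words drawn from an assumed 20,000-word list, ignoring the digit and '?'
    print("passphrase (dictionary model):", round(dictionary_bits(5, 20000), 1), "bits")
```

Two things stand out when it runs: "Qwerty123!" satisfies every composition rule yet reduces to a known base word, which is why generated passwords or a breached-password check are needed on top of the rules; and even under the pessimistic dictionary model, five random words give more bits than the eight random printable characters, while being far easier to remember.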
B. Educating the User Community
Many computer users don't fully understand why computer security is so necessary. While most users understand the problem of computer viruses and automatically take steps to reduce that particular threat, far fewer understand the number of intrusion attempts that are routinely made against organizations. In 2003—ancient history by Internet standards—a frequently cited study estimated that as many as 25 billion intrusion attempts per day were being made across the Internet.2 In 2013, it was reported that the Pentagon estimated it was deflecting 10 million intrusion attempts per day, and some have criticized this article for understating its numbers.3 These are powerful demonstrations of the need for robust computer security.
Large corporations, the NSA, and the Pentagon are not the only attractive targets for hackers. Law firms are also extremely attractive targets, as they often store sensitive client documents relevant in legal disputes or are supporting clients in business deals that have not yet been disclosed to the general public.4 Information about the need for strong computer security is readily available, even if not necessarily widely read, and it would greatly benefit in-house computer security teams if more of their users understood the true number of threats being deflected by their organizations' security measures.
Computer security is a frustrating necessity for modern organizations. We need it, even if we don't necessarily like it. However, security should not prevent the employees of an organization from doing their jobs, nor should computer security become the primary focus of every single organization, prioritized over its "real" purpose. In return, end users shouldn't try to affirmatively subvert reasonable computer security measures, simply for the sake of their personal convenience. In the end, organizations include both end users and security professionals; we really are on the same team.
1. Conrad Jacoby is an attorney and consultant who provides technology and e-discovery counseling to a diverse range of clients. He also manages over 30 unique user ID/password combinations for his work and personal life. This article represents the personal opinions of Mr. Jacoby and does not constitute an official position held by any of Mr. Jacoby's clients or employers. Copyright 2016 Conrad Jacoby. All rights reserved.
2. Yegneswaran, Barford, and Ullrich, "Internet Intrusions: Global Characteristics and Prevalence," available at https://www.cs.usask.ca/ftp/pub/discus/seminars2003-2004/internetIntrusions.pdf.
3. Nextgov, "How Many Cyberattacks Hit the United States Last Year?" available at http://www.nextgov.com/security/2013/03/how-many-cyberattacks-hit-united-states-last-year/61775.
4. Matthew Goldstein, "Law Firms Are Pressed on Security for Data," New York Times, 3/26/2014, available at http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases.