Modernizing Authentication — What It Takes to Transform Secure Access
When was the last time you answered a work-related email from home? More likely than not, your answer is “today.”
The lines between our working lives and our personal lives are blurring. And the blurring isn’t coming from just one end. Many of the same people who tackle emails in bed are likely to sign into Facebook and Twitter during work as well.
There have been countless debates on whether unfettered social media access boosts or hinders employees’ productivity. Thus far, the research favors access. However, even employers who aren’t convinced should acknowledge two certainties.
First of all, discouraging social media use is often ineffective. Last April, Microsoft conducted a global survey of about 9,900 information workers and found that 28 percent of them knew co-workers who had disregarded IT policies and installed social tools on their computers or phones; 16 percent admitted to doing so themselves.
HootSuite's blog also provides anecdotal evidence. Recently the popular social media dashboard tweeted the following question at its 5 million followers: “Are you allowed to use social media at work?” About a quarter of the respondents said no—by using Twitter.
There’s even an entire website devoted to helping people use social media under the radar by making their Facebook or Twitter feeds look like spreadsheets.
Second, the way people use social media and email can seriously compromise the security of the enterprise’s network and information. Last May, IObit, a system utility and security software provider, surveyed 10,000 people around the world and found several surprising trends. Thirty percent of the people surveyed use the “Keep Me Logged In” option on their social media accounts. Forty-five percent of the people surveyed change their passwords only after being prompted, and 15 percent don’t change their passwords at all.
Unfortunately, staying logged in makes it easy for hackers to access your sensitive information and control your account or computer from afar. When a user logs in to, say, a LinkedIn account, that user starts a session. As long as the session is active and the user is communicating with LinkedIn’s server, a hacker can jump in and communicate with the server on the user’s behalf, allowing him to impersonate the user or send the user malware.
Disconcertingly, McAfee’s Threats Report from the most recent quarter claims that there has been a significant jump in general malware—including stealth malware, which is capable of doing a lot of damage before the user detects it.
Whether your workplace is a social networker’s paradise or a place where Facebook use is frowned upon, it’s worth acknowledging the threats brought on by social media and Web-based email use. For the most part, minimizing these threats requires just a few extra precautions.
Use Two-step Verification
The importance of two-factor authentication was highlighted several times in the last few months. On April 23, the Syrian Electronic Army hacked into The Associated Press (AP) Twitter account and tweeted, “Breaking: Two Explosions in the White House and Barack Obama is injured.” The consequences of this tweet were very real: the stock market crashed for about a minute. On May 6, the same group compromised The Onion’s Twitter account.
You don’t have to work for an internationally known publication to be concerned about Twitter hackers. A hacker who gets into a user’s account might not post fake tweets at all—the hacker could just quietly snag the user’s password.
A compromised workplace email account could have even worse consequences. The hacker could use the account to send viruses to other employees, causing excessive network traffic and impacting mission-critical activities. The hacker could also steal competitive information and financial data.
In the aftermath of the AP scandal, Twitter wisely began offering two-factor authentication. (At that point, it was already an option on Facebook, Google, WordPress and many more sites.) The process is simple: once a user enables this feature on the account settings page, Twitter sends her phone a text message with a six-digit code every time she wants to sign in. Following Twitter’s example, LinkedIn added two-factor authentication at the end of May.
Enforcing a policy of two-factor authentication is easier than banning social media use. The key is to educate employees on why it’s important.
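The sign-in step described above (a six-digit code texted to the user, which must be entered before the session is granted), shown as an added server-side example. This is illustrative code, not Twitter’s or LinkedIn’s implementation; the five-minute lifetime, the five-guess limit and the `send_sms` callback are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a delivered code is good for five minutes
MAX_ATTEMPTS = 5         # assumed policy: discard the code after this many wrong guesses


class OneTimeCodeVerifier:
    """Server side of the 'text me a six-digit code' step: issue, deliver, verify."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, message); SMS delivery itself is out of scope
        self._clock = clock         # injectable so expiry can be exercised without waiting
        self._pending = {}          # username -> [code, expires_at, attempts_left]

    def issue(self, username, phone):
        """Generate a fresh code with a CSPRNG and send it; any earlier code is superseded."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # zero-padded, so '004213' is a valid code
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your sign-in code is {code}")

    def verify(self, username, submitted):
        """True exactly once, for the current unexpired code; every other outcome is False."""
        submitted = str(submitted)
        entry = self._pending.get(username)
        if entry is None or not (submitted.isascii() and submitted.isdigit()):
            return False                        # nothing issued, already used, or malformed input
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]         # stale code is discarded, never compared
            return False
        # constant-time comparison so response timing cannot leak how many digits matched
        if hmac.compare_digest(code, submitted):
            del self._pending[username]         # single use: the same code never works twice
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]         # too many guesses: a new code must be issued
        return False
```

The three exits that return False without comparing (expired, already consumed, guess limit reached) are what make a texted code more than a second static password.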
Educate Employees about Phishing
You might be wondering how the Syrian Electronic Army managed to hack into AP and The Onion. In both cases, the group used a process called phishing.
In this process, a hacker sends an email to a user with a forged sender address. The email contains an innocent-looking link. If it’s one of many emails you’ve been reading all day, why would you doubt it? In most cases, the link takes the user to a website that looks legitimate, and the website asks for a username and password. If the user enters it, the hacker suddenly has that user’s information. In other cases, the link could direct the user to malware.
Employees should know that there’s a simple way to recognize phishing. If a message is unexpected and the link seems fishy, a user simply needs to hover over it: the browser’s status bar, at the bottom left of the window, shows where the link actually leads. Employees should also be encouraged to report all fake websites to MarkMonitor, a company used by Facebook. MarkMonitor adds fake websites to blacklists or gets Internet service providers (ISPs) to take them down.
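The hover check above, automated over an HTML mail body as an added example (not code from the article): every anchor whose visible text names one site while its `href` leads somewhere else is reported. The sample mail below is constructed for the example and uses reserved `.example` names and documentation addresses for the fake destinations.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself names a host, e.g. "https://www.linkedin.com/settings" or "linkedin.com"
_TEXT_HOST = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _canonical(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_links(html_body):
    """Return (visible_text, real_href) for anchors whose text names one host
    but whose href actually leads to a different one (the 'hover' check, automated)."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = _TEXT_HOST.match(text)
        actual = urlparse(href).hostname
        if not shown or not actual:
            continue                      # text is not a URL ("Click here"): nothing to compare
        shown_host, actual_host = _canonical(shown.group(1)), _canonical(actual)
        if actual_host != shown_host and not actual_host.endswith("." + shown_host):
            findings.append((text, href))   # subdomains of the shown host are allowed
    return findings

# Constructed sample mail body (not from the article); fake hosts use reserved .example names
SAMPLE_EMAIL = """<p>Your LinkedIn account needs attention.</p>
<a href="http://linkedin.com.account-verify.example/login">https://www.linkedin.com/settings</a>
<a href="https://www.linkedin.com/help">https://www.linkedin.com/help</a>
<a href="https://support.linkedin.com/">linkedin.com</a>
<a href="http://203.0.113.5/update">Click here</a>"""
```

Only the first anchor is reported: its text shows linkedin.com but the real destination is a look-alike host, which is exactly what the hover reveals.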
Promote Good Password Hygiene
This last step is the simplest of them all: Encourage employees to use strong passwords for more than just their bank accounts. Hackers use programs that break passwords by trying many different combinations. If a user’s password includes more than simply lowercase letters—if it includes uppercase letters, numbers and symbols as well—the number of combinations such a program must try grows enormously, and it becomes far less likely that the password will be broken.
Employees should also be reminded to change their passwords periodically. Changing your password does not prevent you from becoming a target, but it does make you a moving target instead of one that’s simply standing around.
IT security can get very technical, but these basic steps are easy to follow. As long as employees employ these practices when using social media, employers can go back to simply worrying about whether people are being productive.
Maya Itah is a writer and editor specializing in technology and public policy.