A very spirited virtual roundtable with a top-flight panel (run under the Chatham House Rule) explored the ways in which the cyber security landscape has changed. With people working remotely where possible and conducting more and more activity online, the security perimeter has expanded significantly over the past year. From the attic to the kitchen table, many of us are working in environments where security measures are being tested and stretched.
Passwords still play a crucial role for many on the front lines of security. Yet they are treated in a laissez-faire manner by many of us.
It was not all hardcore security talk, however, as the need to create customer experiences that are as frictionless as possible played an important role in the discussion. Good design can help ameliorate some of the ‘security’ challenges, as considered, human-centred experiences can work together with the need for security to meet the needs of a diverse range of people.
Complex passwords simply do not work for many, and a modern security industry has a lot to learn from both behavioural science and design. Otherwise, people simply find ways to bypass security-related friction – think passwords written in the notes section of your phone, or those post-it notes with the password jotted down near your computer. (Guilty as charged, and I have now deleted those from my phone.)
The roundtable provided an update on modern views of security. This is a continual challenge, and we learn to live with controls all around us. Things like multi-factor authentication, a password manager, context-aware measures (which are largely invisible to the user) and ensuring that people manage passwords effectively go a long way towards dissuading bad actors. Simple security measures can also prevent engineering and technical teams from leaking credentials in public repositories, which criminals scan continuously. If you let them in through the back door, big challenges lie ahead. This is particularly crucial for start-ups, who need to build trust with end-users.
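As an added example (not from the roundtable, and not any vendor's tool), here is a small pre-commit style check of the kind that advice implies: scan the lines about to be committed for credential-shaped strings before they reach a public repository. The patterns, the placeholder allowlist and the sample diff lines are constructed for the demo; the AWS access key format is public, and AKIAIOSFODNN7EXAMPLE is the example key AWS uses in its own documentation. A real pipeline would use a maintained scanner (gitleaks, trufflehog, detect-secrets) with far more patterns, but the structure is the same.

```python
import re
import sys
from typing import Iterable

# Illustrative credential shapes (constructed list, not exhaustive).
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header, in any of the common variants.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" assignments where the name looks like a secret and the value
    # is at least 8 characters long. No leading \b so DB_PASSWORD still matches.
    "secret_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Values that are obviously placeholders; skip them to cut false positives (constructed).
PLACEHOLDERS = ("changeme", "redacted", "<placeholder>")


def redact(secret: str, keep: int = 4) -> str:
    """Never echo a matched secret in full into CI logs; show only a short prefix."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_lines(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, pattern_name, redacted_match) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if any(p in match.group(0).lower() for p in PLACEHOLDERS):
                continue
            findings.append((lineno, name, redact(match.group(0))))
    return findings


# Constructed sample of lines a developer might be about to commit.
SAMPLE_DIFF = """\
DB_HOST = "localhost"
DB_PASSWORD = "changeme"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "sk_live_abcdef0123456789"
-----BEGIN RSA PRIVATE KEY-----
""".splitlines()


if __name__ == "__main__":
    # Pre-commit usage: pipe `git diff --cached` in; a non-zero exit blocks the commit.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_lines(source)
    for lineno, name, shown in hits:
        print(f"line {lineno}: possible {name}: {shown}")
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook with `git diff --cached | python scan_secrets.py`, the check refuses the commit when any pattern matches, and the redaction keeps the matched value out of CI logs, which are themselves a common place for credentials to leak.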
Interestingly, the modern view on managing passwords does not dictate what we are perhaps used to: being forced to change passwords on a scheduled basis, and using the ubiquitous capital letter, special character and number, is not the best way to go. Instead, phrases from favourite songs and random words (think Monkey, House, Road) are far more effective. Again, I have already changed my approach accordingly.
Reflecting on the rules in the GDPR, not using effective policies and processes to manage things like passwords can lead to both significant fines and reputational damage. Password managers remove the need for the average individual to remember an extraordinary 100 passwords. It is no wonder that approximately 73% of passwords are duplicates. A password manager clearly helps address that challenge.
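The two paragraphs above make two claims that are easy to check in code: that random-word passphrases are a better bet than the ‘capital letter, character and number’ rule, and that reused passwords are the real problem. The following is an added example, not material from the roundtable. It generates a passphrase with a cryptographically secure random choice, compares the entropy of the two strategies (the 7776-word figure is the size of the EFF long wordlist; the 16-word list in the code is a constructed stand-in), and implements the k-anonymity lookup used by Have I Been Pwned’s Pwned Passwords range API, where only the first five hex characters of the SHA-1 leave the machine. The breach table and counts used by `fake_fetch_range` are constructed; `live_fetch_range` shows the real endpoint but is not exercised here.

```python
import hashlib
import math
import secrets
import urllib.request
from typing import Callable

# Constructed mini wordlist for the demo; use a large published list in practice.
WORDLIST = [
    "monkey", "house", "road", "apple", "river", "candle", "forest", "pencil",
    "garden", "window", "silver", "rocket", "button", "planet", "copper", "meadow",
]
EFF_LONG_LIST_SIZE = 7776   # words in the EFF long wordlist
PRINTABLE_ASCII = 95        # pool size for a "complex" password of printable ASCII


def generate_passphrase(n_words: int = 5, wordlist: list[str] = WORDLIST, sep: str = "-") -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets), never random.choice."""
    if n_words < 1 or not wordlist:
        raise ValueError("need at least one word and a non-empty wordlist")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def compare_strategies() -> dict[str, float]:
    """Entropy of the classic 8-character complex rule versus random-word passphrases."""
    return {
        "complex_8_chars": entropy_bits(PRINTABLE_ASCII, 8),        # ~52.6 bits
        "4_random_words_eff": entropy_bits(EFF_LONG_LIST_SIZE, 4),  # ~51.7 bits
        "5_random_words_eff": entropy_bits(EFF_LONG_LIST_SIZE, 5),  # ~64.6 bits
        "6_random_words_eff": entropy_bits(EFF_LONG_LIST_SIZE, 6),  # ~77.5 bits
    }


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send only the 5-char SHA-1 prefix, match the suffix locally.

    fetch_range(prefix) must return the range response: one 'SUFFIX:COUNT' per line.
    Returns how many times the password appeared in known breaches (0 = not found).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the range endpoint: a tiny local breach table with made-up counts.
_CONSTRUCTED_BREACH_TABLE = {"password": 3730471, "123456": 23547453, "qwerty": 3912816}


def fake_fetch_range(prefix: str) -> str:
    """Emit 'SUFFIX:COUNT' lines for every table entry whose SHA-1 starts with prefix."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACH_TABLE.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the public API (network access required; not run in the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "passphrase-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for name, bits in compare_strategies().items():
        print(f"{name:>20}: {bits:5.1f} bits")
    print("new passphrase:", generate_passphrase(5))
    print("'password' seen in breaches:", pwned_count("password", fake_fetch_range))
```

Two things worth noting from the numbers: four random words from a large list are roughly equivalent to eight random printable characters, but far easier to remember, and each extra word adds about 13 bits; and the breach check never transmits the password or its full hash, which is why a password manager can safely run it against every stored credential to flag the duplicates and already-leaked passwords the 73% figure refers to.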
Encryption, encryption, encryption, two-factor authentication and using a password manager are the straightforward takeaways from the discussion. Making your ‘garden wall’ that much higher than someone else’s can discourage many would-be criminals, as they will move on to an easier target.
A potential passwordless future was also touched on. Biometrics will play a role but will not be the solution for everyone; not everyone will have devices that allow for them, for example. Inclusion, ethical considerations and privacy need very careful thinking. We are perhaps not there yet in terms of being passwordless by default. For the time being, reducing password fatigue and making that first line of defence stronger is important.
The roundtable also addressed the cultural divide in some firms between different parts of the business. Bringing key stakeholders together (e.g. marketing, product, sales and security) can go a long way towards addressing the tensions between frictionless, seamless journeys for end-users and security. There is also a need for a modern, business-centred approach to security. There were numerous examples of how to design great experiences for users whilst nudging them towards more security-conscious behaviour. (Another top tip that I have acted upon: change the default password on your WiFi router.)
We also came away with some great virtual swag (see below) and even a film recommendation, all suggested by speakers and participants:
- LastPass Psychology of Passwords report
- Have I been pwned?
- Cyber Aware – 6 ways to improve your online security
- Human Error’s Guide to Keeping Security Simple – Mimecast Security Awareness Training
The film recommendation: The Circle – available on Netflix. Our panel’s view was: ‘Great book, terrible film but interesting premise.’ It touches on the themes of privacy, ethics and security as highlighted by today’s speakers.
Unfortunately I can’t share all of the fascinating observations from the roundtable, so you may want to make sure that you don’t miss the next one: The future of remote working, on 25th March at 9:30am (GMT).