
IT Managers 'Pass' on Managing their Security Confidently

Passwords are the most basic element of any IT security system, yet recent research findings show that many organisations are still tripping up at this first security hurdle.

According to new research into "password management" conducted by Cyber-Ark Software, specialists in 'Digital Vaulting', approximately half of IT managers employed in the largest organisations are not very confident that administrative passwords are stored securely.

The research also found that not much has changed when it comes to securely storing user passwords, with IT managers estimating that 19% of their colleagues still keep their passwords on post-it notes.

The research was carried out at Infosecurity Europe 2005 - Europe's largest IT security event, to find out how securely companies are storing and managing their administrative and user passwords.

It was conducted amongst 175 IT professionals with a quarter coming from organisations employing over 5,000 people.

Less than a third (32%) were storing passwords digitally. The remainder continued to use labour-intensive, manual processes, including paper copies stored everywhere from locked cabinets to physical safes, which hinders efforts to reset passwords regularly and on demand.

Considering that administrative passwords are the "keys to the kingdom", giving access to the most confidential information on the network, and that their misuse is often seen as one of the major risk factors leading to internal fraud, it is alarming to note that:

  • nearly 10% of companies never change their mission critical administrative passwords and
  • 5% don't even change the manufacturer's default password on their systems.

Other findings revealed:
  • 14% still keep administrative passwords in an Excel file, which is known to be insecure.
  • 25% of IT staff can access administrative passwords without permission.
  • 15% of large organisations never have their security practices audited.
  • 62% of companies have now seen an increase in auditing of their security practices due to recent legislation.
  • 14% have no password change management policy, which means they have no way of controlling who has access to systems.

One IT security director who was interviewed for the survey admitted to keeping all the administrative passwords in his mobile phone, explaining that he thought this was "a very safe place".

His IT security colleague, standing within earshot, commented: "Wait till I tell the guys back in the office, you'll never live this one down."

Tom Crawford, president and CEO of Cyber-Ark, said:
"It would appear from this research that password management is still a major bugbear for many organizations, with two thirds who are still relying on the old-fashioned method of physically managing and storing passwords.

Because this process can be so time-consuming and laborious, IT staff often circumvent the security processes, which can then open them up to potential security breaches.

However, companies can now simplify the management of administrative passwords by using a digital vault which can securely automate administrative passwords in a cost-effective and efficient way."


According to Keith Reeve, Manager Certification Authority & Access Control at direct debit processor Voca:
"Using a 'digital vault' for password management has resulted in the replacement of the physical safes previously used to store over 800 administrative passwords and the redeployment of staff dedicated to administering passwords.

It has automated a potentially insecure and immensely time-consuming process of storing and managing administrative passwords."


When choosing a system to provide a digital vault for your passwords, one should look for features such as:
  • Centralised granting and revoking of access to administrative users
  • Centralised, frequent and automatic changing of passwords for all administrative users on a regular basis or upon access
  • Making your administrative users available organisation-wide to on-call administrators and support staff
  • Tracking the use of each and every administrative user
  • Ensuring long-term availability of all administrative users and their passwords so that every device and product can be reconfigured, even years after installation
  • A remote copy of all passwords of administrative users for disaster recovery purposes.
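As an added illustration (not Cyber-Ark's code and not part of the original article), the following toy Python vault models the checklist above: centralised grants and revocations per administrative account, an audit record of every access attempt, rotation of the password on each checkout, and an export for a disaster-recovery copy. All class, account and user names are hypothetical.

```python
import secrets
import string
from datetime import datetime, timezone


class AdminPasswordVault:
    """Hypothetical in-memory model of a privileged-password vault."""

    def __init__(self):
        self._secrets = {}   # account -> current administrative password
        self._grants = {}    # account -> set of users allowed to check it out
        self.audit = []      # (timestamp, user, account, action) for every attempt

    @staticmethod
    def _generate(length=24):
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def add_account(self, account):
        # The vault, not a person, sets the initial password, so nobody ever sees a default.
        self._secrets[account] = self._generate()
        self._grants[account] = set()

    def grant(self, account, user):
        self._grants[account].add(user)

    def revoke(self, account, user):
        self._grants[account].discard(user)

    def _log(self, user, account, action):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, account, action))

    def checkout(self, user, account):
        """Hand the password to an authorised user, record the use, then rotate it."""
        if user not in self._grants.get(account, set()):
            self._log(user, account, "denied")
            raise PermissionError(f"{user} is not permitted to access {account}")
        password = self._secrets[account]
        self._log(user, account, "checkout")
        self._secrets[account] = self._generate()   # rotate upon access: the copy is single-use
        return password

    def rotate_all(self):
        """Scheduled rotation of every administrative password (centralised, automatic)."""
        for account in self._secrets:
            self._secrets[account] = self._generate()
            self._log("scheduler", account, "rotated")

    def export_for_dr(self):
        """Snapshot for an off-site copy; a real vault would encrypt this before export."""
        return dict(self._secrets)
```
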
