Security IT

Humans Continue To Be "Weak Link" In Data Security

ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
  • Not a great thing. (Score:3, Informative)

    by FlyingBishop ( 1293238 ) on Monday March 15, 2010 @09:06AM (#31480844)

    None of the IT workers recorded their password on a private document, but three percent did admit to sharing their key with other people.

    You keep your password on a private document in your pocket, you can use a stronger password, and it's a lot harder to lose both your laptop and your password.

    If you do lose one, it's easy to take steps to blacklist the other. You can even use some trivial obfuscation in recording the password so that even if someone gets it, they won't be able to figure out your password.

    Example:


    awfuieri3v
    4u9388535v
    v9tv379vn7
    mc20884v05

    That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it (it doesn't even have to be a complicated one, for example I could just use columns 2, 4, and 6) and there's not really much chance that someone's going to find my password. Of course there are even better examples where it's not even obvious that you're looking at a password matrix.
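The matrix-and-path scheme above, worked through as an added example (editor's code, not the commenter's). It reads the commenter's own 4x10 grid along columns 2, 4 and 6, and also counts how many ordered column selections exist, since once the paper is in an attacker's hands the path is the only secret left. The column-by-column reading order, the `generate_matrix` helper and the 36-symbol alphabet are assumptions for the demo.

```python
"""Password-matrix scheme: the paper holds a grid of random characters and
the real secret is the path read through it.  Editor's added example; the
reading order (columns top to bottom, in the order given) is an assumption."""
import math
import secrets
import string

# The commenter's own 4x10 matrix, reused here as sample input.
PAGE_MATRIX = [
    "awfuieri3v",
    "4u9388535v",
    "v9tv379vn7",
    "mc20884v05",
]

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols (assumed)


def generate_matrix(rows: int, cols: int) -> list[str]:
    """Build a fresh matrix with a CSPRNG (secrets), never random.random."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(cols))
            for _ in range(rows)]


def derive_password(matrix: list[str], columns: list[int]) -> str:
    """Read the chosen columns (1-indexed, as in the comment) top to bottom,
    in the order given, and concatenate them."""
    width = len(matrix[0])
    for c in columns:
        if not 1 <= c <= width:
            raise ValueError(f"column {c} out of range 1..{width}")
    return "".join(row[c - 1] for c in columns for row in matrix)


def count_column_paths(cols: int) -> int:
    """Number of ordered, non-repeating column selections of any length.
    With the paper in hand this is the attacker's whole search space for
    'simple' column paths."""
    return sum(math.perm(cols, k) for k in range(1, cols + 1))


def bits(n: int) -> float:
    """Search-space size expressed in bits."""
    return math.log2(n)


if __name__ == "__main__":
    pw = derive_password(PAGE_MATRIX, [2, 4, 6])
    print(pw)  # wu9cu3v0e878
    paths = count_column_paths(10)
    print(f"{paths} column paths, about {bits(paths):.1f} bits, with the paper")
    print(f"about {bits(len(ALPHABET) ** len(pw)):.1f} bits without it")
    print(generate_matrix(4, 10))
```

The numbers are the practitioner's caveat: a 12-character password drawn from 36 symbols is about 62 bits against a blind guesser, but if the paper is found together with a stolen password hash, enumerating every ordered column selection of a 10-column grid is under 10 million guesses (about 23 bits), which is seconds of work offline. The obfuscation defends against a glance at the note, not against someone who keeps it.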

  • by Elky Elk ( 1179921 ) on Monday March 15, 2010 @09:06AM (#31480852)

    In the summary it states 9/10 know of a laptop in their organisation being lost. The organisations in question could have thousands or tens of thousands of laptops.

  • by bkr1_2k ( 237627 ) on Monday March 15, 2010 @09:15AM (#31480938)

    It doesn't say 9 out of 10 lost or stolen. It says 9 out of 10 people reported that a piece of equipment has been lost or stolen within their organization. There's a big difference between those two statements.

    Of course the issue still remains, people are always going to be the weakest security link. This should come as no surprise to anyone. It has always been that way, and always will be.

  • Re:Security Failings (Score:3, Informative)

    by buruonbrails ( 1247370 ) on Monday March 15, 2010 @09:19AM (#31480974) Homepage
    It's because people tend to think of their passwords as words, not phrases. It's much easier to remember a simple pass phrase (e.g. "Quick_brown_fox"), than a shorter, but completely senseless random symbol combination (e.g. "gsf12mU&*").
  • by Kaldesh ( 1363017 ) on Monday March 15, 2010 @09:58AM (#31481386)
    Actually we've run into that. But that's a violation of HIPPA (Health Information Privacy and Portability Act), and if you find your users doing something like that in a medical environment? It can mean very serious action is taken. We actually had one person refuse to 'not' use post-its, and they were let go from the organization. And I mean honestly, in the grand scheme of things, you're adding one password to your daily computing life that will ultimately save someone's butt if their PC gets stolen. Where I work, most of the doctors are grateful for that extra layer of security. They know that if patient data was leaked on their watch? It would likely mean their jobs, a black mark on their names in the public, and a lot worse for the organization they work for. I'm sure it's similar in other fields.
  • Well..... Maybe (Score:3, Informative)

    by Sycraft-fu ( 314770 ) on Monday March 15, 2010 @10:12AM (#31481510)

    If you know nothing about the password at all, yes it can be more secure. However, if you know it is a passphrase, then you can work on it as such. Rather than brute forcing using character combinations, you use word combinations. Maybe your program also has grammar rules in it so it can make more intelligent choices in words. Of course against that you can start doing letter substitution but then you start having complexity problems again and so on. Also there's the problem of someone finding out your password: if it is very complex, even if they see it they may not be able to remember it, but a phrase may be no problem. Etc.

    What it comes down to is there's only so secure a password can be. How secure largely depends on the individual. Some people can handle long, complex, passwords. Others need things real simple.

    Hence why, as I noted in another post, if the data you are securing is really so important, get two factor security. You can't force humans to be good with passwords so don't try. Use passwords as a part of a better security solution.
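The word-level attack the comment above describes, as an added example (editor's code, not the commenter's) that also covers the "Quick_brown_fox" passphrase from the earlier comment. It guesses word combinations with separators and per-word case variants against a stolen hash, and compares the number of candidates to character-level brute force over the same length. The eight-word list, the separator set, the unsalted SHA-256 stand-in for the stored hash and the target phrase are all constructed for the demo.

```python
"""Word-level guessing against a passphrase versus character-level brute
force.  Editor's added example: wordlist, separators, hash function and
target are constructed for the demo, not taken from the page."""
import hashlib
import itertools
import string

# Constructed tiny wordlist; a real cracker uses tens of thousands of words.
WORDLIST = ["quick", "brown", "fox", "lazy", "dog", "jumps", "over", "the"]
SEPARATORS = ["", "_", "-", " "]
CHARSET = string.ascii_letters + string.digits + "_-"   # 64 symbols


def sha256_hex(s: str) -> str:
    """Stand-in for the stored password hash (a real system should use a
    salted, slow KDF, which multiplies the cost of every guess below)."""
    return hashlib.sha256(s.encode()).hexdigest()


def case_variants(word: str) -> list[str]:
    """Cheap per-word mangling rules, in a fixed order so counts are exact."""
    return [word, word.capitalize(), word.upper()]


def passphrase_candidates(max_words: int):
    """Yield word combinations with separators and case variants, shortest first."""
    for n in range(1, max_words + 1):
        for words in itertools.product(WORDLIST, repeat=n):
            for sep in SEPARATORS:
                for cased in itertools.product(*(case_variants(w) for w in words)):
                    yield sep.join(cased)


def crack_passphrase(target_hash: str, max_words: int = 3):
    """Return (recovered_phrase, guesses) or (None, guesses_made)."""
    guesses = 0
    for cand in passphrase_candidates(max_words):
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


def word_space(max_words: int) -> int:
    """Exact size of the candidate set passphrase_candidates enumerates."""
    return sum((len(WORDLIST) ** n) * len(SEPARATORS) * (3 ** n)
               for n in range(1, max_words + 1))


def brute_force_space(length: int, charset_size: int = len(CHARSET)) -> int:
    """Candidates a character-level brute force must cover for this length."""
    return charset_size ** length


if __name__ == "__main__":
    stolen = sha256_hex("Quick_brown_fox")        # constructed "leaked" hash
    phrase, guesses = crack_passphrase(stolen)
    print(phrase, "recovered after", guesses, "guesses")
    print("word-level candidates:", word_space(3))
    print("character-level candidates for 15 chars:", brute_force_space(15))
```

With the words known the search is tens of thousands of guesses; treating the same 15 characters as arbitrary symbols is 64^15, about 2^90. Letter substitution and a bigger, less guessable wordlist push the first number up, which is exactly the "complexity problems" trade-off the comment describes.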

  • by Anonymous Coward on Monday March 15, 2010 @11:49AM (#31482736)

    Plus, the junkie is selling it to someone, and people who want to look for data might be willing to pay a significant premium over people who just want a cheap laptop. Junkies aren't completely stupid - they'll sell the machine to whomever is willing to pay the most.

    I occasionally recycle old machines and give them to people. The local dump frequently yields good "parts" machines or often fully-working machines that are just too slow (frequently high-powered machines that are only slow because the former owners didn't run Antivirus and allowed malware crud to build).

    One very memorable find was a couple of HP Pavilion desktops, in perfect condition except the former owner cut every single wire inside the case. He didn't actually damage anything, just took snips and cut each of the power supply lines, the IDE cables, and the control lines to the motherboard. I replaced the power supplies and the IDE cables with spare parts, soldered the control lines, CPU cooling fan wires, etc back together, and booted the machines with no problems at all. Half hour each, tops.

    One of them contained a copy of QuickBooks Pro with the entire financial history of a local company, including all the W2 information of all of their employees for at least a decade, their bank and credit card account numbers stored in IE (with cached passwords), and all sorts of goodies. The owner of the company also had a really bad porn habit, and downloaded a lot of movies and music. Were I a black hat, I could have completely owned his business. Given the questionable age of some of the subjects of the porn, he might even have been facing something far more serious.

    Normally, I would have preferred to just wipe the machines and start over, but Pavilions used a recovery CD at the time, and even though I had a serial number on the case, I could not get Windows to install fresh. I had to "clean up" the existing version before giving the machines away. Those two machines took a while - they hadn't had Antivirus in years, and I didn't dare connect them to my Internet connection to download cleanup tools (I didn't even dare put a USB stick into the things, they were so badly infected).

    Lately I've been just wiping them from an Ubuntu CD and offering them with Ubuntu preinstalled. It's just easier, and I don't have to look at the stupidity any more.
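The step the comment above ends on, wiping rather than snipping wires, as an added example (editor's code, not the commenter's). It overwrites a file's allocated bytes in place, syncs each pass to disk and only then unlinks it; the sample "financial" content and the three-pass schedule are constructed for the demo.

```python
"""Overwrite-then-delete for a single file, with the caveats that matter
when a machine leaves your hands.  Editor's added example; the sample file
contents and pass count are constructed for the demo."""
import os
import secrets
import tempfile

PASSES = 3  # random, random, then zeros (assumed schedule)


def wipe_file(path: str, passes: int = PASSES) -> int:
    """Overwrite the file's bytes `passes` times, fsync each pass, unlink.
    Returns the number of bytes written in total.

    Caveat: this reaches only the blocks the filesystem currently maps to
    this file.  Journals, copy-on-write snapshots, SSD wear-levelling and
    earlier copies are not covered; for a drive being given away, wipe the
    whole device (or use full-disk encryption from day one and destroy the
    key), which is what booting a live CD for the job achieves."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for i in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 16)
                data = secrets.token_bytes(chunk) if i < passes - 1 else b"\0" * chunk
                f.write(data)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())   # make sure the pass hit the disk, not a cache
    os.unlink(path)
    return size * passes


def demo() -> tuple[bool, int]:
    """Create a file with constructed 'sensitive' content, wipe it, and
    report (file_is_gone, bytes_overwritten)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"ACCT=12345678;PASSWORD=hunter2\n" * 1000)   # 31,000 bytes
    written = wipe_file(path)
    return (not os.path.exists(path), written)


if __name__ == "__main__":
    gone, written = demo()
    print("file removed:", gone, "bytes overwritten:", written)
```

For a whole drive the same idea is applied to the block device rather than a file, and on modern hardware the reliable answer is encryption plus key destruction rather than counting overwrite passes.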
