In the classic comedy “Groundhog Day,” weatherman Phil Connors, played by Bill Murray, must repeat the same day of his life over and over again until he finally changes his ways. It feels uncomfortably close to home to watch Murray’s character repeat the same routine, and make the same mistakes, until he finally takes a hard look at his habits and makes real, lasting change.
The trope of reliving the same day has been a popular one in Hollywood, from “Groundhog Day” to Tom Cruise’s “The Edge of Tomorrow” to “Russian Doll.” The point is that we’re trapped by our habits and the growth required to break out of them is fraught with complexity.
Security experts know this struggle firsthand. Hundreds of high-profile cyberattacks occur every year – and will continue to occur – because consumers and enterprises face the considerable challenge of adjusting habits and processes across the dozens of cloud software applications we use every day.
The 2019 Verizon Data Breach Investigations Report (VDBIR) highlights various bad security habits that, apparently, we can’t quit. These include:
- Clicking on suspicious links: 32% of all breaches and 78% of cyber-espionage attacks were caused by phishing, with 90% of malware transmitted via email.
- Reusing passwords: We continue to use the same password across multiple sites. This leads to the growing practice of credential stuffing, in which attackers can easily find or buy password and username combinations, then take over accounts by using automated programs on selected sites until they work. The 2019 VDBIR found that 29% of all breaches involved stolen credentials.
- One prominent example is the infamous Dropbox data breach of 2016, when upwards of 68 million user credentials were stolen – all because an employee reused a password at work.
- Creating short, simple passwords with no special characters: Weak and easily compromised credentials accounted for 80% of hacking-related breaches. Among the password catastrophes that continue to thrive today are “password,” “123456” and “iloveyou.”
The shadow (IT) lurks
Habits are also at the heart of shadow IT, the practice whereby workers use apps, tools and other software not sanctioned by the enterprise. A whopping 63% of survey respondents admitted to creating accounts without the knowledge of their employers’ in-house IT organizations, and fewer than 3% used a unique password when doing it. This is why many have mixed feelings about this issue because while your IT department may not handle the infrastructure or management of third-party services, it still holds the burden of ensuring security and compliance for the data that’s transmitted through them.
This doesn’t mean that Shadow IT is bad — after all, people are going to use whatever software they want, especially if they think it will make them better at their jobs. And getting access approved by IT throws a wrench in our goal to move at the speed of business and stay ahead of the market. But since attacks on enterprises from untrusted sources can expose personal information for millions of people, the best practice for IT departments to find a way to educate the enterprise and change the password habits that are the root of the problem.
Better tools make for better behaviors
Faced with seemingly endless hair-pulling turmoil in Groundhog Day, Phil Connors looked inward to change how he treated people and ultimately break the cycle. Likewise, there are a few things we can do to change bad password behavior. Crises can do the trick — the threat of COVID-19 is reshaping public life at the moment. But a far less stressful strategy is to provide solutions that save time, cost and hassle – and even offer an element of delight. For example, few, if any, of us still use a physical map in the era of traffic-optimized smartphone navigation. In that vein, IT departments should embrace technologies that focus on incredible user experiences, not just on complying with enterprise requirements. Here, it helps to look at technologies that are already popular with consumers and have achieved rapid uptake.
Consider that biometrics, enterprise password managers (EPM), multi-factor authentication (MFA) and single sign-on (SSO) have all become common parts of life for consumers, integrated into products from Google to Apple that we use every day. They’ve changed our habits because they’re easy, making adopting new behaviors both the secure and even lazy thing to do.
CISOs and IT departments already face numerous uphill battles to roll out new security protocols amid the ever-changing threat landscape. Reviewing and selecting a solution; securing budget; making sure the solution is customized, integrated and deployed; and then making sure employees actually use the technology is all a gigantic headache. Rolling out enterprise-grade consumer-friendly technologies helps to eliminate that last obstacle and may fix a few more issues too (like winning more budget).
Making it easy to be our best
A new wave of technologies is making it far easier for us to change habits and be our best – from fitness trackers that motivate us to get off the couch to apps that tell us how much time we spend on our phone. Harnessing these apps is vital to convert employees from sources of risk to security superheroes and break out of the Groundhog Day repetition of easily avoided breaches.
Matt Davey, Chief Operating Officer, 1Password