World Password Day: Interview with Thomas Malchar on IT Security 2019
Mr Malchar, at the beginning of the year, another data theft shook us once again, albeit on a gigantic scale: 773 million e-mail addresses and 21 million passwords were hacked under the title Collection#1. How do you assess the causes of this current threat situation?
What is clear is that the number and complexity of cybercrime and hacker attacks have increased significantly in recent years. The dangers are as varied as they are numerous. They range from potential security gaps through cloud computing and the concept of the mobile workforce to social engineering and the classic of weak passwords.
Companies as well as private individuals still offer too many weak points, which often make it almost frighteningly easy for attackers to gain access to sensitive data. Especially with Collection#1, so many passwords could be uncovered in plain text because many users still use the same combinations of email addresses and passwords for multiple services.
According to the BSI, the threat situation for digital data has also reached a new high [1]. What role does user behaviour play in this?
The safety requirements for the user are no longer the same: The number of websites, apps and thus accesses and accounts per user continues to grow. Managing these securely is almost a mammoth task for the individual.
As the demands on a strong password increase, users remember only one to three passwords and use them for multiple applications. Or they use Excel lists, Post-its and the like instead of a password manager. This can have various reasons, such as ignorance, but unfortunately also laziness or a lack of alternatives. By the way: the most popular password of 2018 was “123456”.
Which mistakes are made by companies when dealing with IT security?
In the digital age, companies want to make data access as easy as possible for their employees and business partners. Therefore, security gaps are often more readily accepted than dealing with complex software or employee complaints. Often the mistake is made of combining different services instead of adopting a holistic security concept, which unnecessarily complicates the security situation.
Furthermore, employees are not sufficiently trained in the new system landscape, or not even integrated into it. The result of this behaviour can be measured in figures: the estimated costs incurred by companies in 2018 as a result of cybercrime incidents have risen from 20 to over 27 million US dollars in the USA alone compared with the previous year [2].
What would you advise companies to do?
The solution is to provide a central platform for authentication that flexibly manages all accounts and accesses and can combine different methods. Moreover, the best tool is of little use to companies if it is not used uniformly. Because effective password management means making a system available to all employees across departments in which security and user-friendliness go hand in hand.
For more than 20 years, Password Safe has functioned as a point of trust for our customers, where all processes converge securely and in a controlled manner. In order to really get every employee on board and securely integrate them into Password Safe’s IT infrastructure, we have also been offering the LightClient for every end user since version 8.7.
The human security gap: To what extent do your own employees pose a risk to companies?
The human being is still the biggest safety factor in companies. If one thinks of data theft, the image of a hacker usually appears before the inner eye. In fact, the greatest danger of data theft lurks in a company's own ranks, among its employees. Employees who receive money to pass on company data, or who deliberately want to harm the company because they have been dismissed, for example, represent a considerable company risk. That is why Password Safe protects privileged accesses, for example, using the multi-eye principle and logs all processes.
Let’s talk about the future of passwords on World Password Day. How will classic password management develop?
Only the user name and password as login protection are no longer sufficient to protect user accounts from unauthorized access. The next level of identification at Password Safe will therefore be passwordless authentication with services such as SAML, which we will integrate into the LightClient among other things.
A second factor for additional user identification is also becoming more and more essential in password management. There are possibilities for multi-factor authentication such as USB sticks, biometric procedures or PINs, as plentiful as sand on the beach. In order to secure our services, we also use multi-factor authentication via security services such as Google Authenticator, the RADIUS interface or Yubico.
Last but not least: How does Password Safe adapt to growing security threats?
Password Safe has the necessary functionalities to provide a dynamic security solution that meets the needs of companies of various sizes, thanks to our in-depth technical expertise. Because what makes our software special is the multitude of functionalities. Password Safe can be tailored to any company in four available editions – regardless of the industry, from start-ups to large corporations.
[1] Cf. Federal Office for Information Security, Management Report 2018
[2] Cf. Statista, Survey 2018