Today’s cyber security landscape is becoming increasingly treacherous. Attackers are highly sophisticated, well-organized and relentlessly probing weaknesses in network and application security in order to gain access. One of the foremost ways of attempting to ensure data security is through the use of passwords – but even this method is no longer effective. Passwords can be shared, stolen or easily guessed, and they are difficult to manage, which makes them a weak form of identity management.
Many businesses may be drawn towards passwords, as they, in theory, offer a “cost-free” means of protecting data. After all, a company is not in business to be secure; it is in business to be profitable. However, when considering any security technology to help mitigate risk in a business, it’s important to look beyond the acquisition costs of the safeguards and consider the ongoing expenses associated with the deployment and management of the system.
Let’s take a deeper look at these costs and how to cut back on them.
The Hidden Costs in Password Security
Acquisition Costs
One of the biggest advantages of traditional password systems is that they are typically provided “free of charge” within the operating systems and business applications being used. They generally do not require any extra hardware or software to be used by the end user, and therefore appear to be more cost effective than stronger authentication systems. Stronger authentication solutions, on the other hand, require the purchase of hardware authentication tokens and a yearly software subscription for each user.
Remember though that the acquisition cost is only one of three factors that help to determine the real cost of ownership of the solution. The costs to deploy and manage the system must also be considered.
Deployment Costs
The first expense that relates to the deployment of passwords is the creation of user accounts across different systems. Depending on the sensitivity of the information on the system or application being used, this may be as simple as adding a user, or as complex as requiring a full policy management process to be followed. For example, although it may be quick enough to add a user to an Active Directory system, that same user may also need to be added to the CRM system and have rights assigned to the company intranet.
Management Costs
The third and most considerable expense of password security is the ongoing cost to administer and manage the system. There are two separate categories of expense that need to be considered when managing the system – first, the lost productivity that occurs when a user is unable to perform their job duties due to an authentication problem, and second, the resources consumed by the company to resolve the problem and implement the solution.
The productivity loss that an employee faces when not able to perform their duties is compounded by the productivity lost by the other people involved in solving the problem. To be a good investment to the business, an employee must return value in excess of his or her cost. So when an employee is fully involved in the process to fix a password problem, there is the cost of their lost wages and of lost productivity of perhaps as much again. When IT staff is external to the business, these costs can be even higher when action is needed during non-peak times or after hours.
It’s one thing to evaluate the cost to address a single password issue, but the real insight comes when we look at the costs over the year for all employees. Over the course of a year, a user is exposed to many opportunities to forget their password. After long periods of absence such as holidays and vacations, a user may forget their password or it may expire. After any sort of password change, there is a good chance some users will forget their passwords. If these opportunities are compounded by strict password policy procedures that force frequent changes, forgotten passwords will be unavoidable. A typical user will likely cause multiple incidents in any given year.
Clearly, password security isn’t really “free.” In many cases, strong authentication can actually be more cost effective than password security alone. At the same time, the total cost of ownership of strong authentication can show value-added benefits past initial cost savings; enhanced security and threat reduction can also help protect the business from new associated online risk.
The Alternative: Strong Authentication
Being able to significantly reduce the threat caused by weak password security can be of great value to a small business. Also contributing to the total cost of ownership are the new business opportunities that may be available with the deployment of stronger authentication systems that can provide better identity and access control safeguards. Stronger authentication systems can help small businesses lower management costs, meet compliance objectives, and reduce risk to acceptable levels.
Lower management costs
The use of strong authentication can drastically reduce the expenses incurred through maintaining and managing user credentials by allowing users to never worry about forgetting passwords again. Each time they log onto a system or application that uses strong authentication, they can use their authentication token, in combination with their personal PIN, to generate the passcode as it’s needed.
In areas where passwords cannot be completely replaced with strong authentication passcodes (such as within Active Directory), the management costs can be reduced by allowing the password complexity policies to be relaxed for the traditional password, and augmented with passcodes available in the strong authentication system. This allows small businesses to leverage their existing infrastructure while still adding stronger authentication where appropriate, ultimately reducing management costs and increasing the security effectiveness of the technical safeguards in use.
Meet compliance objectives
To address concerns with an individual’s rights to privacy, leading industries and various levels of government have been forced to mandate (through legislation and regulation) strict standards to ensure personal information is protected at all times. Failure to comply with these laws and regulations has the consequence of fines and possible legal action against the offending company. By requiring strong user authentication before allowing access to critical business resources, small businesses can meet the objectives of most compliance regulations and offer assurances that only authorized personnel will gain access to sensitive information.
Reduce risk to acceptable levels
Breaches in security are becoming more common as more companies move many of their business processes online. It is not worms and viruses that are causing the greatest amount of damage, but unauthorized access by untrusted users. By using strong authentication, not only do you reduce the risks of traditional password security, but you prove the identity of the user before granting access to critical business resources, and the sensitive information within.
When we consider all of these factors, it becomes clear that the hidden costs of “free” password security actually outweigh the costs of implementing strong authentication, and that passwords offer far less protection. Unlike traditional password management systems, strong authentication delivers the appropriate safeguards to increase remote access productivity while reducing online risk and the associated operating costs.