Is IT Losing the Battle to Keep Security Devices Safe?
It’s not just the loss of smartphones and laptops that keep security administrators busy. According to a new survey of 300 IT security professionals in London conducted by SecurEnvoy, enterprises are wasting resources “recovering and replacing lost physical authentication tokens.”
When asked to quantify that cost, “a staggering 12 percent of companies waste ‘months’” every year because of lost security tokens, and 10 percent said such tasks cost them “weeks every year in management time chasing and replacing physical tokens.” Some enterprises are luckier: 13 percent estimate the loss in days, and 16 percent said the cost was just a few hours.
One number in the survey popped out at me: 7 percent of companies report losing up to three-quarters of their tokens each year, and 14 percent of companies lose between 26 and 50 percent of theirs. The figure drops to 13 percent of companies with losses between 11 and 25 percent, and nearly a third (32 percent) say they lost 10 percent of their tokens. No wonder SecurEnvoy says the loss is in millions of pounds and calls the loss rates “galling.”
In a release, the company notes, “You really do have to admire the commitment of the 3 percent of respondents who confessed that between 76 percent and 100 percent of all physical tokens in their organization were being lost every year! When you think each token has an overhead cost -- averaged at £50 per token, that’s a lot of money to write off.” You bet it is.
Andy Kemshall, CTO and co-founder of SecurEnvoy, pointed out that “We advocate the use of mobile phones which can be turned into an authentication device eliminating many of the management costs associated with 2FA [two-factor authentication] systems. Our mantra is simple: authenticate anyone, anywhere, any phone -- simply and securely.” Of course, given the rates of cell phone loss, I’m not sure how much easier this will make a security administrator’s job.
The study examined password use and discovered that 57 percent of respondents “confirmed that a password is required as part of their ‘log-on’ procedure. While 78 percent of the sample agreed that using a secret question to secure a password is not enough, still a staggering 21 percent relied on this verification when a password reset is needed.” That’s not the worst of it: “Worryingly, an additional 10 percent didn’t know if they did or didn’t!”
Kemshall wisely notes that enterprises understand the risks of these password policies “yet they still continue with the practice in the blind hope that nothing will go wrong. With 2FA arguably the strongest realistic authentication option, it makes sense for it to be incorporated whenever a person needs to do something that requires them to validate they are who they say they are -- password resets being an obvious candidate.”
If IT wants to save money, Kemshall has a recommendation: “Users can now very easily reset their passwords, themselves, via a self-help Web page using a one-time passcode sent to their mobile phone. This method eliminates the average help desk cost of £14 for each password reset, but also allows companies to introduce more secure practices for everyday eventualities.”
-- James E. Powell
Editorial Director, ESJ
Posted on 07/11/2012