In-depth

Building a business case for password managers

Davey Winder ponders the best way for SMBs (and larger firms) to tackle the thorny issue of password security

Passwords have always been at the heart of data security policies, and often of data security breach reporting as well. Be it the password re-use question, the too-simple-to-crack versus too-complex-to-remember debate, or, as I touched upon recently, whether passwords are old tech that should be sent to the security scrap heap.

The unravelling Heartbleed saga has brought the password problem to the fore once more for both enterprise users and consumers.

Wearing my small business security consultant hat, one of the arguments I often find myself on the receiving end of is that I shouldn't be recommending the use of password managers as a solution.

"They are OK for the consumer who has no business critical data to protect, but even then the adoption case is a marginal one in terms of the security they offer," I am repeatedly told by people who usually fall into one of two categories.

The first are security consultants who deal exclusively with the 'medium-to-large' bit of the SMB sector. No consultant in their right mind would recommend consumer-grade password manager software for this level of enterprise application. But just because they are not an acceptable fit for the bigger players does not mean that the smallest enterprises cannot benefit from using them, nor that they are inherently insecure.

This brings me to the second category: the password naysayers who want to sell you on some other method of authentication and access control. This second group will often use the 'all your eggs belong to us' argument: that putting all your passwords in one place creates a very attractive target for hackers.

I agree. If there was a compromise, it would be disastrous. Just like it would be if that small business was re-using passwords across services and one of them suffered a breach. Just like if the passwords being used were not strong enough to resist attempts to crack them. Just like so many data breach scenarios involve passwords.

Would I rather see every enterprise adopt tokenisation or a multi-factor authentication method? Of course I would, but that ain't going to happen at the bottom of the enterprise sizing graph, where money, time and technical knowledge are all too often in short supply.
