May 11, 2008
Discussion Group and Website integration - Monday, June 04, 2007

Our integration layer between our website (www.infoadvisors.com) and our discussion server (http://wb.itboards.com) is currently out of service. That means if you are registering for the first time, you'll need to first register here on the website, then register again on the discussion group (via the ENTER link on each board's page). If you use the same credentials on both, then when we turn integration back on your accounts will be in sync again.

Please register here on the website first.  Thanks for your patience.

 

Welcome to InfoAdvisors' website dedicated to information technology processes.  You'll find subscriber-written articles on UML, data management, data modeling, process modeling, ITIL, information governance, as well as materials to help you improve your information management resources.






Written by: Karen Lopez
Monday, April 21, 2008 2:54 PM

Every year Infosecurity performs a security-related experiment.  They ask office workers questions about their passwords, where they work, what they do...then ask for their actual password.  A shocking number of people hand it right over.

OK, so here's the question: Exactly how ignorant are they? The experiment found that out of 576 people questioned this year, 21% were quite happy to reveal their passwords in exchange for candy.

But maybe some of the dire news of late is sinking in, because that number is a heck of a lot lower than when the same experiment was conducted last year. Back then, a whopping 64% of the respondents were willing to give away their passwords. It seems that users have never paid attention to their mother's advice about strangers and candy.

A curious aspect of the results was that, of those willing to trade away their passwords, women were 4.5 times more likely to spill the beans than men. Even more astounding was that 61% of all people surveyed happily revealed their date of birth!

This stuff drives me crazy.  I see people handing over personal data all the time in stores in exchange for a free t-shirt or even a free sample of something.   I always chalked this up to naiveté, but I can point to my own derivative experiment based on the Infosecurity one.  When the results are announced each year, I bring this up at work with my IT peers.  Usually 80% of my co-workers are willing to tell me enough about their passwords for me to guess or find out what it is ("My password is always my girlfriend's birthday, so I never forget it" or "I always use Star Wars, but spelled with a Z instead of an S.") without my even asking. I'd also say 9 times out of 10, talk turns to passwords for the non-user accounts, say the SA password for a production SQL Server.  For some reason, all sense of security of this information goes out the door as the password is almost always mentioned.  I've always wondered if this is because workers don't value these non-personal resources as much as they do their own browser history, e-mail, and YouTube ratings.

I remember meeting with a potential financial advisor for a very large financial institution. Our talk turned to passwords and I told him about the study where people would hand over their passwords for the most trivial of treats. He rolled his eyes and then said how stupid IT professionals are to require these. I mentioned that I was an IT professional and that strong passwords were the best defense against data theft and fraud. He then proceeded to talk about all the new online systems that his company was foisting upon him and his clients. And, of course, then he proceeded to tell us what his login and passwords were and why they were so easy to remember. I sat there in stunned silence. His giving out this information was not a great selling point for me for his services. After having bragged about managing millions and millions of dollars of portfolios for some very famous people, then telling me his login credentials, he had basically shown me he could not be trusted with my data or my finances. Needless to say, he did not get my business.

And what is this "women were 4.5 times more likely" to fall for this scheme?  Are we females really that clueless?  Is it that we avoid confrontation or have been raised to never say "no" when asked for a favor?  That number bothers me.  The Register believes it is because women love chocolate more than security.

I remember another conversation with a budding IT professional. Actually, he was a non-IT professional training to become a professional engineer so that he could then become an IT worker. (Don't ask; I never understood his career plan, either.) Anyway, he had been talking to our intern about how secure the newest encryption technology was and how absolutely unbreakable it was. As a sage (old) IT pro, I had to break the news to both the intern and the IT-wannabe that the encryption technology was useless in an age of social engineering and corporate cluelessness. Both were flabbergasted that I could possibly question the value of what was probably 32-bit encryption at the time. They both spouted off mathematical certainties of how many billions of years it would take to crack the code of highly secure encryption. I tried to explain to them that technology was not the issue most of the time. They both rolled their eyes and said that I just couldn't understand how big the numbers were.

So I dragged our IT-wannabe over to the assistant to the CIO's desk and lifted up her keyboard to show him the Post-It note with all the CIO's logins and passwords. He objected that the list of what were obviously user names and passwords could be anything. Then I took him over to the DBA set of cubicles and showed him how the whiteboard outside their cubes contained mysterious pairs of what were obvious user names and passwords. He still didn't believe me. So he asked the admin assistant the next day how she kept track of all the logins and she showed him that she wrote them down on a Post-It and stuck it under her keyboard. Then he asked the DBAs if those were credentials on the whiteboard, and they first denied it, then admitted it. He chalked this up to clueless IT people. So I walked with him back to his cube, and pointed out that he kept his own login information on a Post-It note stuck on the side of his monitor. Cluelessness, indeed.

Some days I feel as if all the work we put into data governance, information quality, and information security is for naught.  Why bother if no one values the data in the first place?

I believe that we data management professionals must hold ourselves to a higher standard than what we see in the rest of the world. We can go on and on about data quality, information integrity, and information protection. But if we are giving out passwords right and left, writing passwords on whiteboards, and generally following terrible security practices, how are we ever going to convince the business that they need to treat the data better than we do?

Your thoughts?  Your observations?


Re: Groannnnn...How Do We Change This?

I have to ask, did anybody validate that people gave their actual passwords instead of making one up to get the 'free' candy? I would suspect that most of those passwords are utterly bogus but the person received the candy and tee shirt anyway.

By Dcawvive on   Monday, April 21, 2008 3:23 PM

Re: Groannnnn...How Do We Change This?

I'm not sure how they would actually validate it. I do know from my own experiments where I also know the group credentials mentioned above that too many of my co-workers are happy to spout off the password or other login information in a group setting.

I would also guess that some people would divulge fake passwords for the candy, but I don't think it is *most* of the respondents.

By host on   Monday, April 21, 2008 3:28 PM

Copyright 2006-7 InfoAdvisors, Inc.