A recent YouGov sruvey is being spun – or at least that’s how the press release reads – to show that British workers still aren’t implementing secure data protection practices. I don’t see this as all bad news, however – in fact, quite the opposite.
The headline statistics from the survey, commissioned by technical training company QA, show that 18% of the 1,197 workers questioned didn’t have passwords or PINs set for all their work devices (including laptops, tablets and smartphones), and 23% of those who did had shared them with someone else, while 21% had written them down.
The accompanying press release insists this highlights “major cybersecurity flaws”, which are “contributing to corporate cybersecurity risks”.
While I can’t argue against the contribution made by such password folly to data insecurity, I’m not entirely convinced the research is a doom-and-gloom revelation.
Simply turning those numbers around suggests that almost three-quarters (allowing for “don’t knows”) of those asked do protect all their devices and don’t share the passwords.
The main problem with research such as this is that it’s never really so black and white: if I were asked, for example, whether I write down my passwords, my answer would be a resounding “yes, I do”.
Of course, I don’t write them down on a Post-it note stuck to my monitor but rather within a well-encrypted, locally stored database. Similarly, I’d be inclined to say I also share my passwords, as a copy of that encrypted database has been deposited with a third-party cloud provider to enable me to access it from any device, at any time.
I accept that doing both things slightly increases the risk of password disclosure above what it would be if I kept them in my head, but not by very much, since the data itself is well encrypted.
The software I use ensures that my complex, long and very strong master password that unlocks the password database is never transmitted from whatever device I’m using at the time, with all the decryption and encryption being performed locally. The Agile Keychain data format used is capable of withstanding sophisticated attack methodologies, and the supposed weakest link in the chain – the third-party cloud service – adds yet another layer of encryption itself, so my encrypted data file is encrypted again.
I’m not suggesting YouGov’s survey is pointless, because anything that helps hammer home the security-in-the-workplace message is worthy. I just think we need to be a little more cautious when it comes to interpreting such numbers as negative.
We should rejoice in the fact that so many have received and understood the security message, then look at how we can help the small minority who haven’t. That includes their bosses, the people charged with both determining security policy and applying it.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
