A number of MPs have joined ranks to defend their cyber behaviour after investigating agencies found pornographic material on systems belonging to such MPs.
The MPs claimed that they regularly share their login IDs and passwords with their staff and interns and that it is a common practice in Westminster.
Nadine Dorries, a Conservative Party MP for Mid-Bedfordshire, recently garnered much flak for defending poor cyber security practices at her workplace and for justifying password-sharing as a common practice in the House of Commons.
‘My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green’s desk was accessed and therefore it was Green is utterly preposterous!!’ she tweeted.
‘All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, “what is the password?”’ she added.
Dorries’ outburst came in response to a Freedom of Information request by the BBC which revealed that eleven council workers across the country were suspended last year for accessing pornographic content on their work computers. Forty other council workers were also suspended for breaking social media rules.
Dorries’ statement is also in defence of Damian Green, another Conservative MP who is accused of storing pornographic material on his work computer. The findings of a Cabinet Office investigation into Mr Green will be released in the next few days.
Mr Green has stated that his login ID and password were known to his entire staff and therefore, he could not be accused if any suspicious material was found on his work computer.
Convenience continues to trump cyber security
We have reported how IT staff at many medium and large corporations have been forced to remove filters and weaken security protocols to make it more convenient for employees to get their work done.
A survey of 474 IT staff by BeyondTrust also revealed that even though 71% of IT professionals consider the rampant usage of admin rights a high risk factor, and a further 21% admit that such usage caused frequent security problems, 38% of them said that their organisations are allowing too many employees to enjoy admin rights for the sake of convenience and efficiency.
However, as we are finding out now, this practice isn’t restricted to corporations alone but is deeply ingrained in Westminster as well. Are we surprised? No.
Earlier this year, as many as 90 email addresses belonging to MPs including Prime Minister Theresa May as well as several of her cabinet colleagues were breached by hackers as part of a coordinated cyber-attack on the Parliament’s digital infrastructure. A Parliament spokesman later confirmed that all these e-mails were protected by weak passwords.
‘The news that MPs are sharing passwords with others in their departments is shockingly bad and very disappointing. Sharing passwords should NEVER happen, with the possible (but very rare) exception being sharing with the IT Department at work, and then the password should be changed when IT no longer need it.
‘Compromised credentials are the leading attack vector for data breaches – the 2017 Verizon Data Breach Investigations Report states that 81% of breaches involve weak, default or stolen passwords,’ says Barry Scott, CTO, Centrify EMEA.
‘Being senior in an organisation doesn’t provide immunity from having to follow cyber security best practices – in fact precisely the opposite as senior people have access to the most important information!’ he adds.
Steve Schult, Senior Director for Product Management at LastPass, told TEISS that Nadine Dorries’ statement confirmed that whenever security ends up hindering how an employee carries out day-to-day tasks, people will be less inclined to follow best security practices.
‘Keeping passwords safely stored should be a concern for everyone, MPs included, which is why using an encrypted vault is the most convenient and secure way to keep track of each unique password across accounts,’ he added.
Recently, Home Secretary Amber Rudd batted for backdoors to be created in enterprise software, stating that firms didn’t inherently understand the need and importance of being safe online.
Considering her stance on the government being the sole guardian of online safety, it is with sheer disbelief that we see other MPs condone the lax cyber security behaviour of their peer group.
MPs’ systems are protected with login IDs and passwords to ensure that the data stored in them is protected at all times. However, by sharing their passwords, they are defeating the very concept of data security and opening their systems to unauthorised access. It is thus quite interesting that the same MPs are so upbeat about GDPR and strongly support heavier fines being imposed on enterprises that fail to secure their data.
The same MPs are now trashing the BBC and stating that much is being made of what is a common practice. Just to protect a colleague from facing prosecution, such MPs are willing to trample upon cyber security and dismiss the risk that they face from malicious actors because of their own poor cyber hygiene practices.
As such, we believe the National Cyber Security Centre and its allied organisations should run cyber security courses for MPs and councillors with as much zeal as they offer basic and free cyber security courses for small and medium businesses across the country.