Wednesday, October 12, 2016

Who are we protecting?


The Ministry of Development and Social Inclusion (MIDIS) is the newest Ministry in Peru; it has taken over almost all social programs since 2012. It is also in charge of the algorithm that decides who is eligible for social programs.
After my experience of downloading LastPass, there are a few considerations that I would like MIDIS to take into account before mandating that all of their employees use it.

First, it is important to consider the positive externalities that it would generate for both the users and the Ministry itself. For the users/employees, it allows them to have their passwords stored in a "secure" way. There are countless times in which you just can't remember that one password you created with a certain pattern so it's easy to remember, but with a little twist so that it's different from the others. We all do it. (Did I just give up my password?) Anyway, it is nice to know that you have a safe place where all of that is stored; it relieves the mind of that stressful moment when you are in a hurry. Second, I would say that you can then change your passwords and make them more intricate and complex, therefore making them harder to guess/hack and by default more secure. This matters especially if you use a pattern, because cracking one password then makes it easier to guess the other ones. Third and last, you can use the Google Chrome plug-in and even the cellphone app in order to make it easier to access your accounts. The plug-in even detects when you are accessing a site with credentials and asks if you would like to save them automatically, which makes the process much easier for the user.

For the Ministry, I think the main benefit is protecting their servers from a possible hack. Imagine one of the employees had weak passwords or was very careless about how they managed them. It would expose the entire Ministry's servers to information theft. And take into account the fact that this Ministry is in charge of assessing who is eligible for the biggest social programs in the country. I think that alone is enough reason to encourage employees to add a layer of security to their access credentials.

On the other hand, let's consider the negative consequences that could follow from instating such a policy. Both the users and the Ministry itself have to be aware of how LastPass actually works and what kind of security it has to protect the credentials of its users. If LastPass had a security breach, it would mean exposing all the information the employees have stored there, including banking access codes. Would that make the Ministry liable to a lawsuit? Unclear at this point, given that Peruvian law has not caught up with online services. However, it would generate social unrest and political liability for the incumbent party. The fact that LastPass is the platform that could unlock other platforms makes it extremely dangerous if it is hacked.

It is important to weigh the trade-offs of having your employees store their passwords in one place, especially since a security breach there could have big consequences. Even more so in Government. In conclusion, and just because I am risk averse, I would start by doubling down on securing the networks at the Ministry and engaging in better practices. Start small and then evaluate whether it is convenient to instate such a policy. It might not be the best option for all Ministries, or even for all employees in one Ministry. If a roll-out is planned, pilot it on a small scale first and learn whether it is really adding value and protecting the users and the Ministry from external threats.
