After using the same password for all my accounts for years, I can finally start setting complicated and unique passwords for each of my accounts. This is thanks to a password vault that I recently installed on my computer. What this means is that I can now stop worrying about forgetting complicated passwords and let this tool do the work for me.
This then begs the question — if it makes sense for me, as an individual, to have a password safe, does it also make sense for big organizations to make this mandatory for their employees?
I think that this question is very organization-specific. While it’s good practice to have this tool for the safety of your personal information, the information an organization deals with would ultimately determine whether this is worth the cost or not. I’ll give you an example.
The very first job that I did was with the largest private sector bank in India. I was working with their Business Intelligence Unit as a data analyst. Now, my department was the only department with access to sensitive information like names and phone numbers of all the customers. All 15 million customers. I had access to their transaction history, their PAN Card details, their mobile phone numbers, and so on.
The way the IT department made sure that sensitive information was never compromised was by blocking access to the internet. This seems like a good idea if my job was just looking at data. But for the purpose of analysis, I had to use the internet to clear my doubts and keep abreast of all the new things that were happening in analytics all around the globe. My bosses recognized that and I was promptly granted access to the internet.
And it wasn’t just me. If you were above a particular level in the hierarchy, you had access to the internet. This made the bank vulnerable to cyber attacks, something I think the bank did not take very seriously.
Now that I’ve given you an actual situation to think about, we can start discussing whether it makes sense for an organization to invest in a password vault.
The simple answer is: yes. However, it’s much more nuanced than that.
First, the organization needs to know whether the information it is dealing with is sensitive or not (Do you have identifiers in your data? Do you have important details like SSN in the data?).
Second, the organization would need to determine whether it makes sense to give a bunch of humans access to the sensitive information (Can your employees make do without personal details of people?). In my case, since we were analyzing data to run campaigns, we needed the details of people who we were going to run the campaigns on.
Third, the organization needs to determine whether access to sensitive information should be reserved for a team or a few individuals.
The organization can think through these questions and determine who it would need to invest in protecting so that the sensitive information cannot be compromised.
Going back to the example of my first job, I feel that the organization could have invested in a password vault for the employees in my department, since we were the only ones with access to this information.
In conclusion, I would say that the decision to make a password vault mandatory for employees would depend on the organization, and who within the organization has access to sensitive information.