Roughly 70% of the Earth’s surface is water.
And about 70% of the adult human brain consists of water.
Coincidence? Well, yeah. But I’m going somewhere with this so hang on. Our planet’s surface water and our brains also have another thing in common: a constant gravitation toward the paths of least resistance with little or no regard for the potentially disastrous outcomes that these paths may lead.
Like a swollen river that breaches its banks and washes out every road, bridge, and home it its path, our brains (again, 70% water) have this innate tendency to take the quickest ways of getting things done, or getting from point A to point B; even when these shortcuts present significant and dire consequences. In short, when given a choice, we will do some pretty mindless things to shave a few minutes or save a couple of bucks. It’s got to be the water, right?
Knowing what we know about us as a whole, we remain in constant pursuit of new ways to protect ourselves from ourselves, and one of the best ways to do that is to block those perilous shortcuts that we just can’t seem to resist. While our most brilliant minds still haven’t found a way to prevent us from driving tiny cars through flooded intersections, moving a ladder by hopping it sideways while standing at the top of it, or using a fork to dig oversized bread out of a plugged-in toaster, we’ve made some significant strides in other areas. For our intents and purposes, let’s talk about your company’s data security and what we did to block the all too common shortcut of employees not changing the factory-set default security passwords on secure storage devices.
In Apricorn’s early iterations of Aegis Padlock and Secure Key USB storage devices employed a universal default password (123456) with the intent of giving users easy access to the devices to begin the setup process. Additionally, every device we shipped had a bold-faced warning on the startup guide that this default password must immediately be replaced with a unique password before device deployment– not doing so would create a huge security risk. Being the path of least resistance and all, we knew it was still entirely possible to completely ignore our warnings, skip the unique PIN enrollment step, and deploy the device with the default password still in place.
In the years that followed, we learned that it wasn’t only possible to skip replacing the default PIN, it was fairly common. Here’s how we found out: of those products we shipped with default PINs, we’d get a small number of customer warranty returns each month. When performing diagnostics on those returned devices, our technicians were still able to unlock nearly half of them by punching in the default password! Granted, this was a fairly small sample size, but the percentage of them still having the default password in place was a real eye-opener for us. This is a lot like buying a maximum-security vault, filling it with your most valuable possessions, and displaying it in your front yard with the combination written on the door in fluorescent orange spray paint.
Our default password lesson was this: The path of least resistance is much too powerful of a thing. Beyond a strongly worded warning on the instructions, nothing more could be done to make every end-user replace their default password with a unique one. And considering that more than half of all corporate data breaches come from within by way of employee error, negligence, or laziness, we concluded that the only thing we could do to ensure that the user establishes a unique PIN was to eliminate factory default PINs altogether. And that’s exactly what we began in 2014 when we introduced a feature called Forced Enrollment. Today, ALL Apricorn secure drives have Forced Enrollment and consequently, NO default PINs. And on top of that, we also have added minimum complexity standards to those unique PINs. And four years after we created Forced Enrollment, the state of California just recently passed a law in September of 2018 that will (by 2020) ban all default passwords on connected electronic devices sold or offered for sale in the state.
While we think Forced Enrollment is a no-brainer and one of the most critically important features in our encrypted storage devices, it would appear that nearly every one of our competitors don’t see it that way and still produce encrypted drives with simple default passwords like 123456 or 11223344.
If you should happen to find one of our competitors’ encrypted USB thumbdrives lying around somewhere, like on the floor of a subway train, and you were to pick it up and try one of those codes followed by unlock, there’s a pretty good chance you could open it! I know of another “secure” encrypted drive manufacturer with an even easier default PIN: 0000000. If those first two PINs don’t work, chances are, this one will. But then again, who would be careless enough to load an encrypted storage device with sensitive data and leave the default PIN consisting of all zeroes? That’d be right up there with using the word “password” as their actual password, and we all know how rare that is.
Now before you accuse me of telling the bad guys out there how to potentially get sensitive data from these “secure” devices, I’m next to certain that I’m not telling them anything they don’t already know. These default PINs are all readily available on their manufacturer’s respective websites. Think about it. A lost device that is picked up by anyone on the street could potentially be opened by the finder looking up the manufacturer’s user manual online.
For those of you out there who are in charge of your corporate IT and data security, we created the Forced Enrollment feature with you in mind; we know that your biggest challenge isn’t writing security policies, it’s ensuring employee compliance with them. Encrypted USB storage devices with default PINs are a data breach waiting to happen. Think about it this way: if you’re dealing with a GDPR, HIPAA, or SOX violation and you say, “yeah, that missing hard drive had 500,000 personal records on it but it was encrypted.” What will you say when they ask, “was that device’s password sufficiently complex and can you provide evidence that it was?” With our Forced Enrollment PIN feature, you can say “yes” to both questions.
And most important, with Forced Enrollment, there is now one less way for your employees to behave like water.