Let’s not jump on the LastPass bandwagon just yet

Should a 15,000-employee organization adopt LastPass? On the one hand, LastPass seems to bring clear benefits, not just in improving overall security, but in reframing the importance of employees’ own security behaviors. On the other hand, mandating LastPass means weighing the tradeoffs in time, resources, and accessibility.

These tradeoffs require us to assess the company’s particular needs — goals, vulnerabilities, and approaches — in order to make the final decision.

Benefits

The benefits of employees using LastPass are fairly clear. A manager that generates and stores a unique password for every account reduces the chance that one compromised account becomes a foothold from which an attacker can work their way into the rest of the network. The status quo, which leaves password choices to each individual employee, is dangerous because the system is only as strong as its weakest link. Mandating LastPass across the company would remove many of these weak links in password security.

Moreover, the process of instituting LastPass may have a positive reframing effect for individuals. While spending the time to move their passwords into LastPass, and wondering why the company cares about their security in this way, employees would be encouraged to see their own security practices as part of the company’s larger security system. Helping employees see themselves within the system likely has positive network effects further down the line, when an individual has to make a security decision and takes their role in the network into consideration.

Drawbacks & Tradeoffs

But it’s not all rainbows and unicorns. One obvious tradeoff is staff time. Suppose it takes the average employee one hour to sign up and move their accounts into the new system. At the system level, the LastPass mandate then costs 15,000 hours of company time (375 forty-hour work weeks), in addition to the administrative time to communicate the change and guide employees through it. This is no small decision.

Thinking on the broader level of security, there is likely some finite pool of security resources the company can spend. The company’s IT and security teams have finite time and budget to implement projects; employees and managers have finite patience for new security measures. Choosing to implement LastPass will therefore likely mean not implementing some other security improvement. This tradeoff makes it important to judge the LastPass mandate in the context of other possible security upgrades. Is password security the best place to invest these resources?

Another tradeoff to consider is usability or accessibility versus security. While LastPass is not too overwhelming a system, it will change how employees interact with the network, how efficient they are, and how easy their work is. Does mandating LastPass privilege the needs of the system over the needs of the employees?

Given that LastPass is not completely intuitive, it’s also possible for employees to adopt the system without following best practices. For instance, nothing stops an employee from using the same password for multiple sites and simply storing that password in LastPass; a migration that imports existing passwords carries existing reuse along with it unless someone audits the vault afterward. So in the messiness of practice, mandating LastPass does not guarantee strong password hygiene. A manager also concentrates every credential behind one master password, so the strength of that password (and the protection on the vault itself) becomes a single point of failure the mandate has to address. There’s also a slight risk that LastPass will provide employees with the veneer of security while distracting them from larger security concerns: that people will feel safer without being safer.
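The reuse problem is checkable. A manager stores whatever is put into it, so an audit of the vault contents after migration is the step that turns "everyone uses LastPass" into "everyone uses unique passwords". The following is an added example, not code from the original post or from LastPass: a small Python audit over a constructed vault export. The column layout (url,username,password,name) is a simplified stand-in for a real export and the sample rows are made up; the length threshold is an assumed policy value.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export. The columns are a simplified assumption about a
# manager's CSV export format; every row below is illustrative, not real data.
SAMPLE_EXPORT = """url,username,password,name
https://mail.example.com/login,alice,Spring2019!,Corporate mail
https://hr.example.com/,alice,Spring2019!,HR portal
https://github.com/login,alice,c9J#xQ2mL8vT,GitHub
https://vpn.example.com/,alice,Spring2019!,VPN
https://wiki.example.com/,alice,short,Wiki
"""

MIN_LENGTH = 10  # assumed policy threshold, not a LastPass setting


def host_of(url):
    """Lower-cased hostname of an entry's URL ('' if the URL is malformed)."""
    return (urlsplit(url).hostname or "").lower()


def fingerprint(password):
    """Short hash so reports can group entries without echoing the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def audit_vault(csv_text, min_length=MIN_LENGTH):
    """Audit a vault export.

    Returns {"reused": {fingerprint: [hosts...]}, "weak": [hosts...]} where
    "reused" lists passwords shared across more than one distinct host and
    "weak" lists hosts whose password is shorter than min_length.
    """
    hosts_by_fp = defaultdict(set)
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row["password"]
        host = host_of(row["url"])
        hosts_by_fp[fingerprint(pw)].add(host)
        if len(pw) < min_length:
            weak.append(host)
    # Two entries for the same host (e.g. two URLs on one site) are not reuse;
    # only a password that spans distinct hosts is flagged.
    reused = {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}
    return {"reused": reused, "weak": sorted(weak)}


def report(findings):
    """Human-readable lines for the audit result."""
    lines = []
    for fp, hosts in findings["reused"].items():
        lines.append(f"password {fp} reused on: {', '.join(hosts)}")
    for host in findings["weak"]:
        lines.append(f"password for {host} is below the length threshold")
    return lines or ["no findings"]


if __name__ == "__main__":
    for line in report(audit_vault(SAMPLE_EXPORT)):
        print(line)
```

Run against the sample, the audit reports one password shared across the mail, HR and VPN hosts and one entry below the length threshold. The report never prints the password itself, only a truncated hash, so it can be handed to a help desk without leaking the secret it is complaining about.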

Making the decision

What are we to do with these tradeoffs? A decision should be based on both an understanding of the system’s structure and a realistic threat model.

In this case, understanding the system’s structure would mean understanding more about how employees’ computers and accounts are connected to each other. What kind of network is at play in the services employees use? How interconnected are users and services? What data is stored where? 

Building a realistic threat model would take some introspection. What are the goals of security at the company: simply to protect the company’s own systems? Or is there other personal data the company collects? Does the company have a responsibility to the public, as a whole or as individuals, for any of the data in its hands?

What are the system’s vulnerabilities? How big a problem is lax password security by individuals, compared to the system’s other vulnerabilities? Are there malicious actors who might be able to breach the system’s walls? Would LastPass prevent those attacks, or lessen their effect?

Finally, are there countermeasures other than LastPass that might be better suited to these goals and vulnerabilities? Does the company really need to collect the personal information it collects? Can it identify or measure threats through testing and iterative development, rather than assuming it already knows their likelihood and consequences?

Absent context, mandating LastPass adoption seems like an objective improvement to company security. But the decision to do so requires understanding the tradeoffs between costs and benefits. Hopefully, the understanding necessary to make this decision will benefit the company more broadly, by helping it understand its security needs, threats, and options on a holistic level.
