The January 20, 2020, issue of the New Yorker magazine has a cartoon that hits the nail on the head:

“I think we’re named after computer passwords.”

Information security doesn’t have to be difficult or complicated.

In fact, if there’s too much difficulty and too much complexity, it actually increases the likelihood that your environment will end up being less secure. Why? Because too much difficulty and complexity become impediments to simply getting the doggoned work done.

Too much difficulty or complexity runs the risk that your employees will develop work-arounds that bypass those difficult complex security measures.

Deploy two-factor authentication, and opt for publicly-available authenticators such as Google or Microsoft that can be loaded for free on your employees’ personal smart phone. Voila! Your information security administrator can quickly and easily disable credentials if the employee quits or if you think their activities seem suspect.