Even though this is not a new topic by any stretch of the imagination, 63% of data breaches result from weak or stolen passwords [2]. We all know what to do, but employees will often choose convenience over security when it comes to password accessibility. We've seen things like employees emailing passwords to themselves, writing them down on a piece of paper and taping it to their desk, or making every single password identical. It is the responsibility of the executive team to ensure the security of client and employee data. So, here's what you can do:
Set up a great password policy
Set up rules, policies, and procedures that employees need to follow regarding their passwords. We've recently seen an increase in passphrases as an alternative to passwords. Passphrases are great because they are easier to remember and long enough that a typical attacker cannot guess or crack them in any practical amount of time. Employees should also have a different password for each platform, and passwords should not be emailed for any reason. Password generator and password manager programs like KeePass can help you not only create random passwords and passphrases, but safely store them as well. To learn more about password guidelines, read our blog post on passwords.
Put it in the employee handbook
If it's not in the employee handbook, it doesn't exist. Employees need to have a tangible reference for how to manage passwords within your organization. This can be inserted into the client privilege and privacy section. This is also a great opportunity to explain why there needs to be a password policy in place and why carefully selected passwords are so important.
Use multi-factor authentication
What is multi-factor authentication? It is where your employees have to prove their identity by utilizing a combination of two different components: something you know (such as a password) combined with something you have (such as a phone or hardware token). This is one of the safest methods to access the organization's information. Programs like DUO utilize an out-of-band (OOB) form of authentication, using a completely separate channel, such as a mobile device, to authenticate a transaction originating from a computer. This is a great security technique for employees who work remotely. Read more about safe ways to work from home here.
There are many ways to enforce a password policy. You can configure rules around minimum character count, required character types, expiration dates, etc. You can also request employee cybersecurity training from your IT service provider. This can include online tutorials, in-person lunch-and-learns, phishing email classes and quizzes, etc.
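The rules above (minimum length, required character types, expiration, a passphrase alternative, and "a different password for each platform") can be expressed as a small, testable policy check. The following is an added example written for this post, not Blackpoint's own code or any product's configuration; the thresholds (12 characters, three character types, four-word passphrases, 90-day expiry) and the short blocklist are illustrative assumptions, and the sample passwords are constructed for the demonstration.

```python
"""Password policy checks: length, character types, passphrase alternative,
expiration, and reuse across platforms. Added example; all thresholds are
assumptions chosen for illustration, not a recommendation for any product."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_char_classes: int = 3        # counted among lower, upper, digit, symbol
    passphrase_min_words: int = 4    # this many words waives the character-type rule
    max_age_days: int = 90
    # Constructed blocklist of well-known weak choices; a real deployment would
    # load a much larger list of breached/common passwords.
    blocklist: frozenset = field(
        default_factory=lambda: frozenset({"password", "welcome1", "letmein"})
    )


def char_classes(pw: str) -> int:
    """Count how many of the four character types (lower, upper, digit, symbol) pw uses."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in pw))


def check_password(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return every policy rule the candidate password violates; an empty list means accepted."""
    problems = []
    if pw.lower() in policy.blocklist:
        problems.append("on the blocklist of common passwords")
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    # A passphrase is recognised by word count; words may be separated by
    # whitespace, hyphens or underscores.
    words = [w for w in re.split(r"[\s_-]+", pw) if w]
    is_passphrase = len(words) >= policy.passphrase_min_words
    if not is_passphrase and char_classes(pw) < policy.min_char_classes:
        problems.append(
            f"fewer than {policy.min_char_classes} character types and not a "
            f"{policy.passphrase_min_words}-word passphrase"
        )
    return problems


def password_expired(last_changed: date, policy: PasswordPolicy,
                     today: Optional[date] = None) -> bool:
    """True when the password is older than the policy's maximum age."""
    today = today or date.today()
    return today - last_changed > timedelta(days=policy.max_age_days)


def reused_passwords(passwords_by_platform: dict) -> list:
    """Group platforms that share one password, so each group can be flagged.

    Meant to run inside a password manager, which is the only place the
    plaintext values legitimately live; never collect them over email.
    """
    groups = {}
    for platform, pw in passwords_by_platform.items():
        groups.setdefault(pw, []).append(platform)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed candidates: a blocklisted one, a short one, and a passphrase.
    for candidate in ("welcome1", "Password1", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, policy) or "OK")
    print("expired after 152 days:", password_expired(date(2024, 1, 1), policy, today=date(2024, 6, 1)))
    # Constructed vault contents showing the same password on two platforms.
    vault = {"mail": "Tr0ub4dor&3", "vpn": "Tr0ub4dor&3", "crm": "other-platform-pw"}
    print("reused on:", reused_passwords(vault))
```

The passphrase rule is the design point worth noting: a four-word phrase passes even though it may contain only lowercase letters, because its length, not its character mix, is what makes it hard to guess. Treating character-type rules as a substitute for length tends to produce exactly the short, predictable passwords the post warns about.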
Request a Security Assessment
We wouldn't be doing our due diligence if we didn't point out that to be truly secure, you have to have a multi-layered, cross-organizational, comprehensive security plan in place to accompany the password policy. A solid password policy can save your organization time and energy, but to cover your bases, you need to tailor your security plan to meet the security, deployment, and management requirements of your unique organization. In order to identify these requirements, along with all of your network vulnerabilities, it is best to start with a security assessment.
To request a free consultation with a Blackpoint security consultant, you can schedule an appointment or call (866) 575-9512.
1. TechRepublic article, "Negligent Employees are No. 1 Cause of Cybersecurity Breaches at SMBs", http://www.techrepublic.com/article/report-negligent-employees-are-no-1-cause-of-cybersecurity-breaches-at-smbs/
2. ID Agent article, "63% of Data Breaches Result from Weak or Stolen Passwords", http://info.idagent.com/blog/63-of-data-breaches-result-from-weak-or-stolen-passwords