It’s a never-ending battle: Hackers relentlessly look for a way into your digital house, and you work overtime boarding up the windows. Meanwhile, your employees stand in the doorway, graciously offering up their keys.
We know employees are the leading cause of data breaches, and that stolen or guessed login credentials turn up at some phase of almost every malicious campaign.
Where are we going wrong?
Certainly, passwords like 123456, qwerty, password, and mynoob aren’t helping matters. What’s more, many organizations are failing at even basic password security practices.
Yes, we’re seeing a shift toward biometrics, facial recognition, and hardware authentication—but it will be a few years before passwords are a thing of the past.
Until then, we need to do a better job of locking up the front door with the tools and best practices currently at our disposal.
Update your password policy
The days of complex password composition rules and regular, mandatory password changes are over. Research has shown these requirements produce passwords that are harder to remember and more predictable (users append a digit or rotate a suffix), which makes them less secure; NIST’s current guidance drops both requirements.
Instead, encourage your end users to choose long, easy-to-remember passwords: at least eight characters, though 12 or more is better. (You might even have them self-evaluate with a tool like Gibson Research Corporation’s Interactive Brute Force Password “Search Space” Calculator, bearing in mind that it measures brute-force search space only: a long password built from common words, or one already in a breach dump, scores well there and still falls quickly to a wordlist attack.)
Then check those passwords against a blocklist and reject any that are too common, too easily guessed, or already known to be compromised.
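The policy above (length floor, no composition rules, blocklist, breach check) as working code. This is an added example, not code from the original article: the common-password list and the breach corpus are constructed and tiny, and fetch_range is a local stand-in for the k-anonymity range lookup that services such as Have I Been Pwned’s Pwned Passwords offer, where the client sends only the first five hex characters of the password’s SHA-1 and compares the returned suffixes itself.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # the article's preferred floor; eight is the bare minimum

# Constructed blocklist of common or easily guessed passwords (hypothetical, tiny).
# A real blocklist holds millions of entries.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "mynoob", "letmein"}

# Constructed stand-in for a breach corpus (password -> times seen). In production
# you would query a breached-password service instead of holding this locally.
CONSTRUCTED_BREACH_CORPUS = {
    "correcthorsebatterystaple": 150,
    "Summer2019!!": 40,
    "iloveyou1234": 2000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus the way a k-anonymity range API serves it: the 5-hex-char
    SHA-1 prefix maps to 'SUFFIX:COUNT' lines for every breached hash with that prefix."""
    ranges = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in ranges.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET to the range endpoint. Only the 5-char prefix leaves
    the client; the full hash, let alone the password, is never sent."""
    assert len(prefix) == 5
    return RANGE_INDEX.get(prefix, "")


def breach_count(password: str) -> int:
    """Return how many times the password appears in breach data (0 if never)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:  # the comparison happens locally
            return int(count)
    return 0


def check_password(password: str):
    """Return the list of policy violations; an empty list means the password is acceptable.
    No composition rules: length, blocklist and breach check only, per current NIST guidance."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    seen = breach_count(password)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "correcthorsebatterystaple", "purple tractor sings at dusk"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Run it at password-set time and, ideally, again periodically against fresh breach data, since a password that was clean when chosen can turn up in a dump later. Note that "correcthorsebatterystaple" passes the length check and would score well on a search-space calculator, yet is rejected here because it is already in the (constructed) breach corpus.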
We also recommend you:
- Prohibit password and account sharing
- Allow end users to securely record and store their passwords
- Prohibit the use of a single password across multiple websites or applications
- Don’t allow employees to use personal passwords for work accounts
Furthermore, when it comes to system administrators, we suggest you adopt the following best practices, as well:
- Require multifactor authentication when accessing networks remotely
- Require system admins to use different passwords for administrative accounts and non-administrative accounts
- Never allow the use of default admin passwords
Encourage the use of password managers
You, no doubt, have been using a password manager for some time. Still, we’re constantly surprised by how many end users have not only never tried one, but have never even heard of one.
Guide them down that path—and be sure to drive home the user benefits that might encourage your less tech-savvy employees to embrace what might otherwise be a scary idea.
For starters, let them know that a password manager can help them prevent unauthorized access to not only their work accounts, but to their banking, personal email, and online shopping accounts, too.
Let them know they can:
- Store all of their passwords in a single place – personal and business – and only ever have to remember a single master password
- Ensure all of their passwords are protected by encryption
- Eliminate any password security guesswork with auto-generated, highly-secure passwords
- Autofill login credentials and web forms with stored and encrypted personal and financial data
Want to vet your current options? CSO offers insight into the top password managers currently on the market.
Require multifactor authentication
Two-factor authentication isn’t a magic bullet, as some seem to believe. One-time codes delivered over insecure channels such as SMS can be intercepted (through SIM swapping, for example) or phished and replayed in real time. That said, whether you require tokens and codes, employ more advanced biometrics and behavior-based authentication, or leverage contextual factors such as GPS location, IP address, and device, every added factor makes it harder for an attacker to turn a stolen password into access.
As you evaluate your options, we encourage you to dig into the NIST Digital Identity Guidelines (SP 800-63, and in particular SP 800-63B on authenticators) so that you can make the informed security decisions that are best for your organization.
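To make the "tokens and codes" option concrete, here is the mechanism behind the six-digit codes an authenticator app produces, with the verifier side that accepts them. This is an added example, not code from the original article or from any particular product; it implements RFC 4226 HOTP and RFC 6238 TOTP using the RFC’s published test secret, and the timestamps in the usage section are constructed. The verifier tolerates one 30-second step of clock skew and refuses to accept a code for a step it has already consumed, which is the standard defense against replaying an intercepted code after the legitimate user has used it.

```python
import hashlib
import hmac
import struct

# RFC 6238's published test secret (ASCII "12345678901234567890"). Real deployments
# provision a random per-user secret once, typically via a QR code, and never reuse it.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then reduce to the requested number of decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the exchange. Accepts the code for the current step or one step on
    either side (clock skew), and remembers the newest step it has accepted so the same
    code cannot be replayed after use."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed (or older than one that was): treat as replay
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    code = totp(RFC6238_SECRET, now)
    server = TotpVerifier(RFC6238_SECRET)
    print("fresh code accepted:", server.verify(code, now + 5))
    print("same code replayed: ", server.verify(code, now + 10))
```

The replay check only helps once the victim has used the code. An attacker who phishes a code and submits it first, within the same 30-second window, still gets in, which is why a TOTP code is a second factor against password theft but not against real-time phishing; that gap is the reason for the phishing training below and for phishing-resistant factors such as hardware authenticators bound to the site’s origin.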
Make phishing training regular and mandatory
While creating more secure passwords is an important step, ensuring your end users don’t get suckered into giving them away is critical.
And, as phishing campaigns grow more sophisticated, telling real login screens and customer service emails from fake ones can be tricky. Just take this recent Netflix phishing email and Apple login vulnerability, for example.
Deny cybercriminals their payday
No matter who you are, you’re under fire. Hackers simply don’t know an organization too big to crack or too small to warrant their time.
So, employ these password security tips. When you do, you’ll lock up your data house tight.