The days when shared computers sat in the open office with the username and password written on a notepad attached to the top of the screen are, or at least should be, gone. Insisting on individual and unique passwords in order to use any device capable of accessing your company network is a necessity, but password policies can be overdone, and don’t always take human nature into account.
Regardless of how much innovative technology you have in place to protect your IT infrastructure and network from intrusion, it will, after all, be humans who use the devices needed for daily operations, and it can be maddening for them to face constant and complicated security measures just to log in and do their job. Here, we outline the best practices for a happy medium in password management, to ensure your business stays secure, and your staff stay sane.
The National Cyber Security Centre gives a good outline of the measures you should put in place to encourage password protection and avoid guessed access, and goes into more detail here, but the golden rule really should be to implement access procedures that are complex enough to avoid simple guesswork, and straightforward enough to enable authorised users to log in and get to work with the minimum of fuss. If it all gets too complicated, staff will revert to human nature and find the easiest, and thus least secure, way of getting around gaining access.
Take Responsibility
Even if a soft password does enable unauthorised access to your network based on guesswork, your business shouldn’t point the finger at the staff member responsible. Every business should have a robust cyber security protocol in place to detect and handle any such infiltration, and should provide comprehensive education on the warning signs and dangers of malware or ransomware attacks. It’s the responsibility of the company, and specifically the IT team, to make sure all team members know why password security is important, and what they should do if they think the network has been compromised.
Provide tips on the best way to come up with passwords, and what to avoid – surnames, a number series, the name of the pet they are always talking about, etc. Also request that passwords for personal use are never used for professional purposes, and vice versa, and advise on the best ways staff can secure their own personal or social media accounts.
Change Defaults
If you have recently undertaken an IT infrastructure overhaul that involved upgrading your IT assets, it is important to change all default passwords before staff members use them. If you hire an outsourced IT consulting service to avail of their volume leasing and licensing, they can run device and software checks to discover all default passwords, and advise staff on how to change them easily and with a minimum of fuss.
Reset Passwords When Needed
If your network is compromised, password changes should be an immediate action, and resets should be scheduled in at intervals throughout the year, but if everything is going smoothly, constant resets can actually become counterproductive.
Staff are expected to remember their own passwords, and are often told never to write them down, and never to use the same or a similar one twice, or across more than one device or system. The problem is that this can lead to password overload. In their personal lives, people already have to remember any number of passwords – for personal devices, personal email, banking, social media, etc – and don’t want to have to come up with and remember a number of passwords when they get to the office. They particularly don’t want to have to do this on a monthly, or even weekly, basis, especially if it is not really necessary.
Demanding constant password changes mean staff will more than likely make the simplest and most obvious of changes to their password – a 1 replacing an ‘l’ for example – and this leaves them vulnerable to hacking.
Your IT team can help in this endeavour by providing the means to easily come up with secure passwords, and store them with adequate protection. Password management software enables users to generate, store and even input passwords when required, but this needs to have a very robust cyber security system in place.
Don’t Make Passwords Too Difficult
As well as using password management systems, you should make things easier for staff by allowing them to write down (but disguise) their passwords and keep them in a very secure place. Contrary to popular belief, this is usually effective, and cuts down on the amount of time needed to locate and enter a password to gain access.
Forcing staff to generate complex passwords with rules on length, use of number/letter/symbol combinations, etc, also means they are likely to use guessable variations on previous passwords to save time, leading to vulnerabilities. You can avoid this by focusing on implementing technical controls such as:
- Protective monitoring - to detect and alert the business to malicious or abnormal behaviour, such as automated attempts to guess or brute-force account passwords
- Account lockouts - password systems can be configured so that a user only has a limited number of attempts to enter their password before their account is locked out (but give them more than three attempts), or can ‘throttle’ log-ins by adding a time delay between attempts
- Blacklisting common password choices – making it impossible to use those very first password combinations a hacker might guess at
- Password strength meters - to show how secure a new password is likely to be, but with this you will also need to educate users on what to do to make them stronger.
Too many rules will also make users more likely to use the easiest option available, so don’t place limits on password length if they fit the criteria, and don’t make a vast range of different characters a requirement unless you want your staff spending unnecessary time each day typing each character in turn before they can get to work.
Required passwords is the first line of defence against unauthorised access to the network of your business, but it is not the only one, and your staff will appreciate not having to jump through virtual hoops to gain access to the IT assets they need to do their job. Take a secure, but sensible approach to your password management, and focus on being able to monitor, detect and act upon any out of the ordinary behaviour.
As an IT consulting service in London with expertise in cyber security and GDPR, the team at Optimity can advise you on the best ways to implement a secure but efficient password policy, and can create the cyber security protocols you need to keep your business safe.
Find out what we can do to help by getting in touch, or by booking a security audit, and download your Cyber Security Checklist.
