Efficient password management is a critical component of any cybersecurity program. While companies across the U.S. usually spend thousands of dollars on network protections and security software, they often overlook just how important it is to have a consistent policy on how users create and manage passwords on the corporate network.

This creates an unfortunate security blind spot that can cause businesses serious harm. More than 80% of security breaches in organizations are related to stolen or weak passwords, with the problem of password management worsening as the size of a company increases.

Weak Password Management Exposes Businesses to Ransomware and Data Loss

Setting up efficient IT internal security measures in your company is critical to preventing the exfiltration of important information. But all too often, the simple passwords can undermine those efforts and become the weakness in the armor.

Employee may use the same password across multiple systems, making it easy for one breached system to become a cascading situation. In other situations, an employee uses a weak password that is easily compromised by hacking software, exposing valuable internal information to hackers.

The most common method to compromise your company’s passwords is with what’s known as phishing. In case you slept through your most recent cybersecurity training program, phishing refers to a type of social engineering attack that attempts to gather and steal personal, sensitive information such as credit card numbers, bank account numbers, and other financial data.

The best way to combat a phishing attack (and other forms of compromise) is to have a consistent password policy that you enforce across your systems.

How to Create a Consistent and Effective Password Policy

Adapting a documented password policy in your organization is crucial to maintaining a secure environment. Unfortunately, common employee password practices represent a security threat for organizations.

Here are some key features of a resilient password policy:

Create Stronger Passwords
The first step is to complete strengthen your password policy is to make sure that you’ve eliminated weak passwords from across your network.

Weak passwords are often based on predictable data such as birthdays, surnames, and sequential numbers. Other times, they use the names of popular characters or places that you’ve been to or involve the names of family members or pets. These options can be cracked easily by hacking software.

Strong passwords, on the other hand, contain at a minimum a mix of lower and uppercase characters, numbers, and special characters such as (@, !, $, ?, etc.); they’re also at least 8 characters long.

If you want to build an even stronger password, then there are more advanced techniques that you can try.

For example, taking three or four unrelated words and combining them into an easily remembered phrase is an approach that many cybersecurity professionals have started to recommend in recent years. Another approach to take the first lest of a favorite passage and develop a pneumonic from it, by using the first letter of each word in the phase. Strategically adding special characters and uppercases characters to such a password can make passwords uncrackable.

Want to test your password idea? Try playing with a password strength tester until you find a password that really works.

 

Eliminate Duplicate Passwords
Your password policy must focus on prevent users from using duplicate passcodes on different systems in your environment. Duplicate passwords are a security nightmare because they open the door to several accounts once when a single account has been breached. That security failure can quickly cause devastating damage to an organization, which makes this is key component.

Establish Documented Processes for Lost or Forgotten Passwords
Creating a policy would be to establish a standard for the creation of passwords of increased complexity, and the recovery steps when such passwords are lost or forgotten. Your documented password policy should include the personnel that are responsible for managing the accounts in the company and clear lines of communication for resetting passwords on each system.

Implement Password Managers
Installing a good password manager will allow users to save, generate, and manage their passwords in varied applications and online services. Password managers provide strong data encryption, which works as a strong shield against cybercriminals.

Two-factor Authentication is Central to Effective Password Policy

All organizations should also consider adding multi-factor authentication for their employee sign-ins.

Multi-factor authentication requires users to verify their identity with both a password and a second method  to gain access to a system. Multi-factor authentication can be incredibly effective—as high as 91%—at stopping cybersecurity breaches.

There are a few options when choosing multi-factor or two-factor authentication methods that the IT team can adapt to your organization’s system or network.

Hardware Tokens
Some companies provide their employees with hardware tokens in the form of a physical key fob, which is a small device capable of producing unique codes every few seconds to a minute; they work with batteries and usually, once their internal battery dies, the key fob does as well and will need to be replaced. This is one of the oldest forms of two-factor authentication, as it preferred by financial institutions who need to secure sensitive physical infrastructure.

Push Notifications
Push notifications have become increasingly common in social media platforms, SaaS applications, and mobile apps. These notifications require no second . This type of two-factor authentication sends a signal to a mobile phone to either approve/deny or to accept/decline access to a website or app to verify the user’s identity.

SMS Verification
The most common two-step verification has to be text messaging via SMS, as when a message is sent to a trusted phone number, it can be used as an alternative form of two-factor authentication. The employee is required to either interact with the SMS or to use a one-time code to verify their identity.

Regardless of which method you use, you need to make sure that educate your employees on how to use the 2FA system properly, as a recent hack at Cisco shows that a lack of vigilance from your staff can undermine even the strongest security system.

The Right MSP Helps Solve Your Password Problems

Businesses should provide their team with the tools they need to protect internal data and productivity. Strong passwords and 2FA systems should work along antivirus and anti-malware systems, file backups, and regular cybersecurity awareness training to provide holistic security.

Does that sound difficult to achieve? Businesses in both Columbus, Cincinnati, and Cleveland have relied on the Astute Technology Management team to help them overcome their cybersecurity uncertainty and deploy the protections they need. Reach out to our friendly, responsive team at 614 389 4102 or [email protected]