
The Latest Best Practice Password Policy Recommendations

Written by Mark Terry | Aug 5, 2019 12:00:00 AM

Passwords are supposed to keep us safe. In fact, they’re a high-security risk.

You’d be forgiven for assuming that your junior staff would be the users with the least security awareness. But it’s simply not true. Stats show people who work at high levels use passwords that are too weak or follow poor guidelines. You don’t have to look far for examples...

Take Hillary Clinton’s campaign manager, John Podesta. Depending on who you believe, Podesta’s password for his personal email account was ‘Password’. Other sources cite that he forgot his Apple iCloud password and asked his aide to email it to him.

Once the hacker went in, his passwords were exposed to the world. A series of embarrassing issues ensued for the Clinton campaign. The hackers started telling voters to ‘vote Trump.’ The campaign fell apart, and serious ethical questions arose about Clinton and her campaign.

This shows how important it is to set good passwords, and how exposed you are when you don’t. It isn’t simply about coming up with a tough one; it is also about following the right protocols to retrieve a forgotten password.

You might not be in politics, but your business can’t afford reputational damage, data losses or data breaches that expose your customer data and leave you open to fines ...or worse.

Let’s Take a Look at Recommended Best Practices When Setting a Password

Best Practice Password Policy

According to the National Cyber Security Centre’s guidelines, the following should be built into your policy:

1. Switch on Password Protection

On all your devices, ensure you switch on password protection. This includes implementing screen lock security (patterns, PINs) and biometric security measures (fingerprint and face recognition).

Your policy should ensure that associated passwords to devices follow best practice thinking. Passwords on devices are effectively a master password and as such should be tougher to guess.

Password generators are software and, by their nature, not 100% impregnable; they are an attractive target for hackers. On the other hand, user-generated passwords are often easy to guess if you pick your name, birth date or a family member’s name.

For more detailed guidance on which route to choose, review the National Crime Agency’s (NCA) guidance before making any major policy changes.

Encryption

Static IT equipment, such as PCs and laptops, often has its own encryption. However, ensure you implement best practices to switch on and configure the encryption. Use a Trusted Platform Module (TPM) and products such as BitLocker for Windows with PIN security to add additional protection to this type of equipment.

If you use macOS systems, use FileVault or similar apps.
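The BitLocker-with-TPM-and-PIN recommendation above is the one item on this page that can be checked directly on a machine. The following is an added example, not code from the CyberOne post: it audits the Windows OS volume with the built-in BitLocker PowerShell module and reports whether protection is on and whether a TPM+PIN key protector (and a backed-up recovery password) is present. It assumes Windows 10/11 with the BitLocker module available and an elevated session; the `Test-OsVolumeBitLocker` function name and the default mount point are the example's own choices.

```powershell
# Added example (not from the original post): report the BitLocker state of the
# OS volume and flag the gaps the post warns about (no protection, no TPM+PIN).
# Assumes Windows 10/11, the BitLocker PowerShell module, and an elevated session.

function Test-OsVolumeBitLocker {
    [CmdletBinding()]
    param(
        # Mount point of the OS volume; $env:SystemDrive is "C:" on a standard install.
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Each entry in KeyProtector carries a KeyProtectorType such as
    # Tpm, TpmPin, RecoveryPassword or ExternalKey.
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus          # e.g. FullyEncrypted / FullyDecrypted
        ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod = $vol.EncryptionMethod
        HasTpmPin        = ($protectorTypes -contains 'TpmPin')
        HasRecoveryPwd   = ($protectorTypes -contains 'RecoveryPassword')
        Protectors       = ($protectorTypes -join ', ')
    }
}

$state = Test-OsVolumeBitLocker
$state | Format-List

if (-not $state.ProtectionOn) {
    Write-Warning "BitLocker protection is off on $($state.MountPoint)."
}
if (-not $state.HasRecoveryPwd) {
    # Always escrow a recovery password before tightening pre-boot authentication,
    # otherwise a forgotten PIN locks the user out of the disk for good.
    Write-Warning "No recovery password protector. Add one first, e.g.:"
    Write-Host    "  Add-BitLockerKeyProtector -MountPoint $($state.MountPoint) -RecoveryPasswordProtector"
}
if (-not $state.HasTpmPin) {
    # Adding a TPM+PIN protector requires the 'Require additional authentication
    # at startup' policy to allow a PIN; the cmdlet fails otherwise.
    Write-Warning "No TPM+PIN protector: the TPM alone unlocks the disk at boot."
    Write-Host    "  Add-BitLockerKeyProtector -MountPoint $($state.MountPoint) -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'Pre-boot PIN')"
}
```

Run it across an estate (for example through your management tooling) and treat any machine reporting `ProtectionOn = False` or `HasTpmPin = False` as an item for the review programme. The script only reads state and prints the corrective commands; it does not change protectors itself, so it is safe to run as an audit step before any policy roll-out.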

2. Two-Factor Authentication

Where possible, implement two-factor authentication (also known as 2FA). This adds an extra security layer with minimal effort and cost. 2FA requires a code from an external device to be entered to gain access to the system.

3. Educate Teams on Choosing a Strong Password

Teams should be well-drilled on what makes a strong password.

This training should be periodically refreshed and supported by clear guidance. The training you provide should be interconnected with your wider security policy.

The access given must be the lowest level the system user requires (the principle of least privilege). Also, users should never need to share their passwords with other users to do their job.

4. Avoid Password Overload

Both the NCSC and the NCA recommend not enforcing regular password changes.

Research shows that passwords must only be changed for suspected or detected security breaches. The NCA believes that regular changes are detrimental to IT security overall.

Top tip:

On the balance of risk, the NCSC recommends using a password manager tool, ensuring the master password is a strong one: ideally a memorable phrase or three random words. Either of these is much easier to remember and far harder to crack than our usual formatting habits.

While you don’t want to force password updates too often, you should make it easy for your teams to reset their passwords if they forget them.

5. Change Default Passwords

Ensure you replace all default device passwords before distributing them among your teams. This is a common error. To go the extra mile, ensure that you have a regular review programme to check for and eliminate default passwords from your organisation.

The Importance of an Ongoing Cyber Security Programme

Regular Penetration Testing, sophisticated social engineering and in-depth user awareness training are crucial to improving your cyber security. Together, they’ll expose any weak links in your security defences, whether they be passwords, unpatched systems, misconfigured hardware or more.

Ensuring the implementation of a strong password policy is one of many stages in your cyber security improvements. You can create actionable steps to make a real difference to your cyber security defences.
