Top 5 ways to improve your company’s password security

While the password may seem archaic, it still acts as the first line of defence against hackers. We outline five ways companies can improve their password hygiene to better protect themselves in an increasingly hostile digital world.

  • By Alvaro Hoyos, Chief Information Security Officer, OneLogin | Monday, February 26th, 2018

No matter which sector an organisation operates in, the only certainty in the current business world is that survival – and ultimately success – is determined by immediacy. This is especially true when it comes to cybersecurity.

The humble password has long been the first line of defence against hackers in modern computing, but the increased use of digital technologies – such as the cloud, big data, mobile, Internet of Things and AI – has posed fresh challenges to companies when it comes to security, compliance and data protection.

Despite this progression, the password still has a vital role to play alongside other layers of technology; companies should not underestimate the value of good password hygiene.

With that in mind, here are five preventative steps IT managers can take to improve their company’s password protection hygiene and help protect their industries against those with malicious intent:

Change passwords regularly
Although many businesses require passwords to be a minimum length, mix letter case and use numbers, the majority are failing to enforce any further password complexity requirements on employees.

Our recent research revealed only 37 percent of the 600 UK-based businesses surveyed asked employees to check their passwords against common password lists (an obvious criminal-proofing tactic) and 39 percent didn’t even require employees to use special characters.

The reality is the ‘traditional’ password is dead; it can be compromised far too easily. Many people tend to choose passwords based on how memorable they are, rather than as a measure to deter online intruders, and these same passwords are often shared across numerous accounts.

So, John Doe’s email password may well be the same as his password for, say, his bank account. Even worse, many people follow the same predictable patterns when choosing passwords, with “1234567”, “qwerty” and even “password” reported as being some of the most popular choices.

Hackers know this and run scripts that use these lists – both common password lists and stolen password lists – to automatically try many different username-password combinations on multiple websites. Try enough doors and, eventually, you’ll find one that can be unlocked.

The way to stay ahead of the hackers is to change passwords regularly, so that even if your password has been previously leaked, you’re already using a new one.
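The checks described above (minimum length, letter case, digits, special characters, and screening against a common-password list) as an added example, not code from the article or from OneLogin. The list of common passwords is a constructed sample, and the length thresholds are assumed policy values; a real deployment would load a full breach-derived list from disk.

```python
import re

# Constructed sample of a "common password" list, seeded with the popular
# choices the article mentions. A production list has millions of entries.
COMMON_PASSWORDS = {"password", "1234567", "12345678", "qwerty", "letmein", "football"}

MIN_PASSWORD_LEN = 12    # assumed policy value
MIN_PASSPHRASE_LEN = 20  # assumed: secrets this long skip the character-class rules


def normalise(pw: str) -> str:
    """Fold trivial variants so 'Password1!' still matches 'password' in the list.

    Lower-cases the input and strips any trailing digits/symbols, which is the
    most common way users 'decorate' a dictionary word to satisfy a policy.
    """
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(pw: str) -> list:
    """Return the list of policy violations for pw; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if normalise(pw) in COMMON_PASSWORDS:
        problems.append("matches a common password list")
    if len(pw) < MIN_PASSPHRASE_LEN:
        # Character-class rules only apply to short secrets; a long passphrase
        # such as the article's Champions League question passes on length alone.
        if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
            problems.append("needs both upper- and lower-case letters")
        if not re.search(r"\d", pw):
            problems.append("needs a digit")
        if not re.search(r"[^A-Za-z0-9]", pw):
            problems.append("needs a special character")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Password1!", "will Manchester United win the Champions League in 2018?"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```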

Use passphrases over passwords
To avoid playing into the hands of hackers, and to tackle poor password hygiene habits, employees should be encouraged to use passphrases, not passwords.

A phrase such as “will Manchester United win the Champions League in 2018?”, besides being a question on the lips of football fans, is easy to remember, meets character criteria (numbers, letter case and special characters) and is hard for a computer to guess in a brute force attack.

Deploy multiple factors of authentication
The use of multi-factor authentication (MFA) – including MFA apps – must also be encouraged. An MFA app generates a one-time password (OTP), also known as a token, that is valid for only 30 seconds. Even if hackers guess a user’s password, they won’t be able to guess a randomly generated OTP before it expires.

MFA apps also have end-to-end, military-grade encryption that remains secure even over untrusted networks – unlike OTPs sent via SMS.

However, MFA apps should only be used on phones that haven’t been jailbroken, since jailbroken phones can contain malware that intercepts OTPs and sends them to hackers, who then use them to log in to apps.

Conduct regular security training
Whether it’s a loss prevention associate or a manager, every employee requires some level of cybersecurity training. These training sessions should be focused on providing workers with information on the risks associated with accessing schedules, training materials and other data on personal and company devices, so they can be aware of current threats. It is critical for this training to provide clear links between how these issues impact their work day and personal lives.

Despite the dangers posed by a lack of security training, our recent study revealed almost a third of UK businesses do not invest in security education for their employees. Given the gravity of training employees on the risks of cybersecurity, it is clear IT managers are struggling to protect their organisations from the threat of intruders.

Implement single sign-on
Implementing systems that offer single sign-on (SSO) functions is another sure-fire way of improving a company’s password hygiene. SSO is an authentication process that enables employees to access their applications using just one set of login credentials.

While this service provides convenience for its users, it can also help ensure the right employees are accessing the appropriate documents. This is possible as IT managers have control over application provision and can authorise access for the appropriate individual on the appropriate applications depending on the needs of their job role – protecting sensitive data from getting into the wrong hands.