Password security is a much more personal theme to discuss within cybersecurity. Your business can pay for firewalls, install top antivirus software and use the latest endpoint monitoring, but in truth it will all go to waste if one member of your team lacks a “Secure Password Culture”. We have chosen the term SPC because if you can change the internal culture of your staff around password security, that first line of cyber defense will become ever safer.
There are thousands of articles around password security available online. We are pooling some of the more practical ideas and adding our experience in cybersecurity as a Managed Security Service Provider, and we hope to offer some key points that will help promote that Secure Password Culture throughout your business. Some shocking facts about passwords, some do’s and don’ts, and some practical password choice tips and suggestions are all included in this week’s blog. One great article that I would like to reference is by Lily Teplow, Public Relations and Media Specialist at Continuum, where she says: “Passwords are the first line of defense against malicious activities in the digital space.”
The fact that even the simplest of online accounts now insist that your password meets their required security level indicates that password security is finally being recognised as the front line of cyber protection. The main problem that we hear from clients involves comments describing “terrible” difficulties in password management (I use the term “terrible” in a slightly sarcastic way here). Some of these difficulties are described as follows: “I already have 4 other passwords to remember”, “Why can’t I use the same password for all of my accounts”, “how is that possible, only my staff know that password” and the classic “you are our IT provider, you should have a list of our passwords”. All of these demonstrate a need for certain adjustments in our way of thinking when it comes to passwords.
First of all, as a business owner you should compare the hundreds of hours that could be stolen from your company in the event of a data breach, with the couple of hours that it takes to create a safe password policy for your staff. In actual fact, there are very few elements involved in creating that password policy. It could easily be built around a set of simple questions:
Many of our suggestions will be easier to implement in small and medium sized businesses, but the same principles apply to a team of 3 or 100 members. Much of your important company data will be stored in accounts that offer shared access to multiple users, but over time the password policy may have lost some coverage, and that now needs addressing. Individual accounts within a business are not the same as personal accounts that employees use for all of their personal data and cyber activity. We are not discussing the incorrect usage of personal accounts for company data today, but needless to say many GDPR breaches are related to this bad habit. Our focus is on that secure password culture for all business account passwords, whether they are shared or individual. Your first real step in the right direction will annoy a number of people, but it is necessary to progress with your password initiative. As company admin, you must compile an exact list of who has access to passwords for all the different business accounts, why they have them and whether they really need them. You will be surprised just how many extra people have the “keys to your business”. Once you have this knowledge up to date you can start to construct and implement your password improvement plan.
We cannot offer concrete rules about how to construct the perfect password, but we can consider some great tips on best practices for your business security. On the point of password strength, obviously a combination of 20 characters that mixes capital and lowercase letters, numbers and symbols would be fantastic, but at the same time almost impossible for a user to remember, thus forcing them to write it down, and the whole original purpose is then lost. You can ask a number of trustworthy websites online just how solid your password is; other sites can help you create a formula for safe passwords. It cannot be an exact science, as cybercrime is also evolving, but it is wise to check your passwords. Here are a couple of examples to help you think about your own Secure Password Culture (I put these in online to check): princess and football were in the top 20 of 2018’s most used “rubbish” passwords in the UK and both would take 0.4 seconds to crack, whereas qwerty and 123123 are slightly less rubbish at 1.1 seconds. At the other extreme, when you start to combine elements your security vastly improves: 1966@Bobby@Moore is at 586 Trillion years to crack, and even My#Toast#Marmalade55 is sitting at 1 Trillion years, both very solid and not too complicated for the end user. At the end of the day, the system and design of the password structure is your choice, so let’s talk about how to achieve the required levels of security.
Again there are many practical suggestions available around choice of password structure and rather than suggest the “best” option it is good to consider the most practical for your team. The worst option is clear, everyone does their own thing, using single passwords across multiple accounts, mixing business and personal and never updating passwords over time. That is easy to achieve, and is the standard password model for millions of small businesses across the globe. Not for you and your business though.
There are schemes that choose 2 or 3 completely random words: easy to remember but in no way related to you personally. Not your kids’, pets’ or town’s names. No numbers related to your personal information: date of birth, wedding dates or special years. Those 2 or 3 random words are then connected by random symbols or numbers. Sounds complicated? Not really. For example: grave, pancake, indigo then becomes Indigo#Pancake#Grave7724 (don’t use any of these as this is public); you have taken 3 random words and created a 24 character unbreakable password, which you could easily remember after 5 or 6 uses. Another popular method is the simple phrase password: Open Custard Creams (the action of splitting a biscuit, very popular in the UK); if you add numbers and capitals to the phrase you will also have a very safe, original password: 9opeNcustarDcreamS. You might choose to discuss your company password policy with your key team leaders, and then share the good news with the entire team. Many clients have chosen our centralised password management software, included in our monthly support packages.
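To make the random-word scheme concrete, here is an added example (not code from the article or the company behind it) that builds passwords of the Indigo#Pancake#Grave7724 shape from a cryptographic random source and estimates how much randomness the scheme actually contains. The small word list, the symbol set and the guess rate are assumptions for illustration only.

```python
import math
import secrets

# Constructed word list for this demo only. A real deployment needs a
# large published list (the EFF long word list has 7776 entries), because
# the strength comes from the size of the list, not from the scheme itself.
WORDS = ["grave", "pancake", "indigo", "harbour", "lantern", "meadow",
         "saddle", "copper", "violin", "thistle", "beacon", "marble"]
SYMBOLS = "#@!$%&*-"          # assumed separator alphabet
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(words=WORDS, n_words=3, symbols=SYMBOLS,
                        n_digits=4, rng=secrets):
    """Build a password in the Indigo#Pancake#Grave7724 style: n_words
    capitalised words joined by one symbol, then n_digits random digits.
    rng defaults to the CSPRNG in `secrets`; words may repeat, which keeps
    the entropy formula below exact."""
    chosen = [rng.choice(words).capitalize() for _ in range(n_words)]
    sep = rng.choice(symbols)            # one separator for the whole password
    digits = "".join(rng.choice("0123456789") for _ in range(n_digits))
    return sep.join(chosen) + digits


def entropy_bits(wordlist_size, n_words=3, n_symbols=len(SYMBOLS), n_digits=4):
    """Bits of entropy of the scheme, assuming every pick is uniform."""
    return (n_words * math.log2(wordlist_size)
            + math.log2(n_symbols)
            + n_digits * math.log2(10))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every password of the scheme at an assumed
    guess rate. This models an offline attacker who knows the scheme; online
    guessing against a lockout policy is many orders of magnitude slower."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def matches_scheme(pw, symbols=SYMBOLS, n_words=3, n_digits=4):
    """Validate that a password has the expected shape: Title-case words,
    one consistent separator symbol, and a trailing block of digits."""
    body, digits = pw[:-n_digits], pw[-n_digits:]
    if not (len(digits) == n_digits and digits.isdigit()):
        return False
    seps = [c for c in body if c in symbols]
    if len(seps) != n_words - 1 or len(set(seps)) != 1:
        return False
    parts = body.split(seps[0])
    return all(p.isalpha() and p.istitle() for p in parts)
```

Note that the "trillion years" figures from online checkers assume the attacker brute-forces every character; with a known scheme the only randomness is in the choices, so entropy_bits gives a more honest lower bound, and it rises quickly with the size of the word list.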
Most online application management systems, and in-house systems at admin level now offer and even suggest password policies. These include some points that we have just mentioned such as password length and configuration, password strength monitoring and even stolen password alert systems. They can also enforce device lock-down after 3, 4 or 5 wrong password attempts, securing the device or the account being logged into. One important feature that is now available involves two related aspects of password management.
Firstly, you can avoid constant automatic logins, where day after day your users log in to their desktop or laptop and are automatically logged in to everything via their web browser. Yes, this is handy for the user, but it quickly becomes a cyber security risk. Most admin panels will now allow you to set a time limit after which the user will be forced to log in with their password. Again, as an MSSP we have many clients call the helpdesk and say: “I just don’t understand, I never have to login to Outlook, and today it is asking me for my password!” That is a fine example of security awareness and the benefits of Secure Password Culture: each team member will have to move with the company policy.
The other key question is about actually changing or updating passwords. Let’s be quite transparent about this point. If your password has been hacked, shared, lost or gifted, call it what you want, the new owner of your password now has the keys to your digital home! What would you do if your house keys were blatantly stolen? A. Do nothing and believe that you are safe. B. Wait and see if anything bad happens to your home. C. Change all your locks to protect your family, and maybe even increase your home security. If you answered A or B, this link will take you back to the start of the article! Answer C is the only safe option. So if you are aware of a password breach, or even have a doubt about the safety of a certain business password, the very first action is to change that password, immediately.
Other than serious password breach situations, companies are starting to request password changes every few months, for the simple reason that company passwords may well have been stolen without you knowing. If they are up for auction on the Dark Web they will not necessarily be used immediately. They may sit out there for weeks until the right cyber criminal wants data from your business. So if you have a quarterly password update policy you add an extra layer of security to your front line. There is a caveat to that practice: if “Brian in accounts” is going to change from Brian1 to Brian2 and then go all out to BRIANTHREE, then all that we have discussed previously has already been ignored and password updates will be a waste of time.
We have now discussed 4 sets of key questions around SPC, and that secure culture is something that needs the right processes to permeate every corner of your business. It is also good to understand just a little about how password hackers think or operate, and maybe understand why the measures that we have mentioned are so effective. Here are just 3 common methods to ponder over:
We have mentioned this before in previous Cybersecurity 101 blogs, but it is so important that we keep it in mind. Cybercriminals do not care who you are, what you do or what your business is. Their major business is getting hold of your personal and business data. Your business data also includes every digital detail that your company holds about all of your prospects, clients, suppliers and even employees. What would happen to your business if, through the fault of one weak, old, shared and now breached password, all of that data became public?
Please do have a look at our website yourcloudworks.com or give us a call if you would like to discuss cybersecurity or Business IT Security and Support. If you have found this article beneficial, please feel free to share it with a friend or your team members. Don’t miss out on your FREE Dark Web Business Identity Scan below.
Now you can request your FREE Dark Web Business Identity Scan. This scan will help you to answer some of the cybersecurity questions raised in this article. Find out if your company has already suffered data breaches and whether your credentials are available on the Dark Web.