Passwords are an unavoidable part of our daily lives. You need them to access your bank account, log into your email, and access company resources. But there’s a dark side to passwords that you might not be aware of: they are one of the most common security risks for businesses and individuals. I understand that for most of us (including myself) cyber security policies and procedures are not the most exciting part of our job, but without them, you’re note properly conveying your expectations on how employees should handle company resources. You can’t expect an employee to have proper password hygiene without proper training, and this is why your company MUST have a password policy.
Profound changes in the cybersecurity landscape require a password policy.
It’s easy for small businesses to think that they don’t need a password policy, but this is a dangerous assumption. The cybersecurity landscape has changed significantly in recent years and it affects companies of all sizes.
The fact is that hackers are getting smarter, faster and more sophisticated — so much so that cyberattacks are now considered “the norm.” As such, there are new methods for protecting your company against attacks that require you to rethink how you manage passwords and other sensitive information.
Some of these changes include:
- Use multifactor authentication (MFA) whenever possible instead of just a single factor such as a username/password pair or employee ID number/PIN code combination.
- Implement a strong password policy because weak or compromised credentials can open doors for hackers looking to access sensitive data.
- Use a password manager like Keeper or Dashlane. Password managers generate unique passwords every time you create an account for a site/app/etc. This relieves employees from having responsibility for ensuring their passwords remain secure all by themselves.
What your password policy should include
- Create long and complex passwords. A good password is long, at least 10 characters, with a mix of uppercase and lowercase letters, numbers, and symbols.
- Use unique passwords for each account. If you use the same password for multiple accounts you will dramatically increase the risk of getting hacked. Hackers with access to that account can easily get access to all your other accounts where you used that same password too!
- Change your passwords periodically. Make sure you set time restrictions on when passwords expire. This will reduce the amount of time an attacker can use a password that has been compromised without one’s knowledge.
- Don’t write passwords down anywhere; not in a password notebook, not on sticky notes, and especially not on a label stuck to your laptop computer (yes, I’ve actually seen that… recently in fact).
- Passwords should not include your first name, last name, username, or company name. Don’t include things that someone who knows your or your business well can guess. Examples of this are your birthday, name of your pet or kids, favorite band or car, etc. Consider what information is publicly available and on social media.
- Don’t share your passwords with anyone. When it comes to company resources, one of the ways IT departments determine who has done what with a specific file is by reviewing an audit log. You will likely be held responsible if a coworker has deleted or modified an important file with your username.
- Don’t store passwords in browsers such as Chrome, Firefox, or Microsoft Edge.
- Don’t store passwords in a text file or spreadsheet (even a password protected spreadsheet).
It is important for every business to have a password policy. It is a cyber security best practice, and very effective way of protecting your data from hackers. Additionally, most cyber liability insurance carriers are requiring these cyber security policies to be in place. A password policy is just one of several cyber security policies that your organization should have implemented. If you would like some help putting together your company’s cyber security policies, we’re here to help.