Most companies have no real password requirement. Everyone has a password, but clear guidance on what needs to be done, and on what is and is not appropriate, is not distributed across the company.
You need to take this seriously; securing your information is important.
“But Marge does not have anything really sensitive on her computer so we just leave her alone.” – Anonymous Owner
There is often a feeling that certain people need less security because their work does not deal with sensitive information. Please understand that leaving one person’s password unsecured is like leaving one door of your palace unlocked. You cannot make this assumption without paying a high penalty.
All passwords need to be secure and kept up to date. Breaches often start with a smaller target that gives access to the real one. We see attacks that go through smaller companies servicing larger organizations precisely because those smaller companies tend to be lacking in basic security.
So what is a secure or strong password?
It may sound cliché, but your password has to be strong or there is no point in having one. There are plenty of articles and viewpoints out there about how complex passwords must be, but you should always have a minimum of at least eight characters. It should not be a dictionary word (in English or any other language). It should include both uppercase and lowercase letters and a special character or two. A passphrase is a great approach as well, as long as it is not a common one.
Passwords like 123123, letmein, birthdays, sports, names, even password1 are no good. It is like having a key with no ridges: anyone with a blank can get in.
NOTE: Stop writing your latest password on sticky notes and “hiding” them under your desk. That is a security 101 no-no. Store it somewhere safe, out of everyone’s hands.
Put your password and creativity to the test – The top passwords for this year:
Apparently lots of people enjoy playing baseball with a dragon and driving a superman mustang. Personally we prefer the bat mobile.
Put your password to the test at this “How Secure Is My Password” website.
Your password policy: Create – Implement – Enforce
Your WRITTEN policy needs to define secure and insecure passwords, sharing rules and the frequency of change, and reiterate why they matter.
Those who complain may not fully understand the impact a breach would have on everyone, not just the company. Explain clearly to your staff why it is a requirement of being employed. Lastly, your employees need to acknowledge that they understand the policy and are responsible for abiding by it. They also need to be held accountable.
The Skeleton of Your Policy Should Include:
- Minimum password length
- Password composition:
  - Character requirements and allowances: capitals, lowercase, numbers and special characters; items such as your own name or the company name are not allowed.
- Password age limitation:
  - The frequency of change required.
- Password storage:
  - Passwords are not to be written down; they must be memorized or kept in a password manager.
- Reuse of passwords:
  - Do not use the same password at work that you use for any other account.
- Sharing and transferring:
  - Passwords are not to be shared without proper authorization.
  - If sharing is permitted, establish what criteria must be met to share.
- Electronic transmission:
  - No transmission over insecure networks or communication channels.
- Requirements for System Administrators:
  - Their permission level and power over other accounts, as well as a clear understanding of how they are held accountable
- Roles, responsibilities, consequences and sanctions
- Policy and forms for any exceptions
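As an added illustration (not code from the post), here is a Python check that applies the skeleton's composition rules as the post states them: the eight-character minimum, the mix of capitals, lowercase, numbers and specials, the "not a dictionary word" and "not your name or the company name" rules, and the bad passwords the post names. The blocklists, the leet-decoding step and the passphrase threshold (four words, twenty characters) are my own assumptions.

```python
import re
from typing import Iterable

# Constructed sample blocklists: the weak passwords the post names plus a few
# stand-ins. A real deployment loads a full breached-password list and a
# multi-language dictionary here instead.
COMMON_PASSWORDS = {"123123", "letmein", "password", "password1", "baseball",
                    "dragon", "superman", "mustang", "correct horse battery staple"}
DICTIONARY_WORDS = {"sunshine", "welcome", "monkey", "football"}

MIN_LENGTH = 8                               # the post's floor: at least eight characters
PASSPHRASE_WORDS, PASSPHRASE_LEN = 4, 20     # assumed threshold for the passphrase allowance
LEET = str.maketrans("@$0314", "asoeia")     # undo common substitutions before matching


def _forms(pw: str) -> set:
    """Lower-cased password plus a leet-decoded copy, so 'P@ssw0rd1' is also
    compared against the blocklist as 'password1'."""
    low = pw.lower()
    return {low, low.translate(LEET)}


def check_password(pw: str, forbidden_terms: Iterable[str] = ()) -> list:
    """Return the policy violations found (an empty list means accepted).
    forbidden_terms carries the user's own name and the company name."""
    problems, forms, words = [], _forms(pw), pw.split()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Known-weak passwords, exact or embedded ("Letmein!" still contains letmein).
    if any(bad in f for bad in COMMON_PASSWORDS for f in forms):
        problems.append("appears on the common-password list")
    # One dictionary word dressed up with digits or punctuation is still a word.
    if len(words) == 1 and {re.sub(r"[^a-z]", "", f) for f in forms} & DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    # Names and the company name (any word of them) are not allowed inside.
    for part in (p for t in forbidden_terms for p in t.lower().split() if len(p) >= 3):
        if any(part in f for f in forms):
            problems.append(f"contains the forbidden term '{part}'")
    # Character mix: capitals, lowercase, numbers and specials, unless the
    # password is a long multi-word passphrase (still blocklist-checked above).
    if not (len(words) >= PASSPHRASE_WORDS and len(pw) >= PASSPHRASE_LEN):
        classes = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
                   "digit": r"\d", "special": r"[^A-Za-z0-9]"}
        missing = [name for name, rx in classes.items() if not re.search(rx, pw)]
        if missing:
            problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Marge2024!", "blue kettle sings at dawn"]:
        print(candidate, "->", check_password(candidate, ["Marge", "Acme Widgets"]) or "accepted")
```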
Now let’s be reasonable: you are not Fort Knox, but perspective still matters. If you have anything of value on those systems that you wouldn’t want distributed to everyone (your employees, competitors, vendors, partners, investors, ex-spouse, etc.), then you need to protect it. Like the lock on the front door of your building, it is there for a reason.
But really, who is out to get me? I am just a small business owner.
Maybe you are the kindest person, with no secrets and willing to give away all your information. Even so, you may not realize that the largest offenders are most often internal or external IT people [who have the largest amount of access to your network]. They have access to your servers, workstations, applications and firewall. Make sure you have a process to verify their compliance as well.
Also, be aware that many times these incidents are simply that: mistakes. If one person unknowingly gives their password to an outsider with malicious intent, your biggest asset, your information, could be swiped from you in minutes.
So be yourself and be trusting on other levels, but don’t be naive with your information.
AVOID REACTION – TAKE ACTION
- Create a written password policy. It should be part of your computer usage policy. Make sure all employees are familiar with it and agree to abide by it.
- Help them understand why it is important. Listen to the groans, appreciate their issues and then insist they do it.
- Help them understand what appropriate and inappropriate passwords are.
- While you are at it, help them understand that their families and personal information need to be safeguarded as well. They need to keep their own interests protected too. Make it a public service announcement for them: identity theft is booming, and keeping yourself safe is very important.
- Make sure your IT support configures your systems so that the policy is enforced. Often they will not like this, because they will have to spend more time “resetting passwords”. That is a small price to pay for security.
- Make sure your IT people are following the same procedure. We have often seen them circumvent it because they have the authority to.
Lastly – Consider using a password manager software like Vault from ZOHO as a solution to your dozens of accounts.