Passwords are often referred to as the first line of defence in protecting a wide range of business systems from security breaches. Companies need to have a strong, easily understood password policy in place, so employees understand their personal responsibilities.
In isolation, password barriers are insufficient as a means of keeping your network secure. It may be worth reviewing your infrastructure to consider whether password protection should be bolstered - or replaced - with more suitable measures.
Here’s what to focus on to ensure that employees can play their part in keeping your systems safe…
Provide a clear, usable policy
The policies you have in place should always be informed by the specific requirements of the systems you have in place. They should also be easy to follow from your employees’ perspective.
A typical policy might include the following requirements:
- Password length. A minimum length of between 8 and 10 characters for your network passwords.
- Character types. Stipulate a requirement for a combination of symbols, numbers and letters.
- Uniqueness. If staff are routinely using identical or similar passwords across multiple accounts, it means that a single point of failure could potentially provide a way into multiple systems.
- Updates. You want to avoid the situation where required password changes come so thick and fast that the only way your employees feel able to keep track of them is by writing them down (on a post-it note on their desk, for instance). It’s a matter of striking the right balance between the need to update and change passwords from time to time on the one hand, and not making password renewal unnecessarily burdensome on the other.
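As an added illustration of how the length, character-type and uniqueness rules above can be enforced at the point where an employee sets a new password (this is example code, not part of the original article or any particular product), the checker below applies the 8-character lower bound the article gives, requires letters, numbers and symbols, and rejects a candidate that is identical or merely similar to any password the user supplies alongside it (their current password, for instance). The similarity threshold of 0.8 is an assumed value, as is the use of Python's difflib ratio as the measure of "similar".

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8          # lower bound from the policy in the article
SIMILARITY_LIMIT = 0.8  # assumed threshold: at or above this, two passwords count as "similar"

# Each character type the policy asks for, with a pattern that detects it.
CHARACTER_CLASSES = {
    "letter": re.compile(r"[A-Za-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def similarity(a, b):
    """Case-insensitive similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(candidate, previous_passwords=()):
    """Return a list of policy violations for `candidate`.

    An empty list means the candidate satisfies the policy. `previous_passwords`
    holds plaintext passwords the user has just supplied (e.g. the current one
    during a change); a real system only stores hashes, so this is the only moment
    a similarity check is possible.
    """
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    missing = [name for name, pattern in CHARACTER_CLASSES.items()
               if not pattern.search(candidate)]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))

    for old in previous_passwords:
        if similarity(candidate, old) >= SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, history in [("Summer2024!", []),
                        ("short1!", []),
                        ("password", []),
                        ("Summer2024!", ["summer2023!"])]:
        print(repr(pw), "->", check_password(pw, history) or "ok")
```

The similarity rule is what catches the "increment the year" habit: "Summer2024!" against a previous "summer2023!" scores above the threshold and is rejected, even though it passes the length and character-type rules on its own. The article's point about reuse across multiple accounts cannot be enforced by one system's checker, since it never sees the passwords used elsewhere; that part of the policy relies on training rather than tooling.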
Backing up your policies through training
Part of this training involves explaining to employees not just what they should be doing, but why they should be doing it. For instance, you would explain that, thanks to automated cracking tools, cyber criminals can use brute force to attempt to break into literally thousands of systems in a short space of time. Hence, the length and character make-up of passwords are vital areas to focus on.
Likewise, staff should be given instructions on how to ensure that passwords do not fall into the hands of outsiders through phishing attempts, so password protection training goes hand in hand with guidance on how to spot suspicious emails - and what to do if one arrives.
Combining passwords with additional security measures
An essential extra layer of protection can be added through two-factor authentication (2FA). Here, the user requires not just a password, but also something that only the user has access to - whether it's a physical token or an access code sent to their company mobile via SMS.
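To show what the server side of a "code sent to the user" second factor involves, here is an added example (not code from the original article or from any 2FA product) of issuing and verifying a one-time access code. The delivery channel (SMS gateway, hardware token) is out of scope and assumed; the code lifetime of 300 seconds, the limit of three guesses, and the in-memory store are all assumptions for the example. The properties it demonstrates are the ones that make the factor independent of the password: the code is random rather than derived from anything the user knows, it expires, it is single-use, and a small number of wrong guesses invalidates it.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6       # assumed: six-digit numeric code, as commonly sent by SMS
CODE_LIFETIME = 300   # assumed: seconds a code stays valid
MAX_ATTEMPTS = 3      # assumed: wrong guesses allowed before the code is discarded

# username -> (code, expiry_timestamp, attempts_left). An in-memory dict stands in
# for whatever store a real deployment would use.
_pending = {}


def issue_code(username, now=None):
    """Generate a fresh one-time code for `username` and return it for delivery.

    The returned value would be handed to the SMS gateway or token device;
    it is never derived from the user's password.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    _pending[username] = (code, now + CODE_LIFETIME, MAX_ATTEMPTS)
    return code


def verify_code(username, submitted, now=None):
    """Return True if `submitted` is the live, unexpired code for `username`.

    A correct code is consumed (single use). A wrong code uses up one attempt;
    when no attempts remain, or the code has expired, it is discarded and the
    user must request a new one.
    """
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    code, expiry, attempts_left = entry

    if now > expiry:
        del _pending[username]
        return False

    # Constant-time comparison so response timing does not leak matching digits.
    if hmac.compare_digest(code.encode(), submitted.encode()):
        del _pending[username]          # single use
        return True

    attempts_left -= 1
    if attempts_left <= 0:
        del _pending[username]          # too many guesses: force a fresh code
    else:
        _pending[username] = (code, expiry, attempts_left)
    return False


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    code = issue_code("alice", now=1000)
    print("issued:", code)
    print("wrong guess accepted?", verify_code("alice", "000000" if code != "000000" else "111111", now=1001))
    print("correct code accepted?", verify_code("alice", code, now=1002))
    print("replay accepted?", verify_code("alice", code, now=1003))
```

Two design points matter for the article's argument. The code is checked with hmac.compare_digest rather than == so that the comparison takes the same time whether the first digit matches or not, and the attempt limit means a six-digit code cannot simply be enumerated inside its lifetime. Neither mechanism depends on the password being secret, which is what makes the second factor a genuinely separate layer.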
If secure access is required to multiple systems, it may also be worth implementing a Single Sign-On (SSO) solution. It may sound counter-intuitive to have a single set of credentials for multiple applications and websites - but actually, this type of setup - where credentials are tied to a central authorisation and entitlements profile - can increase security across the organisation. It makes it easier to centrally monitor how, where and when those credentials are used. In the event that credentials are compromised, SSO can deliver an effective 'audit trail', enabling you to track which accounts were subject to a breach attempt, where the breach took place and what was compromised as a result of it.
Above all, it’s important to ensure a joined-up approach when it comes to security across your organisation. Password usage policies, additional tools - along with filtering, encryption and malware detection - are all part of that jigsaw.