At the heart of any effective cybersecurity posture lies well-developed security policies and plans. You need these documents to demonstrate to stakeholders and employees how your company protects itself and its information technology assets. Safeguarding your most precious information assets is not just a job for hardware and software. It's also the responsibility of staff to be part of the solution. This can be accomplished by setting clear and effective password policies.
It is essential to have comprehensive policies around password management for both network administration and your employees. These policies provide proper guidance on the complexity, frequency, and process needed for adequate protection from hackers in your particular industry. Below are some universal policies that can be applied at any company:
1. Change default passwords on all your network devices.
When bringing new equipment to your organization, such as a new router, ensure that the manufacturer's applied password is changed. It should be something more complex that meets your organization's password policy. Passwords that lack complexity can be looked up very quickly by cybercriminals familiar with the factory-applied defaults.
2. Always use different unique passwords for work accounts and personal accounts.
End users should understand the importance of using password that are unique and complex for their work accounts. Modern hackers are experts in social engineering. If an employee's personal account is compromised, it is not difficult to learn where they work through social media outlets like LinkedIn or Facebook. If the same passwords get used across personal and business platforms, then it is a simple plug & play exercise using hacking software for the criminals to gain access.
3. Ensure passwords are complex and nonsensical.
Password complexity is evolving. It's not as simple as swapping "e" for a "3" or adding a number at the end of a string of letters. These methodologies are now considered common habits. Your best bet is to make your password less predictable and more complicated. Here are a few best practices for password creation:
- Each user should have a unique password with a 12-character minimum. One consideration is switching to pass-phrases. These are more effective than simple passwords. a pass-phrase may use simple words, but they are strung together in a sentence that increases the complexity, length, and user recall. (ToBeOrNotToBe, ThatIsThe?)
- Passwords should contain alpha-numeric, upper- and lower-case characters. This tactic satisfies most password complexity policies. As in the example above, the pass-phrase can be modified to include alpha-numeric, upper and lower case, and special character requirements.
- Arranging passwords in a nonsensical manner makes them more difficult to hack. (your dog, cat, children, and birthdays can be found easily on social media). The pass-phrase above can be modified to put the end of the sentence first and still be remembered easily.
The above password policies will get you started, but one point that should not be overlooked is the idea of 'Password Fatigue'. Nobody wants to remember one more unique and complex password. As a matter of fact, 99% of employees reuse passwords across their business and personal accounts. The good news is that there are solutions available that will allow an employee to seamlessly and securely connect to multiple corporate apps using just one password for all. By enabling solutions such as multi-factor authentication (MFA) along with single sign-on (SSO) you can relieve the burden of password fatigue while increasing cloud security.
If you are looking to develop and maintain a password policy and other critical security policies, we can help. Ask about 'IT-Policies-as-a-Service', which is an annual service that enhances your company's focus and attentiveness on security and continuity needs.
Reach out with any questions by emailing firstname.lastname@example.org or call 888.624.6737 to speak to a Systems Engineering representative. Clients, please reach out to your Account Manager.