Your employees most certainly juggle dozens of accounts on a daily basis, be it e-mails, social media or mobile apps. They all require registration, and the only security measure used is password protection. While passwords are here for our safety, using them is sometimes akin to finding the right key in your pocket to unlock your door: it takes a lot of fumbling until you find the right one.
That’s why, in our laziness and lack of foresight, we often take shortcuts. We choose bad passwords and don’t care much about safety – that is, until our business e-mail account gets compromised. By then it’s too late, and after you restore your data it’s all too easy to fall back into old habits.
We want to show you that good password security need not be tedious or difficult, while at the same time still giving users a great deal of account safety. Here are some simple steps you can take to educate your employees and help prevent costly mishaps.
1. Use passphrases
Passwords like P@$$w0rdS can be extremely difficult to remember. The attempt to mix uppercase and lowercase characters, numbers and symbols is theoretically sound: there are more characters to guess from and the password is harder to crack. But long strings of nonsensical characters don’t play well with our memory, especially if there are a couple of them to remember.
That’s why it’s a clever idea to string a number of words together to form a passphrase. Passphrases are relatively safe due to their large number of characters, even if you use lowercase letters only. However, don’t use common and oft-repeated phrases, including those from literature. Give your staff some food for thought: encourage them to think of unique phrases that relate to their life situation, but which don’t follow normal sentence syntax. For example, ‘moustache bear wrestling Canada’ is a unique and easy-to-remember phrase for a certain moustachioed Pete from IT who has been to Canada and wrestled a bear.
If that’s not your cup of tea, encourage your staff to think of something else that they’ll find easy to remember but which contains 30+ characters. If you want them to use ‘regular’ passwords with mixed character types instead, make sure they are 10+ characters long.
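To make the two length rules above concrete, here is an added example (not from the article) that checks a candidate against them and compares the search space an attacker faces for brute force versus a dictionary attack on a lowercase passphrase. The blocklist, the 10,000-word vocabulary and the ‘at least three character classes’ rule for regular passwords are assumptions made for the example.

```python
import math
import string

# Constructed sample blocklist; a real deployment would load a far larger
# list of common phrases and leaked passwords.
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "correct horse battery staple",
}

# Alphabet size contributed by each character class when it is present.
CLASS_SIZES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
)

def character_classes(pw: str) -> int:
    """Number of the four classes (lower, upper, digit, symbol) present in pw."""
    return sum(1 for test, _ in CLASS_SIZES if any(test(c) for c in pw))

def brute_force_bits(pw: str) -> float:
    """Search space in bits if an attacker guesses character by character,
    knowing only the length and which classes are used."""
    alphabet = sum(size for test, size in CLASS_SIZES if any(test(c) for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def dictionary_bits(pw: str, vocab_size: int = 10_000) -> float:
    """Search space in bits if an attacker knows pw is made of words from a
    vocab_size-word list: the realistic cost of a lowercase-only passphrase."""
    return len(pw.split()) * math.log2(vocab_size)

def check_policy(pw: str) -> tuple[bool, str]:
    """Article rules: 30+ characters for a passphrase, or 10+ characters using
    at least three classes (assumption) for a regular password. Oft-repeated
    phrases are rejected regardless of length."""
    normalized = " ".join(pw.lower().split())
    if normalized in COMMON_PHRASES:
        return False, "common phrase"
    if len(pw) >= 30:
        return True, "passphrase"
    if len(pw) >= 10 and character_classes(pw) >= 3:
        return True, "complex password"
    return False, "too short for its character mix"

if __name__ == "__main__":
    for candidate in ("P@$$w0rdS", "moustache bear wrestling Canada",
                      "May the force be with you"):
        ok, why = check_policy(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} ({why}), brute force "
              f"{brute_force_bits(candidate):.0f} bits, dictionary "
              f"{dictionary_bits(candidate):.0f} bits")
```

Note how the four-word passphrase scores far higher against brute force than the nine-character leetspeak password, yet only slightly higher against an attacker who knows it is built from common words, which is why the words themselves must not be a well-known phrase.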
2. Security questions
Security questions often ask for information of a seemingly personal nature, but you’d be surprised how much of it can be found simply by Googling. Your wife’s name? Easy as pie. The name of your high school? It’s a few clicks away. You don’t want these questions to protect your or your employees’ accounts, do you?
That’s why you should audit all tools and apps that your company uses and make sure they don’t ask such trivial questions of your employees. Avoid all security questions the answer to which could be considered common knowledge.
3. Public Wi-Fi? It can wait
Public wireless networks are not secure enough for data processing. Traffic can be snooped, tracked and intercepted. Even though it’s true that communication with servers when logging in should be encrypted, it may not be the case for all services and your password could be sent in an easily recoverable form.
If it isn’t that urgent, it’s best to cut your staff some slack and let them do the work from home or the office, especially if they’re handling sensitive data. Likewise, educate your employees that working from a café is not appropriate if they’re processing sensitive company or personal data. Besides, that could constitute a breach of the GDPR in and of itself.
4. Use different passwords
Using the same password for all accounts is just asking for trouble. If one of your employee’s (private) accounts gets compromised, this puts all of them at risk – even their business logins. Hackers know that, and will often try to log in and gain access to their other accounts as well, particularly if the same e-mail address was used in the registration process.
There are no easy ways to prevent that – except perhaps by mandating passwords longer than the usual 8-10 characters that most use.
5. Change passwords
It’s good practice to periodically change passwords, and in fact you could require regular password ‘refreshes’ every few months. We recommend changing them, but not too often. It can be tedious, but it’s a fantastic way of ensuring that accounts don’t get ‘hacked’ even if the password gets exposed accidentally.
Resetting a password is very easy and shouldn’t take more than a few minutes. However, you should gauge how likely the employees are to remember the new passwords. If it results in them writing their passwords on post-it notes or keeping them in a text file on their desktop, you’ll actually make the problem worse. That’s counterproductive, unless they store them in a safe place away from the computer (which they usually don’t).
Because it’s difficult to remember new passwords all the time, we recommend password managers.
6. Password managers
These tools help users generate safe passwords and store them safely by encrypting them with a single, master password – the only one they’ll have to remember. This lets users avoid the pitfall of using the same password for all services.
Instead of living on post-it notes around their desks (which is a horrible thing to do), the stored passwords sit in the manager’s encrypted vault, so they remain safe even if someone steals a phone or laptop containing this data.
LastPass and TrueKey are examples of well-built password managers that you can give a try and perhaps turn into company policy.
7. Security software
This piece of advice is as old as the hills, but it’s still relevant in the age of always-on, cloud-enhanced PCs and phones.
A basic firewall and antivirus software are a necessity these days. Various keyloggers, although declining in prevalence, can still be employed to relay all keystrokes to a malicious attacker. Most antivirus and antispyware programs will swiftly deal with the issue. Which product you pick matters less: even the basic bundled Microsoft antivirus will do, but make sure the IT department keeps it updated and educate employees so that they don’t install shady apps or visit insecure websites.
Caring for your employees’ online security may seem like a patronising task, but that couldn’t be farther from the truth. Most of these measures are simple, user-friendly and nonintrusive. They only require minimal effort and time investment on everyone’s part – even though you’ll certainly encounter resistance when rolling out these changes. Don’t give up! Don’t let your company’s data get compromised out of ignorance and laziness! It’s fine to learn from our own mistakes, but it’s even better to learn from the mistakes of others and prevent the embarrassing and profound consequences of having your data leaked or stolen.