Every time another bad news story breaks about a large brand’s network being attacked, passwords hacked, or customer data exposed, I get questions from friends and acquaintances who know that I know a thing or two about IT security. If you are in an IT, security, or compliance role in your organization, you probably get the same questions from co-workers. The slew of recent bad IT news, from Target’s breach to the Heartbleed and IE bugs and now eBay’s data breach, has everyone’s attention.
If your company’s employees are feeling a bit exposed by data breaches in the news, like hackers can see right through them, they may be right. But you can use the questions raised by all the buzz to your advantage. This is the perfect time to boost awareness and conduct training around password, IT, and even physical security within your company.
What should you tell employees about password security?
Do not reuse passwords
In the statement released by eBay, the company urged users to use unique passwords on all their accounts.
“In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”
Of course that makes sense. But, admittedly, it is not easy to do. Nevertheless, the routine news of major data breaches needs to get consumers’ attention. How many users on your network use the same password they used on eBay, Facebook, or e-commerce sites that may or may not have tight security or encryption in place? How would you know? Use the eBay example to explain to them why this is dangerous.
Make passwords strong
A recent study of medical devices at several facilities within one health organization in the Midwest revealed weak passwords widely used throughout the organization to access systems that were linked directly to equipment necessary for patients’ treatment and safety. The study revealed passwords like “password” and “1234” were used all too often.
Do not just tell people to make strong passwords – tell them what that means and why it is important. Your organization should decide what is a sufficiently complex password for your systems – how many characters, and which types of characters (letters, numbers, or symbols), should be used. Most of your employees are probably unaware of the powerful tools hackers now have at their disposal to crack stolen password hashes and gain access by brute-force guessing users’ passwords. There is no reason to make it easy for them.
Beware of phishing attempts and report anything suspicious
CNN reported that “To hack into the eBay database, the cyber attackers managed to get their hands on ‘a small number’ of eBay employee log-in credentials, the company said. They then used that to worm their way into eBay’s corporate network.”
eBay has not confirmed how the hackers gained access to log-in information for a few employees. But you can use this example to illustrate that cyber criminals do not necessarily need to execute a sophisticated attack on the network. Often, a simple attack targeting a single employee will give them all the access they need.
With the extensive personal information that may have been compromised in the eBay breach, everyone should be aware that they could be more vulnerable to phishing attacks and socially engineered strategies to entice them to reveal more critical information. This is a danger for users both at home and for their professional online and network security.
What can you do to reinforce password security?
Train and retrain
As a major part of your regular security training and communications with your company’s employees, explain why password security is so critical to the security of the network, the customers and/or patients, and to every employee. Explain how hackers can run entire dictionaries through powerful computers to crack weak passwords, and how employees must make strong passwords to thwart such attempts.
This training must be routine and must be updated regularly for all employees. It is also critical that your communication with employees about password and IT security be frequent.
Give Employees the Tools to be Secure Online
Even security minded employees struggle to come up with unique passwords for all their online accounts. It’s not easy! As part of your password security training, give employees tools that will help them put better security into practice in their professional as well as personal online activity. Explain to them the benefits of password management tools, two-factor authentication, and password best practices.
- Password management tools like Roboform and Lastpass
- Using two-factor authentication whenever possible.
Through PayPal’s Mobile Security Key, two-factor authentication is available for free to eBay users. Two-factor authentication is simply a second line of defense that is becoming more common and is available on most popular sites.
Password best practices:
- Using mixed types of characters
- Using a secure password generator
- Using a long, complex “passphrase”
- Never using the same password twice.
Create Policies that Require Good Password Practices
Ultimately, there is too much at stake to rely solely on the good intentions and ongoing vigilance of your employees. Reinforce the training and encouragement you have supplied with policies and procedures that are appropriate for your environment and that require strong password creation and management from all employees.
Your policy, like this example from the SANS Institute, can:
- Specify parameters for passwords used within the system (length, complexity, management, etc.)
- Specify when and where employees may access the network (address remote/BYOD access).
- Notify employees that test hacking will be conducted randomly and that they will be required to change any password you are able to hack.
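Policy parameters like length and complexity are only useful if something enforces them. The following is an added example, not code from the original post or from SANS or NIST, of a small password-policy checker in the spirit of the advice above: it enforces a minimum length, a mix of character classes (with a long passphrase allowed to pass with fewer classes), a blocklist of common choices such as “password” and “1234”, and a salted-hash history that rejects reuse of a recent password. All numeric limits, the blocklist, and the function names are constructed assumptions for illustration; an organization sets its own values.

```python
import hashlib
import hmac
import os
import re
import secrets
import string

# Constructed policy values (hypothetical); choose your own for your environment.
MIN_LENGTH = 12          # minimum characters for an ordinary password
PASSPHRASE_LENGTH = 20   # a passphrase this long may pass with fewer character classes
MIN_CLASSES = 3          # required character classes for passwords below PASSPHRASE_LENGTH
HISTORY_SIZE = 5         # number of previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000

# Constructed blocklist; the post cites "password" and "1234" as real-world examples.
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein", "welcome"}

CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    return {name for name, pattern in CLASS_PATTERNS.items() if pattern.search(password)}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for the reuse history; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def previously_used(password, history):
    """True if the password matches any (salt, digest) pair in the history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def remember_password(history, password):
    """Append the new password's hash and keep only the last HISTORY_SIZE entries."""
    history.append(hash_password(password))
    del history[:-HISTORY_SIZE]
    return history


def check_password(password, history=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    classes = character_classes(password)
    if len(password) < PASSPHRASE_LENGTH and len(classes) < MIN_CLASSES:
        problems.append(
            f"uses {len(classes)} character classes; {MIN_CLASSES} required "
            f"below {PASSPHRASE_LENGTH} characters"
        )
    if previously_used(password, history):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


def generate_password(length=16):
    """Simple secure generator: random characters from the secrets module until the policy passes."""
    length = max(length, MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    history = []
    for pw in ["password", "1234", "correct horse battery staple", "Tr0ub4dor&3x!"]:
        print(repr(pw), "->", check_password(pw, history) or "OK")
    remember_password(history, "Tr0ub4dor&3x!")
    print("reuse ->", check_password("Tr0ub4dor&3x!", history))
    print("generated ->", generate_password())
```

The reuse check stores only salted PBKDF2 hashes of old passwords, so the history itself is not a plaintext list worth stealing, and the comparison uses `hmac.compare_digest` to avoid leaking information through timing. Raising `PBKDF2_ITERATIONS` makes each check slower but also makes an attacker's offline guessing against a stolen history correspondingly slower.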
For more information and guidance in developing your company’s password policy, review this Guide to Enterprise Password Management from the National Institute of Standards and Technology (NIST).
Malicious hackers will continue to devise new ways to gain access to your secure systems and sensitive data. Some risk is unavoidable. All the more reason to avoid any risk that is within your power to avoid. Strong password security policies and procedures within your organization will lock out a large portion of your company’s risk, allowing you to focus on other areas of vulnerability.
These tips should help you explain the importance of strong password management to your colleagues and provide a framework for the necessary policies and procedures to prioritize password management within your organization. If you need assistance developing appropriate policies and practices within your organization, please contact us today.