By: William Orellana, Director of Support Services at MXOtech
Your organization can take every precaution to prevent against a cyberattack — firewalls, anti-virus, anti-malware, spam filter, etc. But your biggest liability isn’t lurking in the cyber shadows: they’re sitting in your office. And failing to enforce employee password policy requirements could put your Chicago company at risk.
The simplest way to close your security gaps
Employee negligence is responsible for 30 percent of security incidents — any event that compromises the confidentiality, integrity or availability of an information asset — according to Verizon's 2015 Data Breach Investigations Report.
Documenting and enforcing strong password policy requirements is an easy way to remedy security vulnerabilities and prevent unauthorized access to your company data.
How to enforce password policies for your Chicago business
You’ve created a password policy for your staff. But defining password rules and best practices is only the first step. If you’re not enforcing these policies, your team could still be reverting to outdated password rules.
Luckily, you don’t need to spend hours educating your team on password best practices to gain peace of mind with passwords. You can enforce technical password requirements using the server sitting in your local Chicago office or the cloud.
Your IT team can set up password polices that force staff members to update their passwords per industry best practices. This is a simple change that, with some simple planning, won’t cause any downtime.
6 technical password policy requirements
To protect your company data, your technical password policy should include the following:
1. Rethink password expiration policies
Studies have shown that demanding employees to change passwords often could actually do more harm than good. When forced to update passwords regularly, people tend to choose weaker, more predictable passwords that hackers can easily crack.
There are plenty of cases where passwords should be updated. For instance, if passwords may have been compromised, require your employees to update them.
2. Protect against hashing and duplicate passwords
Make sure team members cannot repeat previously used passwords. This includes password hashing — where letters in previous passwords are replaced with symbols and numbers. Algorithms can now guess hashing patterns with impressive accuracy.
3. Don’t allow passwords containing usernames
Including your name in your password is weak and predictable. Make sure to set up rules that disallow this practice.
4. Enforce length rules
Passwords should be at least 8 characters in length. Offer employees helpful tips for creating even more secure passwords, like using phrases or sentences.
5. Require password complexity
Strong passwords include an upper case letter, a lower case letter, a number and special character. Make these prerequisites for all employee passwords.
6. Use password phrases
Choosing phrases for your password that have a personal connection to your life, instead of words, are more difficult for someone to hack.
Use phrases like “I love the cubs” but make it unique by altering some of the letters to be numbers or symbols to get Il0ve the Cub$2017! A phrase about a sports team you like is easy to remember and creates the required complexity.
Still think you might have a hard time remembering your passwords?
Try a tool
Utilizing a password management tool makes it easy for you to remember your complex passwords. If you are going to utilize a one, here’s what I urge you to keep these points in mind:
- Find a tool with great reviews and one that’s recommended by industry experts. For personal use, MXOtech recommends using 1Password. This is a subscription based service that most of our engineers use.
- Free doesn’t always mean it’s good.
- Make sure the service utilizes some form of two factor authentication (also known as 2FA or multi factor authentication) or a secondary encryption password.
How does two factor authentication work?
Not only does it require a username and password, but multi factor authentication also requires a piece of information that only the user knows. For example, the user will input his or her username and password and then be prompted to enter his or her phone number. The system will then send a unique one-time-only code to the user’s phone and ask the user to input that code into the system before the login is granted. This means that a hacker would need the credentials for the account AND the user’s cell phone.
What about security questions?
Security questions are often asked when creating web based accounts. At MXOtech, we recommend you avoid using common questions and answers. Don’t use a question that is easy to find by the means of social engineering. For example, people who have grown up in Chicago would most likely answer the question “Where was your mother born?” with Chicago. However, that’s a very easy answer to guess. So, either choose a question you can give a more unique answer to, or lie. Lying on the answers is the safest bet, just make sure you keep your answers handy.
Don’t leave your digital security to chance
Cybercrime is on the rise — and growing fast. In 2016 alone, 1,093 data breaches were reported, exposing nearly 36.6 million records, Statista found. That’s up 600% since 2005.
At MXOtech, we’ve spent 12 years providing IT security services to businesses throughout Chicagoland. We’ve found that decision-makers often fear disrupting normal employee workflow. So they fail to enforce policy changes — or create any at all.
But once they put these password requirements in place, password best practices become a normal part of their workflow.
Passwords are the gateway to your critical company data. With breaches happening more frequently than ever, you can’t afford to allow weak passwords to compromise your data. Security needs to become an integral part of your employee culture to have the best shot at thwarting an attack.
I hope you found these password policy requirements helpful in securing your Chicago business. But if you have more questions about password policies, or need help training your employees on security best practices, please contact MXOtech today. Let’s have a conversation about how our Chicago IT security services can safeguard your business!
Call us to get started: 312.554.5699