While some companies are pretty strict about their cybersecurity policies, others adopt a more flexible approach. The problem with the former is that being too rigid can actually be counterproductive – it's like trying to control the tide.
You might succeed in keeping a part of the shore dry, but you have to be careful with the rising water that might find its way through. That is also the reason why during October – National Cyber Security Awareness Month (NCSAM) and European Cyber Security Month (ECSM) – we want to contribute to a discussion on a different approach: should business security be simpler?
Over the years, passwords have evolved quite a bit. They grew in length and complexity, but most significantly in number. And employees are often the ones who have suffered as a result of this trend.
They are asked to remember more than a dozen security codes for work accounts, work-related and personal apps, online services, emails, smartphones and other devices. Moreover, the advice that each one should be at least 10 characters long and contain capital letters, numbers and symbols adds to the difficulty of managing and recalling them.
What some employees do instead is reuse a single strong password for all their services and devices, or keep multiple easy-to-remember ones. Both of these strategies present a risk, one that could lead to a damaging security breach, for both your organization and your clients.
So what can businesses do to break the vicious password cycle?
There are several things to keep in mind. Guidance from CESG, the UK National Technical Authority for Information Assurance, suggests that companies adopt a simpler approach, starting by cutting the number of passwords.
If an app, service or device isn't essential for the business, a good rule of thumb is to require only a simple passcode or to use other, less demanding security measures. The other way to address the password overflow is to pre-install a password manager from a respected vendor on employee devices.
CESG also recommends less frequent password changes. If you push people to modify their security codes too often, they end up making only minor changes or, even worse, "storing" the codes on post-it notes on their desk.
Finding the right balance when setting the period for password renewal might be tricky. Extending it might be a more effective approach, but companies should also keep in mind that the longer a passcode is used, the less secure it becomes.
It is also advisable to support the use of strong passwords with strength meters and blacklists of the most common choices. That way your people know in an instant whether their pick is secure enough.
But no matter how strong the passwords are, your company might still be vulnerable to brute-force attacks (automated guessing of large numbers of passwords). By applying account throttling (increasing the wait before another login attempt is accepted) and account lockouts (locking the account after approximately 10 unsuccessful logins) you reduce the risk without overloading your people.
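The two previous paragraphs describe what a strength meter and a common-password blacklist should do, but not how the check behaves on real input. The following is an added example, not code from the original post or from CESG: a small policy checker that enforces the 10-character minimum mentioned above, rejects the most common passwords and their predictable "P@ssw0rd2019!" style variants, and reports a rough entropy estimate for the meter. The blacklist here is a constructed ten-entry sample; a real deployment would load a list of the most commonly leaked passwords from a file.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed sample blacklist. A real deployment loads the most common
# leaked passwords (tens of thousands of entries) from a file instead.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "monkey", "dragon", "football",
}

MIN_LENGTH = 10  # the minimum length the article refers to

# Decorations people use to push a banned word past a naive filter.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "!": "i"})


def normalize(password: str) -> str:
    """Reduce "P@ssw0rd2019!" to "password" so the blacklist also catches the
    predictable variants of a banned base word."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # strip digits/symbols at the ends
    return base.translate(LEET)


def entropy_bits(password: str) -> float:
    """Crude strength-meter estimate: length times log2 of the character pool
    actually used. It is an upper bound (dictionary words score far too high),
    which is exactly why the blacklist check runs as well."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


@dataclass
class Verdict:
    accepted: bool
    rating: str               # "weak", "fair" or "strong": the meter reading
    bits: float
    problems: list = field(default_factory=list)


def check_password(password: str, blacklist=COMMON_PASSWORDS) -> Verdict:
    """Apply the policy: minimum length, not a common password (or a trivial
    variant of one), plus an entropy estimate for the strength meter."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in blacklist or normalize(password) in blacklist:
        problems.append("too close to a very common password")
    bits = entropy_bits(password)
    if problems:
        rating = "weak"
    elif bits < 75:          # threshold chosen for this example
        rating = "fair"
    else:
        rating = "strong"
    return Verdict(accepted=not problems, rating=rating,
                   bits=round(bits, 1), problems=problems)


if __name__ == "__main__":
    # Constructed candidates, from hopeless to good.
    for candidate in ["123456", "P@ssw0rd2019!", "Sunshine2019", "correct horse battery"]:
        v = check_password(candidate)
        print(f"{candidate!r:26} {v.rating:6} {v.bits:6.1f} bits  {'; '.join(v.problems)}")
```

Note that "P@ssw0rd2019!" scores over 80 bits on the naive entropy estimate and would pass a composition rule, yet the normalized form lands on the blacklist. This is the point of pairing the meter with a blacklist: composition rules alone reward exactly the decorations people apply to words everyone already guesses.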
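To show how throttling and lockout interact with a guessing bot, here is an added example (not from the original post) of a login guard that applies both. The numbers other than the 10-failure threshold are assumptions for the example: the throttle delay starts at one second and doubles with each failure up to 60 seconds, and a lockout lasts 15 minutes. Time is passed in as a parameter so the behaviour can be simulated without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 10          # lockout threshold the article mentions (about 10)
LOCKOUT_SECONDS = 15 * 60  # assumption: how long a locked account stays locked
BASE_DELAY = 1.0           # assumption: first throttle delay, doubled per failure
MAX_DELAY = 60.0           # assumption: cap on the throttle delay
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-SHA256, so a stolen credential table is slow to attack offline."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Dummy record used for unknown usernames, so a wrong user and a wrong password
# take the same time to reject (does not reveal which accounts exist).
DUMMY_SALT, DUMMY_DIGEST = hash_password("not-a-real-password")


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time another attempt is processed
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, credentials: dict):
        self.credentials = credentials   # user -> (salt, digest)
        self.state = {}                  # user -> AccountState

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad_password', 'throttled' or 'locked'. `now` is a
        timestamp in seconds, injected so the behaviour can be simulated."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "throttled"          # rejected without even checking the password
        salt, expected = self.credentials.get(user, (DUMMY_SALT, DUMMY_DIGEST))
        _, given = hash_password(password, salt)
        if user in self.credentials and hmac.compare_digest(given, expected):
            st.failures = 0
            st.next_allowed = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # Lock the account; a fresh window starts once the lock expires.
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        st.next_allowed = now + min(MAX_DELAY, BASE_DELAY * 2 ** (st.failures - 1))
        return "bad_password"

    def wait_seconds(self, user: str, now: float) -> float:
        """How long the caller must wait before the next attempt is processed."""
        st = self.state.get(user, AccountState())
        return max(0.0, st.locked_until - now, st.next_allowed - now)


if __name__ == "__main__":
    # Constructed account; simulate a bot guessing once per second.
    guard = LoginGuard({"alice": hash_password("correct horse battery")})
    t = 0.0
    for _ in range(12):
        result = guard.attempt("alice", "wrong guess", t)
        print(f"t={t:5.1f}s  {result:12}  wait {guard.wait_seconds('alice', t):.0f}s")
        t += 1.0
```

Two design choices are worth calling out. Throttled attempts are rejected before the password hash is computed, so a flood of guesses cannot exhaust the server either. And the lockout counter resets when the lock expires, which keeps the legitimate owner from being permanently locked out by someone else's guessing, at the price of allowing the attacker another 10 guesses per lockout window; combined with the throttle that is still only a few dozen guesses per hour.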
Banning personal devices? Simple rules for better management
It isn't all about passwords, you may say. And you are right, as risks may also come from private devices used by employees for work purposes. But if you are thinking of banning this practice, you might want to think twice. As surveys have shown, a great number of people will smuggle their devices into the workplace anyway.
A few simple rules work better. For example, advise your people to use screen locks on their smartphones and tablets; passwords are the strongest option, but even PIN or pattern logins are better than no security at all.
Using encryption for all data is also a good idea. Instruct all employees who use private laptops, tablets or smartphones to apply at least the pre-installed built-in solution, or recommend reputable software of your choice.
Is work from home one of the perks your company offers? If so, apply two-factor verification for remote connections. Generating a unique one-time password for every login provides an extra layer of security for sensitive data and makes accounts much harder to crack. What's more, installing such a solution on a smartphone makes it simple to use and easy to carry around.