Passwords remain a core security method, and they continue to be a weak point. Despite the best efforts of cybersecurity advocates, many business users reuse personal passwords at work, use weak or obvious passwords, such as “password,” and store their passwords in non-secure locations. The standard response to these problems? Enforce highly complex passwords. Unfortunately, that cure is worse than the disease.
Why Increasing Password Complexity Hurts Security
Put yourself in the shoes of regular business users at your company. For them, security matters are not a top concern. In fact, they might complain about the onerous nature of cybersecurity in the annual employee survey! Now, if the cybersecurity department decides to make passwords more complicated by requiring ten characters instead of eight, or by requiring frequent password changes, how will rank-and-file employees respond?
Many employees are likely to respond to increased password requirements by using workarounds. For example, you might see more Post-it notes with passwords written on them. Alternatively, business users might reuse passwords more often. In essence, increasing password complexity appears to solve one problem (weak passwords) but ends up creating another: poorly managed passwords.
Fortunately, there are other ways to achieve the goal of increased company security without driving employees crazy. The solutions you choose will depend on your risk profile. To make a practical decision, take the time to consider several different options.
What Are Other Ways to Improve Security Beyond Changing Password Complexity?
It’s time to think more broadly about your organization’s approach to passwords. Rather than beating employees over the head with complicated, difficult-to-remember passwords, use these options instead.
- Streamline Password Management With Better Tools
What if your employees had the opportunity to request and make password changes easily? If you force employees to call a help desk, you are adding an unnecessary barrier. In fact, you are forcing them to admit they forgot their password. Even worse, employees might get frustrated if they are forced to wait for help. What’s the alternative?
Use a streamlined password management solution. Naturally, we recommend Password Station. It provides a self-serve approach to passwords so that employees can get on with their work faster. It also saves time for your help desk. From a management standpoint, you don’t have to worry about maintaining records. You can keep all your documentation directly in the system.
- Enhance User Provisioning From Day One
As Dark Reading, a cybersecurity news website, reported, employees use over 150 different passwords each month. That is a problem! What if there was a way to reduce this level of password overload quickly?
Rethinking your user provisioning process is one solution. For example, instead of giving every employee access to every system, adopt a stricter process. Do back office employees need access to customer service systems? Usually, the answer is no. Therefore, your user provisioning approach should restrict access accordingly. You could review user IDs for each employee to rationalize the process. But the better approach is to set up standard profiles for each type of role (all customer service representatives receive the same access, etc.).
To improve your user provisioning, use Identity Enforcer. This approach also saves time when it comes to compliance reviews (including SOX 302 and 404 compliance reviews), a major responsibility for publicly traded companies.
Tip: Are you hiring new employees and contractors into your organization this year? Help them ramp up to productivity standards by streamlining user provisioning. By equipping new hires with fully functional user IDs on day one, you will create a great impression and increase employee engagement. For more insight on this benefit of user provisioning, read our article, “Boost New Hire Productivity With User Provisioning.”
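The role-based approach described above, as an added example that is not Avatier's or Identity Enforcer's code: each role maps to a standard set of systems, new hires are provisioned from that profile, and an audit flags any employee whose actual access deviates from it (the roles, systems and employees are constructed sample data).

```python
"""Role-based provisioning profiles with an access audit.

Added example, not the product's code: instead of granting access per user
ID, each role maps to a standard set of systems, and an audit compares what
each employee actually holds against that profile. Roles, systems and
employees below are constructed sample data.
"""

# Standard profile per role: the only entitlements that role should hold.
ROLE_PROFILES = {
    "customer_service": {"crm", "ticketing", "email"},
    "back_office": {"erp", "payroll", "email"},
    "it_admin": {"crm", "ticketing", "erp", "payroll", "email", "iam_console"},
}


def provision(role):
    """Return the entitlements a new hire in `role` receives on day one."""
    if role not in ROLE_PROFILES:
        raise ValueError(f"no standard profile for role {role!r}")
    return set(ROLE_PROFILES[role])  # copy, so callers cannot mutate the profile


def audit(employees):
    """Compare each employee's actual entitlements with their role profile.

    Returns {employee_id: {"excess": set, "missing": set}} only for employees
    whose access deviates. Excess access is the compliance finding; missing
    access is the productivity problem the text describes.
    """
    findings = {}
    for emp in employees:
        expected = provision(emp["role"])
        actual = set(emp["entitlements"])
        excess, missing = actual - expected, expected - actual
        if excess or missing:
            findings[emp["id"]] = {"excess": excess, "missing": missing}
    return findings


# Constructed sample: e2 is a back-office clerk who still holds CRM access,
# e3 was never given payroll access.
SAMPLE_EMPLOYEES = [
    {"id": "e1", "role": "customer_service", "entitlements": {"crm", "ticketing", "email"}},
    {"id": "e2", "role": "back_office", "entitlements": {"erp", "payroll", "email", "crm"}},
    {"id": "e3", "role": "back_office", "entitlements": {"erp", "email"}},
]

if __name__ == "__main__":
    for emp_id, f in audit(SAMPLE_EMPLOYEES).items():
        print(emp_id, "excess:", sorted(f["excess"]), "missing:", sorted(f["missing"]))
```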
- Use Single Sign-On Software to Optimize the Number of Passwords
Reducing the number of passwords your employees have to worry about matters. If they only have one or two passwords instead of twenty, it is far easier to ask them to create strong passwords. How do you make that happen? Simply use single sign-on software to streamline security.
Unfortunately, connecting multiple backend systems to a single sign-on solution isn’t easy. A bank or other large company might have mainframe systems, modern web applications, and desktop applications. How do you provide a seamless way to sign on to them all? Use Avatier’s Single Sign-On solution, because it simplifies security and keeps your SaaS licenses in check.
- Improve Employee Cybersecurity Training
Without the awareness that security matters, and without practical tips on how to do better, your employees will struggle. Did you know that some organizations only provide security training to employees once (on the first day)? That approach means that longer-serving employees will gradually forget their security responsibilities as they focus on their primary work.
Deciding what to cover in your employee cybersecurity training goes beyond the scope of this article. We can, however, offer a few tips to point you in the right direction. First, provide enhanced training to managers and supervisors to ensure that they understand how to oversee their staff. Second, focus on cybersecurity principles that will help employees make smart decisions rather than attempting to create a rule for each situation. Third, educate employees on where they can go for help on security matters.
- Use Multi-Factor Authentication (MFA) to Reduce Reliance on Passwords
Face the facts: a single text password is easy to attack. How can you give your passwords additional support? We recommend using multi-factor authentication. For example, ask employees to use a traditional password and a company smartphone app to authenticate. This approach is especially useful when employees are traveling or are outside the office. In those non-traditional environments, it is easier for a third party to attack your company through an open wireless network or by “shoulder surfing” (standing behind an employee while they use their computer in a public place). Banks, Amazon, and other large companies have already introduced this method, so you will be in good company.
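The password-plus-smartphone-app login described above, as an added example that is not Avatier's code: the server keeps a salted password hash and a per-user secret shared with the app, generates time-based one-time codes per RFC 6238, and accepts a login only when both factors check out. The user record, salt and password are constructed; the secret is the RFC 6238 reference test key.

```python
"""Password plus time-based one-time code (RFC 6238 TOTP) login check.

Added example, not the product's code. The user record, salt and password
below are constructed; the TOTP secret is the RFC 6238 reference test key.
"""
import hashlib
import hmac
import struct

STEP = 30   # seconds per TOTP period
DIGITS = 6  # code length shown in the smartphone app


def hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 hash, the stored form of the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Compute the TOTP code for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step or up to `window` steps either side, to
    tolerate phone clock drift; every comparison is constant-time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed user record; the secret is the RFC 6238 reference key.
SALT = b"constructed-salt"
USER = {
    "name": "alice",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}


def authenticate(user, password, code, unix_time):
    """Check both factors before answering, so a failed login does not
    reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and otp_ok
```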
Which strategy will you use to improve your security this year?