Should you bother with a password management policy right now? Or should you focus on other ways to improve your cybersecurity?
The answer to the first question is yes, you need password management. However, you need to scale that policy to match the size and complexity of your business. Before we dive into the fine details, consider the big picture: why bother with a password management policy in the first place?
Why Companies Create and Enforce Password Management Policies
Password management policies had their origins in software development. Programmers needed to set basic requirements for passwords in the software they created. At first, these “password policies” were painfully basic, such as “passwords must be eight characters.” In the Internet era of constant hacking incidents, everything has changed. Hackers and researchers started to release reports about the most commonly used passwords.
Take this one password survey example released in late 2017. Are you using any of these basic passwords?
The last password on the list is particularly problematic because “admin” is usually a default password. If people are still using “admin” as a password, it suggests they haven’t bothered to change the default at all. The continued use of these simple, easy-to-guess passwords is the top reason why you need a password management policy.
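The two checks described above (a minimum length, and rejecting the passwords that keep showing up in common-password surveys) are easy to enforce in software. The following is an added example and not Avatier code; the denylist is a small constructed sample, not the 2017 survey list, and a real deployment would load a much larger list.

```python
"""Minimal password-policy checker: minimum length plus a denylist of
commonly used passwords. Added example; the denylist is a constructed
sample and would be replaced by a full breached/common-password list."""
from typing import Iterable, List

# Constructed sample of frequently reported passwords (not the survey's list).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty",
    "letmein", "admin", "welcome", "football",
}
MIN_LENGTH = 8
# Characters users typically bolt onto a common word to satisfy a "complexity" rule.
TRIVIAL_SUFFIX_CHARS = "0123456789!@#$%^&*."


def check_password(password: str,
                   min_length: int = MIN_LENGTH,
                   denylist: Iterable[str] = COMMON_PASSWORDS) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    deny = set(denylist)
    lowered = password.lower()
    problems: List[str] = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    if lowered in deny:
        problems.append("appears on the common-password denylist")
    else:
        # Catch variants such as "Password1!" or "admin123" that differ from a
        # denylisted word only by a trailing digit/symbol run.
        stripped = lowered.rstrip(TRIVIAL_SUFFIX_CHARS)
        if stripped and stripped in deny:
            problems.append("common password with trivial suffix")

    return problems


def is_compliant(password: str) -> bool:
    """Convenience wrapper used at password-change time."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["admin", "Password1!", "12345678", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The denylist comparison is case-insensitive and runs on the full password as well as on the password with a trailing digit/symbol run removed, so a bare length-and-complexity rule cannot be satisfied by “admin123”. Hook `is_compliant` into the password-change path of whatever system you control; for vendor and SaaS systems you can only configure the rules the vendor exposes, which is exactly why the policy document needs a Scope section.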
When Do You Need To Improve Your Password Management Policy?
Your organization surely has some level of password policy. At a bare minimum, you have a collection of distinct password rules for different products and systems, set by Microsoft, Google, and other outside companies. This random mixture of different password rules doesn’t add up to a secure environment, though. How do your employees know what they need to do every day? Where are your password weak spots? These questions are tough to answer with such a rudimentary approach to password management.
You need to improve your password management policy when you start to observe the following changes.
- Your company is preparing to go public. Regulators and investors have high expectations of public companies.
- You operate in a regulated industry such as healthcare or financial services. If you operate in one of these industries, a strong password management policy matters.
- GDPR impacts you. While this European regulation is primarily about privacy protection, it implies password management requirements. With weak passwords, it’s tough to protect customer data.
- You use multiple cloud services every week. Each new cloud service you add represents another security challenge.
- You have suffered a cybersecurity incident. When your company suffers a hacking incident like those faced by Sony, Target, and Equifax, it’s a wake-up call to investigate your entire approach to security. Sadly, weak passwords such as “admin” are often part of the story.
- You are taking on large, enterprise customers. Are you ready to take on Google as a customer? What about Wal-Mart? If you’re hungry for Fortune 500 customers, you need to prepare your organization to meet their demands. Those demands include high expectations for cybersecurity and password management.
The Fundamentals of a Password Management Policy
While the details will need to be tailored to your company’s situation, certain principles apply everywhere. Use this checklist to see if your password management approach is on the right track.
- Rationale: Start with why you have a password management policy at all. In brief, passwords are a critical security element. With weak passwords, the likelihood of a hacking incident goes up.
- Scope: Explain what your password management policy covers. If you have a simple environment, you might list every specific system and application. Alternatively, list broad categories of internally developed systems, cloud/SaaS applications, and vendor-provided systems.
- Best Practices: In this section of the policy, provide clear guidance on what to do and what not to do. This is also a good place to reiterate a “clean desk policy” to discourage users from writing passwords on sticky notes attached to their monitor or left elsewhere in their office.
- Consequences: Explain what will happen if the password management policy is not followed. At a minimum, such behavior exposes employees, assets, and customers to increased risk.
- Support and Resources: Provide links to other resources inside the company (e.g., other relevant cybersecurity policies and procedures). Also, provide contact details so employees can ask questions and get help if they need it.
After you do the hard work of improving your password management policy, you need to spread the message to your employees.
How to Promote the New Policy
Use the following methods to spread the message to your employees about the new expectations for password management. Note that if your organization is under pressure to demonstrate improved cybersecurity (read: you are responding to a hacking incident!), you’ll want to put extra effort into these steps.
- Publish and promote the new policy. Publish the password policy and supporting procedures on your company’s internal website. Send out a broadcast email to alert employees about it.
- Organize team meetings. Ask each manager to review the password policy with all of his or her direct reports.
- Employ special training for high-risk users. Managers, IT security staff, and auditors are some of the people who need to receive enhanced training. They possess powerful credentials and need to understand how to protect them.
Resource: Not sure how to design and deliver effective IT security training to employees? We have you covered. Check out our article: How to Deliver Password Management Training to Your Employees This Week.
What Resources Make Password Management Easier?
Improving password management takes time and effort. Is there a shortcut to improved security? There are a few! Start by looking at the IT security solutions you already have in place. For example, are you using Avatier Single Sign-On to simplify daily life for your employees? Single sign-on cuts down the number of passwords employees have to memorize, and therefore the number they are tempted to reuse or write down.
You may decide that it’s time to join Amazon, Google, and Facebook in providing multi-factor authentication. To simplify multi-factor authentication, we recommend using Password Station.