User credentials are the first thing hackers search for, and easily obtained ones can do more damage than is obvious, especially for corporate accounts. Stolen credentials are the keys that let attackers unlock critical and sensitive company information and vital IT systems. Employees must never overlook the importance of a strong password policy for their organization, and even personal devices need a strong password. Let’s dig in further.
Stolen credentials pose the greatest danger to organizational IT security
According to a Verizon study, 63% of data breach cases involved the misuse of weak, default, or stolen passwords, and 83% of those were not discovered for weeks. The real damage happens between the time the compromise takes place and the time it is detected: hackers abuse the stolen passwords to install malware or spyware on a company’s device or network and extract sensitive information before IT detects the breach. As a matter of fact, no company, irrespective of its size or geographical location, is immune to cyber-attacks and data theft, so it becomes even more important to gain an in-depth understanding of the threat landscape, the ways to protect corporate data, and how to detect possible threats.
One of the most common ways hackers penetrate corporate systems is the phishing attack, in which an employee receives a seemingly harmless email asking them to reset their existing password. As soon as the recipient enters the current password, the hacker has it and can use it to infiltrate the systems and networks. Clicking on these malicious links does not only lead to stolen passwords; it can also get malware installed on the company system. And this is where the horror begins!
Companies need to have a strategy that defines a password policy enforcement
As we continue to keep our private communication, financial transactions, and health-related details in cloud storage and on digital devices, we attract hackers who want access to that sensitive personal information, which poses serious security threats. The problem becomes graver when organizational data is at stake. After all, enterprise data is worth millions, and a breach can cause irreparable damage to finances as well as to the brand. Having a strong password policy with a strong password composition, and fostering an overall security-driven culture, can be the first and foremost step towards protecting confidential user and corporate information. Building a sound strategy is crucial to defining a strong password policy across the company. The following steps should help.
Step 1 – The IT team needs to play a powerful role
To start with, it is essential for the IT team to take a leading role in educating the rest of the company, including in-house and remote workers, about the importance of a strong password and the kinds of risks and threats they invite in the absence of one. Describe the common as well as the rare security risk scenarios and the motives behind the attacks, and explain the types of loss that the company and its employees would face if any of these cybersecurity attacks took place.
Step 2 – Start with a basic understanding of a strong password
A password policy can be defined as a set of rules created by an organization’s IT head to enhance the security of corporate data stored on the enterprise’s devices, systems, and networks. A strong password policy defined by the IT team motivates employees and users to create reliable and secure passwords and to store and use them responsibly. Password protection can also be made part of a security awareness training module. An apt example of a really strong password is “eC<My!chO,quaj^of)naD}uM}rIew>Ap[Ek}E*quaC.eib(Tyb”.
Step 3 – Teach employees about how to create a strong password
Although it is frustrating for employees to generate complex system and device passwords that meet unfamiliar criteria, it is imperative for companies to enforce a password policy. Ideally, a strong password must be a minimum of 8 characters (the longer it is, the safer). It should not contain any predictable information or personal details such as birthdays, real names, or the company name. It should also be unique, not matching any previous password, and should not be a single word that can be spelled in one go. Lastly, it should contain characters from all 4 major categories: uppercase letters, lowercase letters, special characters, and digits.
Password policy requirements should consider the following aspects:
- Define password history: Set a rule for how soon employees can reuse old passwords. A password history policy restricts the reuse of previously used and common passwords, which can be guessed or cracked easily. Ideally, enforce a password history policy that fixes the number of unique passwords an employee must go through before an old one can be reused; the minimum number of unique passwords should be 5.
- Decide a password age: It is imperative for the IT team to set an expiration date for the passwords employees use on work devices. Users need to change their passwords periodically, and the shorter the change cycle, the better it is for security. At the same time, set a minimum password age to prevent employees from immediately changing a newly created password back to the previous one (which is easier to remember or relate to).
- Enforce a specific password length: It is advisable to encourage passphrases so that employees can meet the length requirement. It is crucial for organizations to define the total length of the password, which ideally should be 14 characters, adding to its complexity and security.
- Define an account lockout policy: The account lockout policy determines how long an account stays locked after a certain number of invalid password entries. Ideally, the lockout period after the maximum number of wrong attempts is reached should be a minimum of 15 minutes.
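A policy checker built from the rules in Step 3 and the list above, as an added example and not Scalefusion’s own code: it enforces the 14-character length, the four character classes, a blocklist of personal or company terms, the last-5 password history, and a 15-minute lockout. The threshold of 5 failed attempts and the sample passwords are assumptions; the article gives neither.

```python
import re
import time
# Policy values from the article: 14-character minimum, four character classes,
# no reuse of the last 5 passwords, 15-minute lockout. MAX_FAILED_ATTEMPTS is an
# assumption; the article does not give the number of attempts.
MIN_LENGTH = 14
HISTORY_SIZE = 5
LOCKOUT_SECONDS = 15 * 60
MAX_FAILED_ATTEMPTS = 5
CLASS_PATTERNS = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}

def check_password(candidate, history, blocked_terms):
    """Return the list of policy violations; an empty list means acceptable.
    history is plaintext only for this demo (real systems compare hashes);
    blocked_terms are the personal/company words that must not appear."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [n for n, p in CLASS_PATTERNS.items() if not re.search(p, candidate)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = candidate.lower()
    for term in blocked_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains blocked term '{term}'")
    if candidate in history[-HISTORY_SIZE:]:
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems

class LockoutTracker:
    """Counts consecutive failed logins per account; locks for LOCKOUT_SECONDS."""
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing
        self.failures = {}          # account -> consecutive failed attempts
        self.locked_until = {}      # account -> time at which the lockout ends
    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)
    def record_failure(self, account):
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            self.failures[account] = 0
    def record_success(self, account):
        self.failures.pop(account, None)
```

Note that the article’s own sample password in Step 2 contains no digit, so this checker would reject it on the four-class rule.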
Scalefusion MDM understands the importance of password policy enforcement for corporate data security and employee privacy, and hence allows the IT admin to enforce the required password policy, along with other security settings, across all device users.