How to Define Password Policy for Your Organization?

  • January 21, 2020

User credentials are exactly what attackers look for, and easily obtained ones can do far more damage than is obvious, especially for corporate accounts. Stolen user credentials are the keys that let cyber attackers unlock critical and sensitive company information and vital IT systems. Employees must never overlook the importance of a strong password policy for their organization. Even personal devices need a strong password. Let's dig in further.

Stolen credentials pose the greatest danger to organizational IT security

According to a Verizon study [1], 63% of data breaches involve the misuse of weak, default or stolen passwords, and 83% of those were not discovered for weeks. The real damage happens between the time the compromise occurs and the time it is detected: attackers use the stolen passwords to install malware or spyware on a company device or network and extract sensitive information before IT detects the breach. No company, whatever its size or geographical location, is immune to cyber-attacks and data theft, so it becomes even more important to gain an in-depth understanding of the threat landscape, of the ways to protect corporate data, and of how to detect possible threats.

One of the commonest ways attackers penetrate corporate systems is phishing: an employee receives a seemingly harmless email asking them to reset their existing password. As soon as the recipient enters the current password, the attacker has it and uses it to infiltrate systems and networks. Clicking such malicious links does not only lead to stolen passwords; it can also get malware installed on the company system. And this is where the horror begins.


Companies need a strategy that defines password policy enforcement

As we keep more of our private communication, financial transactions and health-related details in cloud storage and on digital devices, we attract attackers seeking access to sensitive personal information, which poses serious security threats. The problem becomes graver when organizational data is at stake: enterprise data is worth millions, and a breach can cause irreparable financial and brand damage. A strong password policy, backed by a security-driven culture, is the first and foremost step towards protecting confidential user and corporate information. A well-thought-out strategy is needed to define a strong password policy across the company. The following steps should help.

The IT team needs to play a powerful role: To start with, it is essential that the IT team takes the lead in educating the rest of the company, including in-house and remote workers, about the importance of a strong password and the risks and threats they invite without one. Describe the common as well as the rare security risk scenarios and the reasons behind the attacks, and explain the types of loss the company and its employees would face if any of these attacks took place.

Start with a basic understanding of a strong password: A password policy is a set of rules created by an organization's IT head to enhance the security of corporate data stored on enterprise devices, systems and networks. A strong password policy defined by the IT team motivates employees and users to create reliable, secure passwords and to store and use them responsibly. Password protection can also be made part of a security-awareness training module. An example of a really strong password is “eC<My!chO,quaj^of)naD}uM}rIew>Ap[Ek}E*quaC.eib(Tyb”.

Teach employees how to create a strong password: Although employees find it frustrating to generate complex system/device passwords that meet unfamiliar criteria, companies must enforce their password policy. A strong password must have a minimum of 8 characters (the longer, the safer). It should not contain predictable information or personal details such as birthdays, the user's real name or the company name. It should also be unique, not match the previous password, and not be a plain word that can be spelled in one go (a dictionary word). Lastly, it should contain characters from all 4 major categories: uppercase letters, lowercase letters, special characters and digits.


Password policy requirements should consider the following aspects:

Define password history: Set a rule for how often employees can reuse old passwords. A history rule prevents alternating between previously used, commonly guessed passwords that are easy to compromise. Ideally, enforce a password history policy that sets the number of unique passwords an employee must go through before an old one can be reused; the minimum number of unique passwords should be 5.

Decide a password age: The IT team must set an expiration date for the passwords employees use on work devices. Users need to change their passwords periodically, and the shorter the change cycle, the better for security. At the same time, set a minimum password age to stop employees from changing a newly created password straight back to the previous one (which is easier to remember).

Enforce a specific password length: Encourage the use of passphrases so that employees can comfortably meet the length rule. Organizations must define the total password length, which ideally should be 14 characters, to add to its complexity and security.

Define an account lockout policy: Include an account lockout policy that determines how long the account remains locked after a certain number of invalid password entries. Ideally, the lockout after reaching the maximum number of wrong attempts should last at least 15 minutes. Scalefusion MDM understands the importance of password policy enforcement for corporate data security and employee privacy, and hence lets the IT admin enforce the required password policy, along with other security settings, across all device users.
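As an added example (not code from this post or from Scalefusion), a Python checker that enforces the rules listed above together with the strong-password rules from earlier in the post: 14-character length, all 4 character classes, no personal or company details, no dictionary word, a history of 5, a minimum age, and a 15-minute lockout. The failed-attempt threshold of 5 and the one-day minimum age are assumptions, since the post says such limits should exist but gives no figures, and the word list is a constructed stand-in.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Values from the post: 14-char length, history of 5, 15-minute lockout.
# MIN_AGE and LOCKOUT_THRESHOLD are assumptions (the post gives no numbers).
MIN_LENGTH = 14
HISTORY_DEPTH = 5
MIN_AGE = timedelta(days=1)
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=15)
CLASSES = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
DICTIONARY = {"password", "welcome", "letmein"}  # constructed stand-in wordlist

def hash_password(pw: str, salt: bytes) -> bytes:
    """Slow salted hash so history entries are never stored in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def check_new_password(candidate, user, history, last_changed, now):
    """Return the list of policy violations; an empty list means accepted.
    user: dict of strings that must not appear (name, company, birthday).
    history: [(salt, hash)] of the user's previous passwords, newest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(c, candidate) for c in CLASSES):
        problems.append("missing one of upper, lower, digit, special")
    low = candidate.lower()
    for key, value in user.items():
        if value and value.lower() in low:
            problems.append(f"contains the user's {key}")
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("is a dictionary word padded with symbols")
    if any(hmac.compare_digest(hash_password(candidate, s), h)
           for s, h in history[:HISTORY_DEPTH]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if last_changed and now - last_changed < MIN_AGE:
        problems.append("minimum password age not reached")
    return problems

def record_attempt(state, success, now):
    """Track failed logins per account; returns True while the account is locked."""
    if state.get("locked_until") and now < state["locked_until"]:
        return True
    state["failures"] = 0 if success else state.get("failures", 0) + 1
    if state["failures"] >= LOCKOUT_THRESHOLD:
        state["locked_until"], state["failures"] = now + LOCKOUT_DURATION, 0
        return True
    return False
```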

Source:
1. enterprise.verizon.com

Sonali has extensive experience in content writing, marketing and strategy, and has worked with companies where she was involved in 360-degree content production and editing. An avid reader and animal lover, she loves to cook, take care of her plants and travel.
