
    Robust Passcode Policy for Improved Workplace Security: A CISO Guide

    “I’m not a robot”. Sure, you’re not, and that confirmation security net is to catch spambots. Humans have a beautiful and dangerous thing—the mind! A mind that creates robots and AI and ML algorithms—beautiful. A mind that can also find a way to breach or steal data—dangerous.  

    Ross Ulbricht, the notorious mind behind the dark web marketplace Silk Road, was arrested in 2013 and is currently incarcerated in a US prison. Yet, since the end of 2017, over 555 million passwords have been shared on the dark web. That’s a tormenting number for CISOs across the world. 

    Passcode Policy from a CISO Perspective

    This blog intends to present the importance of passcode policy from a CISO perspective and the relevance Mobile Device Management (MDM) holds for the same.

    Impact of Poor or No Passcode Policy

    A report[1] amplifies the CISO ordeal. The average cost of a data breach in 2023 was USD 4.45 million. A 15% growth from 2020—faster than the global growth of many legit markets. And if the horror could get possibly worse—86% of organizational data breaches are due to compromised or stolen credentials, according to research[2].

    Data is the new real estate, and cybercriminals are well aware of that. A survey[3] found that 52% of people use the same passcode across accounts. While individuals keep falling prey to hackers through passcode breaches, the extent of reputational and financial damage to organizations is severe. 

    No wonder CISOs and their cybersecurity teams are experiencing burnout. Securing information has become an indomitable task in the ‘World Wide Web’ space. 

    But does it imply that organizations give in? That’s not even an option, right? The only option is to fight! And fight CISOs must! Organizational information security and policies involve many vitals, and passcode or password policies are one of those vital pulses. 

    As a CISO, you must make the most of passcode policies to raise the security bar of your organization. 

    Here are a few ways to do so.

    Don’t Keep It Simple!

    While the keep-it-simple-stupid (KISS) principle applies to many dimensions of life, it certainly has no room in your passcode policies. Keeping obvious and vulnerable passwords puts devices and networks to the sword. 

    Talking about numbers, the findings of a study[4] are a dream come true for cybercriminals and the worst nightmare for CISOs. 

    • 31% use children’s birthdays or names as passwords (sorry, doesn’t make you a good parent!)
    • 34% use their partner’s or spouse’s birthdays or names as passwords (dumbest relationship goal ever!)
    • 37% use their employer name as passwords (is this loyalty? you’ve got to be kidding!)
    • 44% reuse personal account passwords at work (whatever happened to thinking capacity!)

    The focal point of any passcode policy must be to ensure that every password is unique, complex, and lengthy. Mixing numbers rather than keeping a series (like 1234) is a good place to start. Substituting numbers for certain letters helps too. 

    As per analysis[5], a password that contains 12 characters or more is a staggering 62 trillion times tougher for cybercriminals to hack than one with 6 characters. And yes, the strongest password is one with 16 characters drawn from a set of 200. 

    For instance, dogpersonsince1984 ticks the length box, but D0gP3rS0nS1nc39t3eN84 ticks the length, strength, and complexity boxes. The latter isn’t easy to hack by any means, and if passwords like that or d3AtHByCh0c0la8 too get compromised, maybe that hacker deserves to be a part of your security team. 

    Now that brings us to the stolen part. Let’s peek into that again via the report numbers (mentioned above[4]). 57% of employees write their passwords on sticky notes. 55% of them save them on their phones and 51% on computers. These are very subjective numbers and intangible, too; therefore, they are something beyond what you can control. As a CISO, ensuring employees avoid the KISS principle and keep passwords like 1Am4r0MOuT3r5PaC3 is what you can control. 

    “Don’t KISS” has to be the thumb rule of any passcode policy.
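The rules this section states (12 or more characters, a mix of character classes, no simple series like 1234, nothing built from an employer's or family member's name, no reuse) can be encoded as a checker that an IT team runs at password-set time. The block below is an added illustration written for this page, not Scalefusion's product code; the banned-word list and the previously-used hash set are constructed sample data, and the three-of-four character-class rule is an assumption the article does not spell out.

```python
"""Passcode-policy checker modelled on the rules in the article above.

Added example: the policy thresholds are taken from the text (12+ characters,
no series such as 1234, no personal or employer words); the exact
character-class rule and the sample banned words are assumptions.
"""
import hashlib
import string

MIN_LENGTH = 12      # from the article: 12 characters or more
SERIES_LENGTH = 3    # "123", "abc", "aaa" style runs count as a series

# Constructed sample data: an employer name, a partner's name and a child's
# birth year, the kinds of tokens the article reports people reuse.
BANNED_WORDS = {"acmecorp", "amanda", "1984"}


def has_series(pw: str, run: int = SERIES_LENGTH) -> bool:
    """True if pw contains `run` consecutive characters that step by +1 or -1
    (e.g. 123, dcba) or repeat the same character (e.g. aaa)."""
    lowered = pw.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def character_classes(pw: str) -> dict:
    """Which of the four character classes the passcode uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def check_passcode(pw: str, banned_words=BANNED_WORDS,
                   used_hashes=frozenset()) -> list:
    """Return a list of policy violations; an empty list means the passcode
    is acceptable under this policy."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if sum(character_classes(pw).values()) < 3:
        violations.append("needs at least three of: lower, upper, digit, symbol")
    if has_series(pw):
        violations.append("contains a simple series (e.g. 123, abc, aaa)")
    lowered = pw.lower()
    for word in sorted(banned_words):   # sorted for deterministic output
        if word in lowered:
            violations.append(f"contains banned word '{word}'")
    # Uniqueness: compare a hash of the candidate against hashes of passcodes
    # already in use, so the checker never stores plaintext passcodes.
    digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
    if digest in used_hashes:
        violations.append("reused: matches a previously used passcode")
    return violations


if __name__ == "__main__":
    # The article's own examples, plus the weak Amanda@123 it warns about.
    for candidate in ("dogpersonsince1984", "D0gP3rS0nS1nc39t3eN84",
                      "Amanda@123", "1Am4r0MOuT3r5PaC3"):
        print(candidate, "->", check_passcode(candidate) or "OK")
```

Run as a script, the checker rejects dogpersonsince1984 (only two character classes and it contains the constructed banned token 1984) and Amanda@123 (too short, contains the series 123 and the banned name), while the article's complex examples pass.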

    If It’s Strong, Why Change?

    Many organizations have a passcode policy that requires changing passwords frequently. Is that a necessity? Well, you can do without frequent password changes when employees follow “Don’t KISS”. Strong and complex passwords, like some mentioned above, have very little or no chance of getting hacked. 

    Employees will generally refrain from strong and complex passwords if they need to remember a new one every now and then. That’s when weak passwords (like Amanda@123) creep into your network system. That said, enforcing a periodic password change is great for overall security posture and is harmless! Discretion is needed, though.

    MFA, ASAP

    If you’re missing out on MFA or multifactor authentication in your passcode policy, don’t wait any further; implement it right away. MFA protects accounts even when a password is known, because users must present additional information or perform an additional action beyond entering the password. OTPs, once only a BFSI thing, are now commonplace. 

    If e-commerce can go to the lengths to secure your account with an OTP, you can do your bit as well to secure your corporate data. FIDO authentication is another great option. MFA adds an additional layer of security to devices. Thus, even if the password is compromised, a hacker still needs one or more types of authentication to sneak in. 

    Train People and Spread Awareness

    Some CISOs are just fine with employees having the organizational passcode policy somewhere in their unread mail or in some work folder that was last visited on the day of joining. That’s where the thin line between a good CISO and a great CISO lies. Great leaders of security teams know that passwords are the primary gateway to information access. Therefore, a CISO must keep training people and spreading awareness about the importance of passcode policies. 

    Employees should know the repercussions of non-compliance based on their role in the organization. Keep the repercussions as serious as hefty financial penalties or even suspension and subsequent termination when passcode policies are not adhered to after repeated training and warnings. 

    Sooner or later, there’s every chance of passcode policies becoming ZTP (zero-tolerance policy), just like other non-negotiable workplace offenses. Why wait for a data security disaster? Why not make it a ZTP today?

    Using an MDM solution helps you heighten device and network security. You can push your passcode policy across a diverse range of devices through MDM, irrespective of the device or OS type. MDM lets you send security alerts and notifications and allows you to keep track of login sessions. Your security team will be notified instantly if there’s a case of multiple failed login attempts on one of your MDM-enrolled devices. You can then investigate the matter and take the required action, including locking the device and wiping its data in case of loss or theft. 
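The "multiple failed login attempts" alert described above is, at its core, a per-device count of failures inside a time window. The block below is an added example, not Scalefusion's alerting logic: the log lines are constructed in an invented key=value format (real MDM exports differ), and the threshold of five failures within ten minutes is an assumed policy value. A successful login clears the streak, and each streak raises at most one alert so the security team is not flooded.

```python
"""Failed-login streak detector over MDM-style login events.

Added example. The log format, device names and the 5-in-10-minutes
threshold are constructed assumptions; real MDM exports differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one device hammered with failures in under a
# minute, another with two isolated failures far apart.
SAMPLE_LOG = """\
2024-09-02T08:00:01Z device=TAB-0142 user=jdoe event=login result=failure
2024-09-02T08:00:09Z device=TAB-0142 user=jdoe event=login result=failure
2024-09-02T08:00:15Z device=LAP-0077 user=asmith event=login result=success
2024-09-02T08:00:20Z device=TAB-0142 user=jdoe event=login result=failure
2024-09-02T08:00:31Z device=TAB-0142 user=jdoe event=login result=failure
2024-09-02T08:00:44Z device=TAB-0142 user=jdoe event=login result=failure
2024-09-02T08:15:00Z device=LAP-0077 user=asmith event=login result=failure
2024-09-02T08:40:00Z device=LAP-0077 user=asmith event=login result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"event=login result=(?P<result>success|failure)$"
)


def parse_line(line: str):
    """Return (timestamp, device, user, result) or None for non-login lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["device"], m["user"], m["result"]


def detect_failed_logins(log_text: str, threshold: int = 5,
                         window: timedelta = timedelta(minutes=10)) -> list:
    """Sliding-window streak detection per device.

    Emits one alert the moment a device accumulates `threshold` failures
    within `window`; a success resets the streak. The response (lock, wipe)
    is left to the MDM console, this function only produces the alert.
    """
    recent = defaultdict(deque)   # device -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, device, user, result = rec
        streak = recent[device]
        if result == "success":
            streak.clear()
            continue
        streak.append(ts)
        # Drop failures that have aged out of the window.
        while streak and ts - streak[0] > window:
            streak.popleft()
        if len(streak) >= threshold:
            alerts.append({"device": device, "user": user,
                           "at": ts.isoformat(), "failures": len(streak)})
            streak.clear()   # one alert per streak
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the constructed sample the detector raises a single alert for TAB-0142 at 08:00:44 with five failures, and stays quiet for LAP-0077, whose two failures are 25 minutes apart and never share a window.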

    Yes, You Can Keep A Secret

    There’s plenty to discuss with friends and family over some food and drinks. Passcode policy doesn’t fit in that discussion; in fact, it doesn’t fit in a discussion anywhere or with anyone. The only people a CISO should discuss passcode policies with are the IT team and direct authorities. 

    Mr. Hacker, Welcome Aboard

    You don’t have to be a cybercriminal to think like one. Foresight and innovation are marvelous traits for a CISO to possess. You can hire a professional hacker on an annual contract and ask this good cyber actor to attempt to break into your devices or network. This will strengthen your passcode policy, as you will become informed about any or all password-based loopholes in your organizational security. It will also keep you updated on how the bad actors prowl. You can then beat them at their own game!

    Embrace Passcode Policy with Scalefusion

    Capitalizing on a well-oiled passcode policy can consolidate organizational security. And as a CISO, that’s your KRA right there. An MDM solution like Scalefusion can help enforce stringent passcode policies across managed device fleets. You can set parameters such as length, complexity, change interval, failed login attempts, and more.

    Time to raise your organizational security bar by reaching our experts for a free demo. Enjoy a 14-day free trial by signing up now!

    References:
    1. IBM
    2. Google Cloud – Threat Horizon
    3. Google / Harris Poll
    4. Keeper Security
    5. Scientific American

    Abhinandan Ghosh
    Abhinandan is a Senior Content Editor at Scalefusion who is an enthusiast of all things tech and loves culinary and musical expeditions. With more than a decade of experience, he believes in delivering consummate, insightful content to readers.
