In an ever-evolving IT environment with increasing threats and complexities, it's more important than ever to protect your data. Data breaches have become an all too common news headline and can have detrimental effects on your business. Aside from the obvious implication of theft of information, an organization's reputation often takes the biggest hit, and is the hardest thing to recover.
Take the most recent breach scandal regarding credit reporting agency Equifax. Hackers accessed people's names, Social Security numbers, birth dates, addresses and, in some instances, driver's license and credit card numbers. Gaining back the trust of the public after this breach will be no small feat. Perhaps the hardest pill to swallow is that the entire situation could have been avoided. To ensure it will not be you left cleaning up a massive PR mess, take proactive steps to protect your data, namely the 6 steps I will explain today.
Where's the first place to start? Passwords. The best encryption and data protection software in the world is as good as useless without a sound and secure password policy in place. Password compromise is still the leading cause behind most data breaches. In 2014, two out of three breaches involved attackers using stolen or misused credentials (Higgins 2014). In this blog, we are going to outline six tips for implementing and maintaining an efficient and effective password policy.
1. K.I.S.S. Model
Keep It Simple, Stupid. Makes sense? A good password is only as good as the person using it. If passwords have to be changed too often, or have too many complexity rules, people are going to revert to the easiest way of remembering them, which is writing them down, more often than not on a sticky note attached to the machine the password grants access to. This is a worst-case scenario and will essentially undermine any protections put in place. Solution? Make it manageable for employees to access data with realistic password complexity and expiration rules in place. You can read more about password policy best practices in the blog post Risky Business: Overcoming Onboarding Exposure (Explicitly, Perilous Passwords).
Question: What's harder than remembering an 8-12-character password with two special characters, two upper-case letters, two lower-case letters and a number?
Answer: Remembering 18 of them.
Our research has shown that employees at executive level and above have an average of 18 accounts that require usernames and passwords. Without a universal set of credentials this becomes very unmanageable, and users will resort to the 'write it down' method of tracking passwords discussed above.
2. Password Synchronization
Password Synchronization is an effective and cost-efficient way of creating a universal password for each user that fits your organization's policy. With a Password Synchronization Manager (PSM), when a user resets their Active Directory password, the PSM ensures that connected applications receive the new password.
3. Self-Service Password Reset
The traditional work environment has expanded over time, from a stationary desk in an office Monday to Friday, to a now semi-mobile workforce who often work evenings and weekends. This means data may need to be accessed from anywhere at any time. Now, when a user forgets a password, IT may not always be available to reset it. Massive amounts of skilled IT resources are spent on menial and repetitive tasks such as resetting passwords. It often leaves a user waiting a long time to regain access, making them unproductive all the while.
With a self-service password reset solution, users can securely reset their passwords at any time. Depending on the product, this can be done by answering challenge questions or completing additional factors of authentication. Allowing users to reset their own passwords autonomously results in a significant reduction in the number of password reset calls, freeing up helpdesks to focus on more important IT projects and allowing users to be 100% productive.
4. Two-Factor and Multi-Factor Authentication
With the ever-growing sophistication of hackers, sometimes a password is just not enough. Depending on how sensitive the information you're trying to protect is, you may need an additional layer of security, namely two-factor or multi-factor authentication. Two-Factor Authentication provides a second layer of security via an SMS or e-mail PIN code, as an example. An even higher level of authentication (multi-factor) can be achieved with the following:
- Something that somebody knows: username, password, PIN code
- Something that somebody owns: cell phone, token
- Something that somebody is: biometrics such as fingerprints or facial recognition
Combining two or more of these methods during the authentication process will give that extra peace of mind in the protection of your data. Also, depending on your industry, it may be necessary for meeting certain compliance regulations such as HIPAA, SOX, FERPA, etc.
5. Helpdesk ID Verification
Even if you employ tools to minimize the number of calls to your support desk (such as Self-Service Reset Password Management), invariably, there will be some cases where calls do come in. When they do, it's up to your staff to make sure they know who they're talking to before providing any password reset options. In these cases, having Helpdesk ID Verification allows helpdesk staff to verify the identity of a caller by asking them a challenge question. Through an intelligent mechanism, combined with reversible encryption, the helpdesk employee can ask the end user to provide certain characters, for example, the first and last letters of the answer. By keying in the response, the helpdesk staff can verify that the caller is who they claim to be and can move forward with the password reset process or other requests.
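One way to implement the partial-answer check described above, as an added example that is not the vendor's code: instead of the reversible encryption the post mentions, it stores a keyed digest of each character of the enrolled answer (HMAC with a server-side key, assumed to live in a separate secret store), so the helpdesk screen can confirm the first and last letters the caller gives without anyone ever seeing the full answer, and it locks the check after a constructed limit of three consecutive failures.

```python
import hashlib
import hmac
import secrets


class HelpdeskVerifier:
    """Partial-answer check for helpdesk ID verification.

    Each character of the enrolled answer is stored as HMAC(server_key, salt|pos|char),
    so the agent can confirm the characters asked for (first and last here) while
    the full answer is never shown or held in reversible form.
    """

    def __init__(self, server_key: bytes, max_attempts: int = 3):
        self._key = server_key      # assumed to live in a separate secret store
        self.max_attempts = max_attempts
        self._records = {}          # user -> (salt, per-position digests)
        self._failures = {}         # user -> consecutive failed verifications

    def _digest(self, salt: bytes, pos: int, ch: str) -> bytes:
        msg = salt + pos.to_bytes(2, "big") + ch.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, user: str, answer: str) -> None:
        """Normalise case and surrounding whitespace, then store one digest per character."""
        answer = answer.strip().lower()
        salt = secrets.token_bytes(16)
        self._records[user] = (salt, [self._digest(salt, i, c) for i, c in enumerate(answer)])
        self._failures[user] = 0

    def challenge_positions(self, user: str) -> tuple:
        """Positions the agent asks the caller for: first and last character."""
        return (0, len(self._records[user][1]) - 1)

    def verify(self, user: str, provided: dict) -> bool:
        """provided maps position -> the character the agent keyed in."""
        if user not in self._records or not provided:
            return False
        if self._failures[user] >= self.max_attempts:
            return False            # locked out after too many wrong answers
        salt, digests = self._records[user]
        ok = True
        for pos, ch in provided.items():   # check every position, no early exit
            if not (0 <= pos < len(digests)) or not hmac.compare_digest(
                    digests[pos], self._digest(salt, pos, ch.lower())):
                ok = False
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok
```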
6. Auto-Enrollment and On-boarding
Finally, and perhaps most importantly, what good are these tools if your users don't utilize them? To maximize the benefits of password management software, ensure there is some sort of auto-enrollment or on-boarding feature in place. With auto-enrollment, data is collected from an HR or SIS application and used to prepopulate answers in the password reset product's database, thus eliminating the need for employees to complete the enrollment process. On-boarding is similar; however, it uses a mechanism that gives a unique ID and One Time Password (OTP) to the end user based on personal info in the HR or SIS. It ensures that a user's ability to reset their password is set up before network access is granted. Some products can even put in place a pop-up wizard for end users to fill in challenge questions and answers. You can ensure that it cannot be closed until this info is completed, guaranteeing enrollment in the product.
We use the New Year as an excuse to shed that winter weight, spend less and save more, become an all-around better person, etc. Why not apply this to your organization? Let's use Q4 to create a 2018 password strategy and policy and start the new year with peace of mind. I hope this guide will help you evaluate your current password position and spot opportunities to strengthen it.