5 Password Tips for SMB Data Breach Prevention
A recent survey conducted by the Ponemon Institute of nearly 600 IT staff from businesses with fewer than 1,000 employees found that more than 50 percent have suffered a cyber attack within the past 12 months. The report, “The 2016 State of SMB Cybersecurity,” can be downloaded here.
The fact that only 14 percent of the companies surveyed rated their cyber defenses as highly effective sheds light on the specific challenges small and medium-sized businesses (SMBs) face. With limited budgets and a lack of IT staff devoted to cybersecurity, the task of keeping your business safe in an increasingly digital world is daunting.
Creating a strong cybersecurity posture involves three prongs: prevention, detection and remediation. Considering that 63 percent of businesses are breached due to weak, default or stolen passwords, a cost-effective and quick-fix solution is prevention via password management.
Passwords are a headache for both employees and administrators who devote valuable time solving password issues. Since passwords don’t seem to be going away anytime soon, companies can follow proven best practices regarding password policies and management to mitigate risk and improve employee satisfaction.
Tip #1: Get a Second Opinion.
One way to determine your company’s password policy would be to run a third-party risk assessment. The assessment will inform your decisions regarding stronger password policies for higher-risk employees, groups or applications. For instance, using the same password policies for the security team that you use for partners and contractors is a bad idea because you know less about these “non-employees” than you do about your own employees.
Contractors frequently connect their own devices to the network. This increases the risk of malware or malicious code being introduced into the corporate network. For this reason, apply stronger password policies for non-employees and administrators.
Tip #2: What Works for Consumers Works for Employees.
To improve the employee experience with passwords try using consumer-oriented tools, such as a password strength meter, to tell employees the relative strength of their chosen password. Another idea is to add a knowledge-based question to leverage employee-specific data in order to add a layer of identity verification. For instance, this can include the employee’s hire date, badge number or manager’s name. Making this information available to help desk support staff can greatly assist in enhancing the verification process for resetting passwords.
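As an added illustration of the consumer-style strength meter described above (this is example code written for this page, not a tool from the article or a product it mentions), the following estimates a rough entropy score for a candidate password and returns the kind of feedback a meter would show an employee. The denylist of common passwords and the score thresholds are assumptions chosen for illustration, not published guidance.

```python
import math
import re

# Constructed, deliberately short denylist; a real meter would load a large list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Score thresholds in bits of estimated entropy (assumption for this example).
SCORE_THRESHOLDS = [28, 36, 60, 80]  # below 28 -> 0, ... 80 and above -> 4


def _alphabet_size(password: str) -> int:
    """Size of the character pool implied by the classes actually used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def estimate_bits(password: str) -> float:
    """Rough brute-force entropy: log2(pool) * effective length.

    Runs of the same character ("aaaa") are collapsed first so that
    repetition does not inflate the estimate.
    """
    if not password:
        return 0.0
    collapsed = re.sub(r"(.)\1+", r"\1", password)
    pool = _alphabet_size(password)
    return math.log2(pool) * len(collapsed)


def rate_password(password: str) -> dict:
    """Return a meter-style result: score 0..4, estimated bits, and feedback."""
    if password.lower() in COMMON_PASSWORDS:
        return {"score": 0, "bits": 0.0,
                "feedback": ["This is one of the most common passwords."]}

    bits = estimate_bits(password)
    score = sum(1 for threshold in SCORE_THRESHOLDS if bits >= threshold)

    feedback = []
    if len(password) < 8:
        feedback.append("Use at least 8 characters.")
    if re.fullmatch(r"(.)\1*", password):
        feedback.append("Avoid repeating a single character.")
    if _alphabet_size(password) <= 26:
        feedback.append("Mix upper case, digits or symbols, or use a longer passphrase.")
    return {"score": score, "bits": bits, "feedback": feedback}


if __name__ == "__main__":
    for candidate in ["password", "aaaaaaaa", "Winter16", "correct horse battery staple"]:
        print(candidate, rate_password(candidate))
```

The score is only an estimate of resistance to brute force; it does not detect dictionary words or keyboard patterns beyond the denylist, which is why the text pairs the meter with a policy rather than relying on it alone.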
Tip #3: Help Your Help Desk.
On average, users will contact help desks about 28 times a year. According to Forrester’s “Q2 2015 Global Password Usage and Trends Online Survey,” the average password reset in which a user contacts the help desk could cost your firm $179 per user per year. That means a company with 1,000 employees could spend upward of $179,000 annually for password resets alone.
Identity and Access Management (IAM) tools can dramatically reduce help desk support costs. By automating the password management process, employee productivity can be improved and operational costs reduced. These tools can also enforce compliance, prevent former employees from walking away with sensitive data, and help the business keep up with regulations and changing policies.
Tip #4: Keep Passwords Salty.
Storing passwords in plaintext is dangerous. Furthermore, hashing passwords with a fast, general-purpose algorithm such as MD5 or SHA-1 is no longer sufficient. Therefore, use salting so that every stored password hash is derived from a unique value.
Salting is the process of generating a random, unique value (the “salt”) for each account and combining it with the password before hashing. With this model, employees who choose the same password will still produce different hash outputs, so an attacker cannot crack them all at once with a single precomputed table, making them much more difficult to crack.
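To show the contrast the tip draws, here is an added example (written for this page, not code from the article) that stores a password two ways: an unsalted SHA-1 digest, and a per-user random salt combined with the password through PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The pattern the tip warns against: a bare SHA-1 of the password.

    Two users with the same password get the same digest, so one cracked
    (or precomputed) hash exposes every account that shares it.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt is drawn per call, so identical passwords yield
    different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def distinct_hash_count(passwords, hasher) -> int:
    """How many distinct stored values a list of passwords produces under a hasher."""
    return len({hasher(p) for p in passwords})


if __name__ == "__main__":
    # Constructed sample: two employees who picked the same password.
    shared = "Winter2016!"
    print("unsalted:", distinct_hash_count([shared, shared], unsalted_hash), "distinct value(s)")
    print("salted:  ", distinct_hash_count([shared, shared], hash_password), "distinct value(s)")
    record = hash_password(shared)
    print("verify correct:", verify_password(shared, record))
    print("verify wrong:  ", verify_password("winter2016!", record))
```

The salt is stored alongside the hash in the clear; its job is uniqueness, not secrecy. The slow key-derivation function is what makes guessing expensive, and `hmac.compare_digest` avoids leaking timing information during verification.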
Tip #5: Security is Everyone's Responsibility.
Password management is everybody’s business. From the CEO and stakeholders to the janitor, SMBs can no longer put all of the responsibility of cybersecurity upon the IT staff.
Small businesses could face losses of an average of $879,582 per incident due to damage or theft of IT assets, and disruption to normal operations costs an average of $955,429. This can significantly cripple a business and should be a wake-up call to take password management seriously and to be proactive when it comes to defending yourself.