Wednesday, August 12, 2015

Are Weak Passwords Putting your Business at Risk?

Let’s face it, everybody hates passwords. They are a pain and a nuisance, but in today’s connected world, they are clearly necessary. Passwords are multiplying and are not going away any time soon. Most companies have no real password requirement. Everyone has a password but the clarity on what needs to be done and what is appropriate and/or what’s not appropriate is not distributed to the company.

You need to take this seriously, securing your information is important.

Log-in box on computer screen of admin“But Marge does not have anything really sensitive on her computer so we just leave her alone.” – Anonymous Owner

There is often a feeling that certain people need less security, because their work does not deal with sensitive information. Please understand leaving one person’s password unsecured is like leaving a door unlocked to your palace. You cannot make this assumption without paying high penalties.

All passwords need to be secure and updated. Often breaches start by entering a smaller target to gain access to the real target. We see hacks that use smaller companies who service larger organizations targeted because they tend to be very lacking in basic security.

So what is a secure or strong password?

It may sound cliché, but your password has to be strong or there is no point in it. There are plenty of articles and viewpoints out there about how complex passwords must be, but you should always have a minimum of at least eight characters. It should not be a dictionary word (in English or any other language). It should include both uppercase and lowercase letters and a special character or two. A passphrase is a great approach as well, as long as it is not common. Passwords like 123123, letmein, birthdays, sports, names, even password1 are no good. It is like having a key with no ridges.

NOTE: Stop writing your latest password on sticky notes and “hiding” them under your desk. That is a security 101 no-no. Store it somewhere safe, out of everyone’s hands.

The top passwords for this year:

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1

Apparently lots of people enjoy playing baseball with a dragon and driving a superman mustang. Personally, we prefer the bat mobile.

Put your password to the test at this “How Secure Is My Password” website.

Your password policy: 

Create – Implement – Enforce
Your WRITTEN policy needs to define secure and unsecured passwords, sharing rules, frequency of changing and reiterate the importance of them. All those that complain may not be fully educated on the impact that a breach would have on everyone, not just the company. Please explain to your staff clearly why it is a requirement of being employed. Lastly, your employees need to acknowledge they understand it and are responsible to abide by it. They need to also be accountable.

The skeleton of your policy should include:
  1. Minimum password length
  2. Password composition:
    • Character requirements and allowances as well as capitals, lowercase, numbers, special characters or items such as your name and the company name are not allowed.
  3. Password age limitation:
    • The frequency of change required.
  4. Password storage:
    • Passwords are not to be written down, they must be memorized or kept in a password manager.
  5. Reuse of passwords:
    • Do not use the same password at work that you use in any other account.
  6. Sharing and transferring:
    • Passwords are not allowed to be shared without proper authorization.
    • If it is shared, establish what criteria is needed to share.
  7. Electronic transmission:
    • No transmission over insecure networks or communication.
  8. Requirements for System Administrators:
    • Both their permission level and power to control others as well as a clear understanding of how are they held accountable
  9. Enforcement:
    • Roles, responsibilities, consequences and sanctions
  10. Exemptions:
    • Policy and forms for any exceptions

Now let’s be reasonable, you are not Fort Knox, but perspective still matters. If you have anything of value on those systems that you wouldn’t want distributed to everyone: your employees, competitors, vendors, partners, investors, ex-spouse, etc. then you need to protect it. Like your key to the lock on the front building that’s there for a reason.

But really, who is out to get me? I am just a small business owner.

Maybe you are the kindest person with no secrets willing to give away all your information. Even so, you may not realize largest offenders are most often internal or external IT people [who have the largest amount of access to your network]. They have access to your servers, workstations, applications and firewall. Make sure you have a process to verify their compliance as well. Also, be certain that many times these mistakes are simply that, mistakes. If one person unknowingly provides their password to an outsider who has any malicious intent, your biggest asset, and your information could be swiped from you in minutes. In this case you can be yourself, be trusting on other levels, but don’t be naive with your information.

Avoid Reaction, Take Action.
  1. Create a written password policy. It should be part of your computer usage policy. Make sure all employees are familiar with it and agree to abide by it.
  2. Help them understand why it is important. Listen to the groans, appreciate their issues and then insist they do it.
  3. Help them understand what appropriate and inappropriate passwords are.
    • While you are at it, help them understand that their families and personal information needs to be safeguarded as well. They need to keep their interested protected as well. Make it a service announcement for them. Identity theft is booming. Keeping yourself safe is very important.
  4. Make sure your IT support puts the policy in place that requires policy to be followed. Often they will not like this because they will have to spend more time “resetting passwords”. A small price to pay for security.
  5. Make sure your IT people are following the same procedure. We have seen often they circumvent it, because they have the authority.

For more information you can trust, visit us at, like us on Facebook, or follow us on Twitter and LinkedIn. Become an Accredited Business and get the resources you need to give you confidence and help keep your business safe and secure. 

Written by Dan Adams, CEO of BBB Accredited Business, New England Network Solutions (NENS).  

Dan is a serial entrepreneur who ran his first retail operation in high school. He founded NENS in 1993 and over the years, owned and managed several start-up companies. Dan is passionate about sharing his success strategies with fellow entrepreneurs.

No comments:

Post a Comment

Submission Rules