How to Stop ‘Passwords on Post-its’ Syndrome

How IT departments can shore-up digital security:

Improve company-wide awareness on company policy

A telling statistic finds that 61% of people are unaware of their company’s password policy, or even if the company has one. Without clearly defined password usage guidelines, the importance of passwords can be overlooked, and employees can be left without incentive to take anything other than the path of least resistance – a simple password that is easy to remember and easy to work out.  

Workers are far more likely to embrace and develop a security conscience if a strong policy is supported by education on the need for it and how security works. Mike Hanley, Program Manager at Duo Security, advocates teaching “security hygiene” whereby basic, company-specific security observances are demonstrated and assimilated by staff in order to reduce the strain on IT resources.

With just 39% of surveyed staff saying that their business has a clear password policy, it is critical that organizations establish strong policies and communicate these in formal sessions to staff to ensure whole teams are on the same page. 

As the number of workers’ digital access points increases, the use of easy-to-remember passwords, together with the use of duplicate passwords across a number of accounts, is on the rise. This poses a huge threat to even the best security systems. Policy should focus on stamping out laziness by forcing staff to create complex passwords that are unique to one account.

Continuous IT training

Organizations’ online security will only ever be as good as the staff members who uphold it. As Cheryl Biswas, IT coordinator at JIG Technologies recommends; ongoing commitment to IT security will help it to become a high-profile and approachable subject.

Individual security topics should be broken up into training sessions. For example, a class could look at how to spot suspicious links, and potential threats can be analyzed using tools such as URLQuery.net.

Monthly newsletters can broadcast bite-sized articles or tips on IT security which complement the information of dedicated training sessions. These can then be compounded by periodic tests to evaluate and address user awareness if necessary. 

Companies need to get away from awareness on digital security being limited to shared links, to good practice guidance online; such a nonchalance will inspire the same casual attitude among staff members.

Enforced login behaviors

Better password practice among individual employees can be strengthened if IT teams improve the online environment, with enforced safeguards such as account lockout and throttling. Systems should be configured to allow users a finite number of attempts to enter their correct password before their account is locked out.

Blacklisting passwords can be an effective backup tool, while protective monitoring also serves as a strong defense against forced attack and can be a workable alternative to account lockout.

Mobile users

The proliferation of cloud technology, remote working and any number of mobile devices means mobility policy is now essential for organizations wanting to maximize their IT security. Around 55% of US-based firms now have such policy in place for BYOD (Bring Your Own Device) users, a trend that is only set to increase as employees engage more with smartphones, tablets and computers in the workplace.

Improved protection should be given to remote or BYOD users, such as a two factor authentication system. Unfortunately, security layers are considered a hindrance to productivity. IT departments should be aware of this and be vigilant in removing users’ ability to disable security features.

Consider setting up a system that will grant secure access to your organization’s network for remote workers. Technologies such as virtual private network (VPN) software encrypt remote workers’ data and can operate alongside tools that ensure remote computers are running with current security patches and correct configuration.

Recent improvements in VPN technology have allowed for higher levels of encryption and the technology is available on more hardware than ever before. Opting for an SSL VPN can allow users secure access without the need for installation of bulky client software. However, compatibility with legacy operating systems or hardware might be an issue so be aware of potential compatibility problems before committing to a solution.

Conclusion

Organizational cyber security is not solely down to password usage, but depends on every group within a company working in sync to embrace new techniques and mind-sets that support safety in the online domain.

With training and improved awareness, companies can begin to foster healthier and more educated attitudes towards security, in which all parties have a stake.

Further reading:

• Lattes, lunch, and VPNs: Securing Remote Workers the Right Way
• The Active Directory Feature Enabling Telecommuters to Work Hassle-Free
• VDI or RDS? How to Create a Virtual Desktop for Your Business