If you are an IT leader, particularly in a mid-sized or small organization, here are some mission-critical data security questions for you to consider.
- When was the last time you voluntarily submitted to having a security audit focusing on password use in your organization?
- Have you submitted to a third-party penetration test to assess, among other things, how vulnerable the passwords currently in use in your organization are?
- How would you rate your visibility into the relative password strengths used by company employees?
- Have you documented and enforced a formal password policy regarding items such as password complexity and expiration?
- Does your group lead formal password education seminars for all employees?
- Have you added additional factors to authenticate users?
If after reading these questions you are shuffling your feet beneath the desk while answering ‘no’ or ‘somewhat’, the good news is you aren’t alone. The bad news is that there is a lot you should be doing, but are not, to combat a huge source of data leaks, data theft, and data compromise. In other words, you are turning a blind eye to potentially very costly issues, and the blame for them will rightly be laid at your door.
Survey says: Weak passwords far too common
Consider the results of a recent major study that found nearly one in five enterprise users use very weak passwords, or share passwords, making them ‘easily compromised’ according to the survey authors. Businesses with a higher-than-average percentage of compromised passwords also had a higher-than-average percentage of shared passwords.
The survey authors went a step further and estimated how long it would take to compromise a password using widely available off-the-shelf cracking hardware and software. For low-complexity passwords, those governed only by a minimum length, most could be compromised in less than a day. Medium-complexity passwords, those with a length rule plus some measure of complexity such as a capital letter or a digit as the last character, took a week or less. And high-complexity passwords, which add a requirement for special characters on top of capitalization, could take upwards of a month to crack. Bear in mind that any such figure depends on how the password is stored and on the attacker’s hardware: an offline attack against a fast, unsalted hash runs billions of guesses per second, while a properly salted, slow hash cuts that rate by orders of magnitude.
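To make the survey’s three tiers concrete, here is an added example (mine, not the survey’s or the page’s code) that estimates how much work each tier actually buys an attacker. The guess rate of ten billion per second is an assumption for a fast, unsalted hash on commodity GPU hardware, and the alphabet sizes are plain printable ASCII. The row to look at is the ‘medium’ policy as users typically satisfy it: a capital letter first and a digit last leaves an attacker who knows that habit with a search space barely larger than lowercase-only, which is the pattern problem the article goes on to describe.

```python
from math import log2

# Alphabet sizes for printable ASCII (constructed inputs for the estimate).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 32
MIXED = LOWER + UPPER + DIGIT          # 62 symbols
ALL_PRINTABLE = MIXED + SYMBOL          # 94 symbols

# Assumed offline guess rate: roughly one GPU rig against a fast, unsalted
# hash. A slow, salted hash (bcrypt, scrypt, Argon2) is thousands of times
# slower per guess, so scale this number for your own systems.
GUESSES_PER_SECOND = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates when every position may hold any of `alphabet_size` symbols."""
    return alphabet_size ** length


def mask_keyspace(position_sizes) -> int:
    """Candidates when the attacker knows the per-position alphabet
    (the same idea as a hashcat-style mask attack)."""
    space = 1
    for size in position_sizes:
        space *= size
    return space


def bits(space: int) -> float:
    """Entropy of a uniformly chosen candidate, in bits."""
    return log2(space)


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate tried. Expect about half on average."""
    return space / rate


def policy_comparison(length: int = 8) -> dict:
    """Effective keyspace for the policy tiers in the text, plus the 'medium'
    tier as users typically satisfy it (capital first, digit last) and a
    lowercase-only password that is simply four characters longer."""
    predictable_medium = [UPPER] + [LOWER] * (length - 2) + [DIGIT]
    return {
        "low (length only, lowercase in practice)": keyspace(LOWER, length),
        "medium (capital first, digit last)": mask_keyspace(predictable_medium),
        "medium (attacker must try all 62 symbols)": keyspace(MIXED, length),
        "high (all 94 printable symbols)": keyspace(ALL_PRINTABLE, length),
        "lowercase only, but 4 characters longer": keyspace(LOWER, length + 4),
    }


if __name__ == "__main__":
    for name, space in policy_comparison().items():
        days = seconds_to_exhaust(space) / 86400
        print(f"{name:45s} {bits(space):5.1f} bits  {days:10.2f} days")
```

Run it and compare rows: the predictable ‘medium’ password is worth about 36 bits against an attacker who knows the habit, versus nearly 48 bits if every position really were random over 62 symbols, and a lowercase-only password four characters longer beats even the 8-character ‘high’ tier. Length is the cheapest lever, and a rule that everyone satisfies the same way is not worth what it appears to be.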
These and other survey findings, coupled with widely reported cases of compromised passwords being used to steal sensitive information, should be ample reason for users to adopt good password hygiene. But the data also shows they simply don’t, for convenience if nothing else. As one blogger and data scientist sees it, perhaps one percent of business users really cares about, or is even aware, that passwords are often built on patterns, and that those patterns can be modelled and broken in far too many cases.
The torch is passed to IT leaders
Thus the onus is clearly on IT leadership to close this potentially yawning gap in data security. And there is plenty these leaders can and should be doing to pre-empt the disasters awaiting businesses that permit weak passwords.
For starters, it almost goes without saying that a rock-solid password management solution is job one. There are several available, but they are not all created equal. Look for one that lets your users quickly and easily create long, random passwords they never have to remember, while giving administrators the ability to enforce the password policies you set and to monitor compliance with them.
What the better of these systems offer is visibility for IT into how passwords are being used across the organization: which accounts are weak, reused or shared, without administrators ever needing the passwords themselves. After all, as one major password study found, nearly six in ten SMBs have no visibility into employees’ password practices. Worse, in the typical SMB today, 60% of employees use the same password for everything, and it is often not a strong one.
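As an added example of what such a solution does under the hood (my code, not the page’s and not any particular product’s), here is a generator and a policy checker: every character is drawn from the operating system CSPRNG through Python’s `secrets` module, never from `random`, and the policy values (14 characters, three character classes, no run of more than three identical characters) are hypothetical placeholders for whatever an administrator configures.

```python
import math
import secrets
import string

# Alphabet the generator draws from: the 94 printable ASCII characters, space excluded.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Hypothetical policy an administrator might push from a password manager's console.
POLICY = {"min_length": 14, "min_classes": 3, "max_run": 3}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password whose every character is uniform over the alphabet."""
    return length * math.log2(alphabet_size)


def policy_violations(password: str, policy: dict = POLICY) -> list:
    """Return the rules a password breaks; an empty list means it is compliant."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    present = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if present < policy["min_classes"]:
        problems.append(f"uses {present} character classes, policy needs {policy['min_classes']}")
    run = 1
    for previous, current in zip(password, password[1:]):
        run = run + 1 if previous == current else 1
        if run > policy["max_run"]:
            problems.append(f"repeats a character more than {policy['max_run']} times in a row")
            break
    return problems


def generate_password(length: int = 20, policy: dict = POLICY) -> str:
    """Draw uniformly from ALPHABET with the CSPRNG, rejecting draws that break
    the policy so the result stays uniform over the set of compliant passwords."""
    if length < policy["min_length"]:
        raise ValueError(f"length {length} is below the policy minimum of {policy['min_length']}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate, policy):
            return candidate


if __name__ == "__main__":
    for sample in ("Summer2019!", "aaaaaaaaaaaaaaaa", generate_password(20)):
        print(repr(sample), policy_violations(sample) or "compliant")
    print(f"20 random characters from {len(ALPHABET)} symbols: {entropy_bits(20):.1f} bits")
```

Rejection sampling is the right way to satisfy a class rule: forcing ‘one digit, one symbol’ into fixed positions reintroduces exactly the predictable structure the survey found, whereas re-drawing until a uniformly random string happens to comply keeps every compliant password equally likely.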
Next, the importance of ongoing education of all business users by IT leaders cannot be overstated. Education is a pathway to empowerment, and educating users about password hygiene helps each of them better understand their role in protecting data and the organization. You don’t necessarily need to run password-only training; just make sure that whenever you host security training, online or in person, password security is prominently featured.
By now multi-factor authentication should be a business standard. The better password management solutions make it easy to deploy, and a second factor dramatically reduces the damage a compromised password can do, because the password alone no longer grants access. Remember, you don’t necessarily need to make things totally bullet-proof to keep hackers and cyber criminals away; just make it hard enough that they don’t want to spend the extra time to break in.
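As an added example of what ‘an additional factor’ looks like in practice (my code, not the page’s and not any vendor’s), here is a time-based one-time password generator and verifier following RFC 6238 with the HMAC-SHA1, 30-second, six-digit defaults that common authenticator apps use. The one-step tolerance window and the test secret from the RFC’s own appendix are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side, to
    tolerate clock drift. The comparison is constant-time so the verifier cannot
    be timed against the expected code."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(key, at_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def new_shared_secret(nbytes: int = 20) -> str:
    """Fresh per-user secret from the CSPRNG, base32-encoded for enrolment in an authenticator app."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(encoded: str) -> bytes:
    """Decode an enrolment secret, tolerating the spaces and missing padding apps often show."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Test secret from RFC 6238 Appendix B (constructed here so the example runs offline).
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("RFC 6238 vector at t=59 :", totp(RFC6238_SECRET, 59, digits=8))  # 94287082 per the RFC
    print("code for right now      :", totp(RFC6238_SECRET, time.time()))
    print("accepted one step late  :", verify_totp(RFC6238_SECRET, "94287082", 89, digits=8))
```

The point of the factor is visible in `verify_totp`: an attacker who has cracked or phished the password still needs the per-user secret, which lives only on the enrolled device and in the server’s store. In production, also remember the last counter accepted for each user so a code cannot be replayed within its window, and keep the shared secrets encrypted at rest, since unlike password hashes they must be recoverable to verify a code.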
Conclusion
We’ve written before that password management is more than an IT problem, and it is: it is a problem for senior non-IT executives and for business users too. But in the scheme of things, particularly in mid-sized and smaller organizations, IT leadership can and should play the biggest and most effective role in protecting sensitive data by ensuring that strong passwords are the norm, not the exception.