As an IT Manager, one of your many (many) responsibilities is to establish and manage a robust and effective password policy for your organisation. Easier said than done, of course, especially in an environment where staff have a variety of accounts for the various tools and platforms your organisation makes use of, most of which contain customer data. We have had the same challenges ourselves and would like to share some insights and best practices to help you enhance your cybersecurity with a robust password policy.
It always starts with an audit (you can only figure out where to go once you know where you currently are, right?). Being armed with this knowledge will allow you to craft a robust password policy and to gauge how well your staff understand data security.
So, establish what the current password practices are within your organisation.
This includes:
Conducting a comprehensive password audit can help you identify areas that need improvement and lay the foundation for an effective password policy.
This is about defining, in your password policy, exactly how complex a password must be.
These are the factors you should consider:
Here’s some more info about what it takes to create a strong password.
By establishing clear and enforceable password complexity requirements, you can significantly enhance the security of user accounts and reduce the risk of password-related breaches.
We recommend a regular interval of between 60 and 90 days (McAfee agrees). You should also implement mechanisms to enforce this practice where possible, such as setting a password expiry on the systems that support it. This time period should balance security against the burden placed on your employees.
You should also educate your staff on the importance of not reusing passwords across multiple accounts, and not using easily guessable patterns or incremental variations when creating new passwords.
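The complexity requirements above and the "no trivial variations of the old password" rule are easiest to enforce when a single checker applies them at every password change. The block below is an added example written for this post, not code from the original article; the concrete thresholds (12 characters, three of four character classes, a run length of four for patterns), the small blocklist and the `check_password` / `previous` names are all assumptions, since the post gives no numbers.

```python
"""Password policy checker: complexity rules plus a check that the new
password is not a trivial variation of the previous one.

Added example (not from the original post). Thresholds are assumed values;
tune them to your own policy."""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12          # assumed minimum length
MIN_CLASSES = 3          # assumed: at least 3 of lower/upper/digit/symbol
PATTERN_RUN = 4          # assumed: runs of 4+ repeated or sequential chars fail

# Constructed blocklist for the example; a real deployment would load a
# breached-password list (hundreds of millions of entries) instead.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein",
                    "qwerty123", "admin123"}

# Sequences used to spot keyboard walks and alphabetic/numeric runs.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
PUNCT = "!@#$%^&*.,_-"


@dataclass
class PolicyResult:
    ok: bool
    failures: list = field(default_factory=list)


def _char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def _has_pattern(pw: str, run: int = PATTERN_RUN) -> bool:
    """True if the password contains a repeated character run ('aaaa')
    or a forward/backward slice of one of SEQUENCES ('1234', 'dcba')."""
    low = pw.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), low):
        return True
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def _normalise(pw: str) -> str:
    """Strip the decorations people bolt on when 'changing' a password:
    case, surrounding punctuation and a trailing number."""
    s = pw.lower().strip(PUNCT)
    s = re.sub(r"\d+$", "", s)
    return s.strip(PUNCT)


def _is_variation(new: str, old) -> bool:
    """Detect incremental variations such as Summer2023!! -> Summer2024!!."""
    if old is None:
        return False
    a, b = new.lower(), old.lower()
    if a == b or _normalise(new) == _normalise(old):
        return True
    # One password embedded in the other (e.g. old password plus a suffix).
    return (len(b) >= 6 and b in a) or (len(a) >= 6 and a in b)


def check_password(candidate: str, previous=None) -> PolicyResult:
    """Apply every rule and report all failures, so the user can fix them
    in one go instead of discovering them one at a time."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if _char_classes(candidate) < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} character classes")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password blocklist")
    if _has_pattern(candidate):
        failures.append("contains a repeated or sequential run")
    if _is_variation(candidate, previous):
        failures.append("trivial variation of the previous password")
    return PolicyResult(ok=not failures, failures=failures)


if __name__ == "__main__":
    for cand, prev in [("Tr0ub4dor&3-Unicorn!", None),
                       ("Password1234", None),
                       ("Summer2024!!", "Summer2023!!")]:
        print(cand, "->", check_password(cand, prev))
```

The variation check is deliberately run against the previous password in plaintext at change time, which is the only moment it is available; it is not possible to run it against stored hashes later, so this kind of rule has to live in the change flow, not in an after-the-fact audit.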
This is about requiring users to provide more than one form of authentication or verification before being granted access to an account or system (two-factor authentication, or 2FA). It adds an additional layer of security to user accounts and can prevent access even if a password is compromised. Here's a more detailed piece about how 2FA works.
Typically this is a configurable service offered by each individual platform. If it’s available, you should be using it.
2FA can include using biometric factors such as fingerprints or facial recognition, hardware tokens, or one-time passwords (OTPs) delivered via SMS or mobile apps.
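The "one-time passwords delivered via mobile apps" mentioned above are almost always TOTP (RFC 6238), which builds on HOTP (RFC 4226): both sides share a secret at enrolment, the app derives a short code from the secret and the current 30-second time step, and the server recomputes it. The block below is an added example written for this post, not code from the original article or from any authenticator vendor; the `TotpVerifier` class and its replay guard are this example's own design, and the test secret is the one published in the RFCs.

```python
"""Both halves of an app-based 2FA exchange: the authenticator side
(hotp/totp) and the verifying side (TotpVerifier).

Added example, not from the original post. Standard library only."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step.
    This is what the phone app computes and displays."""
    return hotp(secret, int(at_time) // step, digits)


def enrol(account: str, issuer: str = "ExampleCorp") -> tuple:
    """Generate a fresh 160-bit shared secret and the otpauth URI that is
    normally shown to the user as a QR code. Issuer name is a placeholder."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}"
           f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


class TotpVerifier:
    """Server side. Accepts a code within +/- `window` steps of the current
    time (to tolerate clock drift) and refuses to accept the same step
    twice, so a code that was intercepted cannot be replayed."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = {}   # account -> last accepted time step

    def verify(self, account: str, secret: bytes, submitted: str,
               at_time=None) -> bool:
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        last = self._last_counter.get(account, -1)
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= last:
                continue            # already used or older: replay guard
            expected = hotp(secret, c, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time
                self._last_counter[account] = c
                return True
        return False


if __name__ == "__main__":
    secret, uri = enrol("alice@example.org")
    print("enrolment URI:", uri)
    code = totp(secret, time.time())            # what the app would show
    v = TotpVerifier()
    print("first use accepted:", v.verify("alice", secret, code))
    print("replay accepted:  ", v.verify("alice", secret, code))
```

Two details matter for a correct deployment: the comparison is constant-time (`hmac.compare_digest`) so response timing leaks nothing about the expected code, and the replay guard means a code is only ever good once per account, which the bare RFC verification loop does not give you on its own.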
It is crucial to invest in security education and training for your teams. This creates a strong security culture and helps to safeguard your sensitive information and systems.
We recommend that you host regular training sessions and/or awareness campaigns to educate your staff on the importance of:
We’ve even run quiz competitions with prizes after training sessions; these are always popular ;)
It’s not nice, but it’s essential. Once you’ve got a robust password policy in place, you need to implement mechanisms to monitor and enforce compliance with that policy.
You can:
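One concrete way to monitor compliance (and to run the initial audit the post opens with) is a scheduled job that pulls account attributes from your directory or identity provider and reports every account that breaks the policy. The block below is an added example, not code from the original post; the `Account` records are constructed sample data standing in for a directory export, and the 90-day limit and 14-day warning window are assumed values.

```python
"""Password-policy compliance audit over exported account records.

Added example, not from the original post. The records below are
constructed; in practice they would come from AD / your IdP."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_AGE_DAYS = 90    # assumed rotation limit (the post suggests 60 to 90)
WARN_DAYS = 14       # assumed: warn this many days before expiry


@dataclass(frozen=True)
class Account:
    username: str
    last_password_change: Optional[date]   # None = never changed
    mfa_enabled: bool
    enabled: bool = True


@dataclass(frozen=True)
class Finding:
    username: str
    category: str    # expired | expiring | never_changed | no_mfa
    detail: str


def audit_accounts(accounts, as_of: date,
                   max_age_days: int = MAX_AGE_DAYS,
                   warn_days: int = WARN_DAYS) -> list:
    """Return one Finding per policy violation. Disabled accounts are
    skipped: they cannot log in, so they are out of scope here."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_password_change is None:
            findings.append(Finding(acct.username, "never_changed",
                                    "password has never been changed"))
        else:
            age = (as_of - acct.last_password_change).days
            if age > max_age_days:
                findings.append(Finding(acct.username, "expired",
                                        f"password is {age} days old "
                                        f"(limit {max_age_days})"))
            elif age > max_age_days - warn_days:
                findings.append(Finding(acct.username, "expiring",
                                        f"password expires in "
                                        f"{max_age_days - age} days"))
        if not acct.mfa_enabled:
            findings.append(Finding(acct.username, "no_mfa",
                                    "2FA is not enrolled"))
    return findings


def summarise(findings) -> dict:
    """Count findings per category for a dashboard or ticket summary."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 5, 20), mfa_enabled=True),
    Account("bob",   date(2024, 1, 15), mfa_enabled=False),
    Account("carol", None,              mfa_enabled=True),
    Account("dave",  date(2023, 1, 1),  mfa_enabled=False, enabled=False),
    Account("erin",  date(2024, 3, 10), mfa_enabled=True),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for f in audit_accounts(SAMPLE_ACCOUNTS, today):
        print(f"{f.username:8} {f.category:14} {f.detail}")
    print(summarise(audit_accounts(SAMPLE_ACCOUNTS, today)))
```

Running this on a schedule and diffing the output against the previous run turns "monitor compliance" from an intention into a list of named accounts to chase, and the `expiring` category gives people the warning the post asks for before the system forces a change.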
Implementing robust password policies is critical for enhancing data security and protecting against cyber threats. By assessing current password practices, establishing password complexity requirements, enforcing regular password changes, implementing two-factor authentication, educating staff on password security, and monitoring and enforcing compliance, you can significantly strengthen your ability to protect your most valuable asset: data.
It’s important to note, though, that password security is an ongoing process, and regular review and updates to your password policies are essential to stay ahead of evolving threats. Read here for more tips on how to reduce business data risk and increase data security and compliance.