As an IT Manager, one of your many (many) responsibilities is to establish and manage a robust and effective password policy for your organisation. Easier said than done of course. Especially in an environment where staff have a variety of accounts for various tools and platforms that your organisation makes use of - most of which contain customer data. We have had the same challenges ourselves and would like to share some insights and best practices to help you enhance your cybersecurity with a robust password policy. 

1. Assess Current Password Practices

It always starts with an Audit (you can only figure out where to go once you know where you currently are, right?). Being armed with this knowledge will allow you to craft a robust password policy whilst understanding where your staff are regarding their understanding of data security.

So, establish what the current password practices are within your organisation. 

This includes:

• Evaluating the strength of existing passwords
• Identifying any password-related vulnerabilities
• Understanding the level of awareness and compliance among staff members

Conducting a comprehensive password audit can help you identify areas that need improvement and lay the foundation for an effective password policy.

2. Define Your Password Complexity Requirements

This is about determining exactly how complex a password should be as defined by your password policy. 

These are the factors you should consider:

• Minimum password length
• Requiring a mix of uppercase and lowercase letters
• Using numbers and special characters, and
• Prohibiting the use of common or easily guessable passwords. 

Here’s some more info about what it takes to create a strong password. 

By establishing clear and enforceable password complexity requirements, you can significantly enhance the security of user accounts and reduce the risk of password-related breaches.

3. Enforcing Regular (but not too often) Password Changes

Even if someone does manage to get their digital fingers on your password(s) - you’re providing an additional layer of security by enforcing regular password changes. 

We recommend a regular interval of between 60 to 90 days (McAfee agrees). You should also implement mechanisms to enforce this practice where possible, like setting a password expiry on your systems that allow this. This time period should be a balance of security vs. being a burden on your employees. 

You should also educate your staff on the importance of not reusing passwords across multiple accounts, and not using easily guessable patterns or incremental variations when creating new passwords.

4. Two-Factor Authentication (2FA)

This is about requiring users to provide more than one form of authentication or verification before granting access to an account or system. It adds an additional layer of security to user accounts and can prevent access even if a password is  compromised. Here's a more detailed piece about how 2FA works. 

Typically this is a configurable service offered by each individual platform. If it’s available - you should be using it. 

2FA can include using biometric factors such as fingerprints or facial recognition, hardware tokens, or one-time passwords (OTPs) delivered via SMS or mobile apps.

5. Educating Staff on Password Security

It is crucial to invest in security education and training for your teams. This creates a strong security culture and helps to safeguard your sensitive information and systems. 

We recommend that you host regular training sessions and/or awareness campaigns to educate your staff on the importance of:

• Strong passwords and the risks of password-related breaches
• How to recognise a potential security threat
• How to report a potential security threat’

We’ve even run quiz competitions with prizes after training sessions - these are always popular ;)

6. Monitoring and Enforcement

It’s not nice, but it’s essential. Once you’ve got a robust password policy in place, you need to implement mechanisms to monitor and enforce compliance with that policy. 

You can:

• Regularly audit user accounts to identify weak or compromised passwords
• Establish consequences for non-compliance with password policies
• Regularly review and update your password policies based on the changing threat landscape and technology advancements

Implementing robust password policies is critical for enhancing data security and protecting against cyber threats. By assessing current password practices, establishing password complexity requirements, enforcing regular password changes, implementing two-factor authentication, educating staff on password security, and monitoring and enforcing compliance, you can significantly strengthen your ability to protect your most valuable asset, data. 

It’s important to note though that password security is an ongoing process, and regular review and updates to your password policies are essential to stay ahead of evolving threats. Read here for more tips on how to reduce business data risk & increase data security & compliance.