The initial article in this series dealt with systems used by your business and who should have what kind of access. In most cases, access is granted by the system administrator and conferred by a password. This makes password discipline an important component of your data security.
This discussion on password discipline does not mean your company won’t have a systems breach or that data will not be exposed. However, password security and protocol is a good first-line defense and hopefully you will find some best practices in this article you can incorporate in your business.
Is password security a big deal? Yes, it is. How passwords are created is a key to greater systems security. In a major systems hack in 2020, over 32 million passwords were compromised. Around 1% (320,000) of the passwords were “123456.” The next most commonly used password was “12345” followed by “11111”, “qwerty” and “abc123.”
In 2021 there were 1,862 data breaches, according to CNET. There were also 2,690 ransomware attacks. Both of these numbers represent double digit percentage increases from the previous year. They also represent only the attacks that were reported. It is not unusual for companies to not publicly report a hack or ransomware attack to lessen any panic or embarrassment.
When you or your employees create passwords, there should be a format so you don’t end up with the type of passwords shown above. Passwords should never use personal information such as the user’s name, age, birth date, pet’s name or anything else that might be found on-line.
Passwords should include a combination of letters, upper and lower case, numbers and characters. That may seem like common sense, but people don’t want to have to remember complex passwords or forget them if they don’t use them every day. Strong passwords can be easy to remember but hard to guess. A couple of examples; Iam:)2b29 (I am happy to be 29) and 2B-or-Not_2b (to be or not to be).
Another security protocol is passwords should not be reused. Users, in an attempt to remember passwords for multiple systems, will use the same password for each system, e-mail, social media, payroll, accounting, POS and more. Two recent breaches revealed a password reuse rate of 31% among victims. Reusing passwords is bad enough when someone outside your business is trying to get access to your data, but also presents a significant and often overlooked risk internally.
Passwords should not only be system specific, but individual specific too. Being able to see who logs into systems used by your business allows for audit if data goes missing or is compromised. Like so many other threats to your business, bad actors are not always external, so being able to track internal data access is important.
How often should passwords be changed? The thinking on that is evolving. It was originally recommended changing a password every three months. That recommendation made sense initially, but thinking has changed somewhat. A cyber security consultant at intrust IT told Business Insider, “Unless you become aware of a password breach, there is no need to change your passwords regularly if each is a strong, unique password” (emphasis mine). So should you regularly force password changes or not?
The emphasis above about a strong and unique password cannot be overstated. Let’s start with some best practices for strong passwords.
Never reveal your password to others. This may seem logical, but many times employees share a password in an attempt to simplify system use and in a misguided sense of efficiency. Employees may feel they have been denied access to some systems to which they should have access to do their job, or that management made a “wrong” decision. A way to do that is using a password from someone who does have access.
Use different passwords for different accounts/systems. This may also seem logical, but as noted above employees will move towards what is easier for them. Many times that manifests itself by using one password for all systems.
Length trumps complexity. The longer the password, the more difficult it is to crack. Is the extra digit a capital letter? Lower case letter? Number? Special character? A brute force attack against a 6-digit password would take around 22 hours, an 8-digit password 46 hours, and for a 10-digit password an average 2 years.
Complexity still counts. Use a combination of upper and lower case letters, numbers and characters. A gibberish (y_?\E4Dj) password is better than one actually made up of words. Note the sample here and the two examples given earlier.
The question remains, should you change your passwords regularly? The answer comes back to how strong and unique are the passwords being used. Obviously you can police your own passwords, establishing protocols for your employees, and inspection. This will insure they too will create strong passwords.
If you think one of your systems has been compromised, you should change your passwords immediately. When an employee leaves, you should change your passwords. While it may seem the parting was on good terms, things change. Just because you think an employee leaving was to go back to school, a better job or a relocation, doesn’t automatically make it so.
Something could change and that “friendly” parting might change, so why take the risk. The former employee may end up working at a competitor and decide getting a list of your customers, your inventory or profit margins would make them more valuable. Of course, something more sinister might happen, so protecting your data is always the best thing.
Earlier this article mentioned hacks and ransomware attacks. Both are targeted at your business data, but with slightly different purposes. If your systems get hacked, it may be to get a look at and/or copy some of your business data. Hackers could look at your customer credit card numbers, phone numbers, addresses and more. They could look at the financial information about your business like bank account numbers and personal information on your employees. This information may be sold and/or used to steal identities and cause significant problems for you, your customers and employees.
A ransomware attack also targets your business data. Instead of just looking at the business data, a ransomware attack will encrypt your data or make it unusable to you. The endgame is to get your business to pay a ransom for a key to unlock your data. Most ransoms are requested in a crypto-currency in return for an electronic key.
Either of these attacks should be reported to the authorities to allow tracking and hopefully keep this from happening to someone else. It also allows the opportunity to alert customers their information has been compromised and to quickly make changes and look for fraudulent charges.
As mentioned earlier, password security is a big deal. I’ve touched on two external threats but there are others both external and internal. In a future article, I’ll address those and how and where you can back-up your data to minimize those threats.
Thoughts? Contact Steve Bina: email@example.com.