Managing passwords across our digital lives is a tedious but necessary task. It can be a daunting one for a business with no clear cybersecurity policy in place. A robust policy shrinks the attack surface for your business and your clients and lets you act quickly to contain a breach if one occurs. Here are a few recommendations we have for better password security.
Use a password manager
One of the best ways to manage your company's digital life is with a password manager. Our password manager of choice is 1Password, which gives us the right balance of administrative controls and features.
If you’ve never used a password manager before, the idea is that you sign into your account using your email and a strong master password. Inside your account, you can keep track of all the logins to websites and services you need, as well as other sensitive information. While accessing your complete digital life with a single login may sound dangerous, password managers protect your data in several ways.
Vault data is encrypted on your device before it is synced, with a key derived from your credentials, so if your password manager's servers were ever breached, the stolen data would be useless without that key. In the case of 1Password, the master password is combined with an additional 34-character Secret Key that lives only on devices you have already signed in on and must be entered on any new device. Because the Secret Key is random and is never sent to 1Password, an attacker who steals your encrypted vault cannot even mount an offline guessing attack against your master password: without the Secret Key, recovering the encryption key is out of reach for today's computing power.
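To make the point above concrete, here is an added illustration (not 1Password's actual key-derivation scheme, and not code from the original post) of why a vault encrypted with a key derived from the master password alone can be attacked offline, while mixing a high-entropy secret key into the derivation removes that attack. The weak master password, the wordlist, the HMAC-based key check value and the 16-byte secret key are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed inputs: a weak master password and a small attacker wordlist.
MASTER_PASSWORD = "Summer2019!"
WORDLIST = ["password", "letmein", "Summer2019!", "qwerty123", "Winter2019!"]
ITERATIONS = 100_000  # PBKDF2 cost factor; real products use more


def derive_key_password_only(password: str, salt: bytes) -> bytes:
    """Vault key from the master password alone. The salt is stored with the
    vault, so anyone holding the vault can re-run this derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def derive_key_with_secret_key(password: str, salt: bytes, secret_key: bytes) -> bytes:
    """Simplified illustration (assumption, not 1Password's real 2SKD): mix a
    random 128-bit secret held only on enrolled devices into the password-derived
    key. Without the secret key there is no way to test a password guess."""
    pw_key = derive_key_password_only(password, salt)
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def key_check_value(key: bytes) -> bytes:
    """Constructed 'key check value' stored alongside the vault so the client can
    confirm it derived the right key. For an attacker with a stolen vault, this
    is the oracle that makes offline password guessing possible."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def offline_dictionary_attack(kcv: bytes, salt: bytes, wordlist, secret_key=None):
    """Attacker holds the stolen vault (kcv and salt). If secret_key is None the
    attacker does not have the Secret Key and can only try password-only
    derivation; enumerating 2**128 secret keys per guess is infeasible."""
    for guess in wordlist:
        if secret_key is None:
            key = derive_key_password_only(guess, salt)
        else:
            key = derive_key_with_secret_key(guess, salt, secret_key)
        if hmac.compare_digest(key_check_value(key), kcv):
            return guess
    return None


def demo():
    """Return (recovered_without_secret_key, recovered_with_secret_key_derivation)."""
    salt = os.urandom(16)
    secret_key = os.urandom(16)  # the random, device-held Secret Key
    # Vault 1: key derived from the password only -> dictionary attack succeeds.
    kcv_password_only = key_check_value(derive_key_password_only(MASTER_PASSWORD, salt))
    cracked = offline_dictionary_attack(kcv_password_only, salt, WORDLIST)
    # Vault 2: secret key mixed in -> the same attack has nothing to test against.
    kcv_with_secret = key_check_value(derive_key_with_secret_key(MASTER_PASSWORD, salt, secret_key))
    not_cracked = offline_dictionary_attack(kcv_with_secret, salt, WORDLIST)
    return cracked, not_cracked


if __name__ == "__main__":
    print(demo())
```

The lesson is not that the master password stops mattering; it still protects you if a device holding the Secret Key is stolen. It is that a breach of the service alone gives the attacker nothing to guess against.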
Most of these services allow you to control the minimum length of the master password, enforce two-factor authentication to log in to the service, and provide detailed activity logs, giving businesses valuable insight into who has access to information.
The biggest benefit of using a password manager is the ability to generate a long, random, unique password for every login. Using a unique password for every account is the single most important step you can take, because it stops a password leaked from one site from being replayed against your other accounts (credential stuffing).
Have an access policy
Using a password manager is a great first step, but without a well-thought-out access control policy you can still leave your company vulnerable if a breach occurs.
The best policy is least privilege: only the people who need access to a website or service to do their job have it, and no one else does, regardless of their position in the company. This has little to do with trust and everything to do with limiting opportunities for a breach. If you are a company of 100 and all 100 employees hold the credentials for a service, it takes only 1 compromised employee for there to be a problem. If only 5 of those 100 employees need access and are the only ones who have it, you have cut the attack surface for that service by 95%.
Use multi-factor authentication
These days, most websites and services offer, and some even require, multi-factor authentication (MFA). Your company policy should enforce using it wherever it is available, as it adds another layer of protection to your logins beyond the password.
If offered, the preferred method is an authenticator application such as Google Authenticator, Authy, or your password manager's built-in OTP (one-time password) feature. These use time-based OTP (TOTP): a secret shared once with the service at enrollment is combined with the current time to produce a new six-digit code every 30 seconds, and you must enter the current code to log in to a service protected by it. The code never travels over SMS or email, so there is nothing for a phone or mailbox compromise to intercept.
The most common methods are one-time codes sent by SMS or email. While either is better than not enabling MFA at all, both are vulnerable to attacks that an authenticator app is not. If someone gains access to your mailbox, they receive every email MFA code, and can usually reset your passwords as well.
SMS is vulnerable to a common attack called SIM swapping. In this social engineering method, a bad actor calls your phone carrier pretending to be you and convinces the representative to move your number to a SIM the attacker controls, after which every SMS code for your accounts is delivered to them.
Conduct regular audits
Password security is not a set-it-and-forget-it activity for a business. Designating someone, or a team, as the security and compliance officer within the company adds an extra layer of assurance that your internal controls are actually being followed.
Reviewing audit logs and revoking access to systems as employees change roles or leave should both be part of your internal controls. Building a short access review into the onboarding and offboarding process ensures these audits happen when access actually changes, and further protects your business and your clients.
These are some small steps your business can take to improve security and a small sample of the principles we follow here at Kirschbaum.