email security - Why password management policies fail for businesses (part 3 of a 3-part series)

It seems like we hear about major corporate breaches every day, whether it's Equifax, Target, Starwood Hotels, Wendy's, the IRS or the U.S. Department of Justice. Breaches are more prevalent than ever, and most experts don't expect them to slow down. IT departments everywhere continue to shore up their defenses. Unfortunately, in many instances, it is legitimate user credentials that are used to carry out the breach. According to a Verizon Data Breach Investigations Report, some 63% of 2016 breaches were the result of weak, default or stolen passwords.

So why is it that so many password management policies fail?

There are a number of reasons, many of which can be fixed, but it requires vigilance and targeted efforts by management to make it happen.  Some of the main reasons for failure are:

  1. Weak passwords of fewer than 6 characters: A 4-digit password has 10,000 combinations. A 10-character, case-sensitive password that also includes numbers has 839,299,365,868,340,000 combinations. That's 839 quadrillion combinations, which is a significant difference when it comes to brute-force attacks against a password.
  2. Password reuse: 52% of workers reuse or only slightly modify passwords. 38% reuse the same password across multiple systems.
  3. Too many passwords to manage: Today's workers manage a number of different passwords to access both internal and external third-party systems, and the number continues to increase. Often, the different systems have different password requirements and are scheduled to change on different intervals. This leaves users with the difficult task of managing their passwords without writing them down on a sticky note under the keyboard, a definite no-no.
  4. Overly complicated password policies: Companies, in their effort to improve security, often overshoot the target and make their password policies overly complicated or require changes far too often.
  5. IT fails to formalize password rules into written policy: The task of managing password policies and combating today's cyber threats can leave IT departments so focused on their daily tasks that they fail to follow up with written policies, management acceptance and clear communication to end users.
  6. Poor process for on-boarding and off-boarding contract, part-time or terminated workers: Whether your company uses part-time or contract workers or not, every company has employees that leave. Having solid procedures for on-boarding and off-boarding employees is extremely important.  Revoking access to the business and systems of the company in a timely fashion is critical.  It doesn’t take long for a disgruntled former employee to cause a lot of problems for your business.
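As an added illustration of the arithmetic behind item 1 (this is not code from the original post), the function below computes the keyspace for any policy from its length and allowed character classes, and estimates how long exhausting it would take at an assumed, clearly labelled guess rate:

```python
# Added example, not part of the original article.
# Keyspace size for a password policy, generalized from the post's two figures.

# Sizes of the common character classes (assumed standard printable ASCII).
CLASSES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 32}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def policy_keyspace(length: int, classes: tuple) -> int:
    """Keyspace for a policy allowing the given character classes."""
    size = sum(CLASSES[c] for c in classes)
    return keyspace(size, length)


def years_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Years needed to try every candidate at a given guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Assumed guess rate for comparison only; real rates depend on the hash.
    RATE = 10**9
    policies = [
        (4, ("digits",)),                    # the 4-digit PIN from the post
        (6, ("lower",)),                     # the "fewer than 6 characters" line
        (10, ("digits", "lower", "upper")),  # the 10-character mixed-case case
    ]
    for length, classes in policies:
        space = policy_keyspace(length, classes)
        print(f"{length:2d} chars {'+'.join(classes):<18} "
              f"{space:>24,d}  ~{years_to_exhaust(space, RATE):.2e} years")
```

The 10-character figure reproduces the post's 839 quadrillion exactly (62^10); the 4-digit PIN is exhausted in microseconds at the assumed rate, which is why length matters more than any single extra symbol.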

How do you combat the issues?

Implementing strong and consistent password policies that don't overburden your employees is a great place to start. Adding two-factor authentication means passwords don't have to change as often, which minimizes some of the issues above. Developing a consistent on-boarding and off-boarding procedure ensures you take the necessary steps when employees leave. Lastly, adding Dark Web monitoring for compromised credentials to your cyber security plan can ensure that compromised employee or customer credentials are dealt with in a timely manner to minimize risk to your business.

To learn how to improve your password policies and protect your business credentials, look to IT professionals who understand cyber security and have the tools and know-how to help keep your business secure.