You have heard the saying that one bad apple spoils the bunch. For companies of all sizes, this saying carries even more weight when it comes to secure passwords. When one person in your company has a password that becomes compromised, your entire network and databases are exposed to a wide range of threats and vulnerabilities. Employees’ login information is stolen and used to get at company data. Data breaches expose customers’ personal information, which is then used to commit identity theft. Some hackers will even go so far as to impersonate your business toward unsuspecting customers to commit fraud, while your company has to perform damage control because of a ruined reputation and lost profits.
Beware of Employees Compromising Password Security Protocols
Yet outside threats aren’t the only issues you have to be prepared for when protecting your computer networks and data. Many vulnerabilities are created by the actions of current and past employees. Current employees may try to access sensitive information they are not authorized to see and use it for personal gain. Past employees can leave backdoors into your computer system: additional accounts that are not deleted when the employee leaves the company. Instead, the accounts remain accessible, and the former employee can still use them to get into your systems.
Password protection must become a priority for companies in order to limit system threats and data vulnerabilities. Minimize security risks with these tips to strengthen your company’s password protection methods.
1. Limit the Number of Allowed Password Attempts
Sometimes an employee can’t remember their password and will make several attempts to log in to their computer before requesting a password reset. Hackers exploit this setup by gaining access to a user’s email address and requesting a password reset. Then they try to match the password to different user names in an attempt to get into the computer system. Limiting the number of password attempts, much as a bank ATM limits the number of mistakes allowed when typing in a PIN, adds password security. It minimizes the chances that an unauthorized person will get into the computer systems by matching passwords to user names. It is also a sound best practice to limit the number of allowed password reset requests: verify email addresses, throttle repeated requests to the same email address, and use other channels, such as SMS, to send out password resets.
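The two controls described above, a per-account limit on failed logins with a timed lockout and a per-address limit on password reset requests, look like this in code. This is an added illustration, not code from the article or from I.S. Partners; the class name, the policy numbers (five attempts, a 15-minute lockout, three resets per hour) and the injectable clock are assumptions chosen for the example, and the in-memory state would be persisted in a real deployment.

```python
import time
from collections import defaultdict

# Policy values are illustrative assumptions, not figures from the article.
MAX_FAILED_ATTEMPTS = 5        # failed logins before the account locks
LOCKOUT_SECONDS = 15 * 60      # lockout length, like an ATM retaining a card
MAX_RESETS_PER_WINDOW = 3      # reset emails allowed per address per window
RESET_WINDOW_SECONDS = 60 * 60


class LoginGuard:
    """In-memory attempt limiter (hypothetical). A real deployment would
    persist this state so that restarting the server does not clear lockouts."""

    def __init__(self, registered_emails, clock=time.time):
        self.registered_emails = set(registered_emails)
        self.clock = clock                        # injectable for testing
        self.failures = defaultdict(list)         # username -> failure timestamps
        self.locked_until = {}                    # username -> unlock time
        self.reset_requests = defaultdict(list)   # email -> request timestamps

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:                 # lockout expired: start fresh
            del self.locked_until[username]
            self.failures[username].clear()
            return False
        return True

    def record_login(self, username, password_ok):
        """Call after the credential check. Returns (allowed, reason).
        A locked account is refused even when the password is right, so the
        lockout window cannot be used to confirm a guess."""
        if self.is_locked(username):
            return False, "locked"
        if password_ok:
            self.failures[username].clear()
            return True, "ok"
        now = self.clock()
        self.failures[username].append(now)
        if len(self.failures[username]) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return False, "locked"
        return False, "bad_password"

    def request_reset(self, email):
        """Return True only if a reset message should actually be sent.
        The caller shows the same neutral message either way, so the
        response does not reveal which addresses are registered."""
        if email not in self.registered_emails:
            return False
        now = self.clock()
        recent = [t for t in self.reset_requests[email]
                  if now - t < RESET_WINDOW_SECONDS]
        if len(recent) >= MAX_RESETS_PER_WINDOW:
            self.reset_requests[email] = recent
            return False
        recent.append(now)
        self.reset_requests[email] = recent
        return True


class FakeClock:
    """Manually advanced clock so the example runs instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard({"alice@example.com"}, clock=clock)
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.record_login("alice", password_ok=False))
    print(guard.record_login("alice", password_ok=True))   # still locked
    clock.now += LOCKOUT_SECONDS
    print(guard.record_login("alice", password_ok=True))   # lockout expired
```

Two design points matter here: the counter is keyed on the user name rather than on the client address, so spreading guesses over many connections does not help, and the reset path returns the same neutral answer whether or not the address is registered, so the reset form cannot be used to discover valid accounts.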
2. Keep Different Passwords for Every Account
In a world where people are afraid of losing their privacy, it seems strange that employees use the same passwords for company computer systems as they do for social media sites and personal web pages. Unfortunately, this is an unpleasant reality: many people use only one password for every online account. Encourage a separate password for access to company user accounts.
3. Institute Periodic Password Change Requirements
Would it be surprising to hear that a few of your employees are still using the password they started with when they were hired decades ago? It shouldn’t be: once an employee has a password they can easily remember, they hate to change it to something new that they will have to memorize all over again. Your company needs to implement password protection policies that require periodic password changes on a set schedule.
4. Restrict Password Sharing
One of the biggest nightmares in computer security is seeing employees’ passwords written on sticky notes covering the sides of monitors, keyboards and cubicle walls for anyone to see. There is no reason in a corporate environment for employees to share their passwords with others so blatantly. Emphasize to employees that passwords should not be written down. If an employee must share a password with another person for a short period of time, have the employee change the password once the other person no longer needs access to that user account.
5. Audit Systems for Extra Employee Accounts
Some employees create backdoor access to computer systems by creating multiple user accounts. They may have created these extra accounts to perform certain functions for the company. If a disgruntled employee leaves, they can use these access points for unauthorized entry into network systems to perform a range of illegal activity. When auditing network systems, check every computer and delete these extra accounts.
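A simple way to run this audit is to compare the account inventory exported from each system against the HR roster of current employees and flag anything that does not line up. The example below is added here and is not from the article or from I.S. Partners; the roster, the account records and the 90-day idle threshold are constructed sample data, and the finding labels are names chosen for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed HR roster of current employees (hypothetical sample data).
ACTIVE_EMPLOYEES = {"jsmith", "mlee", "rpatel"}

# Constructed account inventory as an auditor might export it from a directory
# service: account name, the employee it belongs to, and last successful login.
ACCOUNTS = [
    {"username": "jsmith",     "owner": "jsmith",  "last_login": "2023-05-02"},
    {"username": "jsmith-adm", "owner": "jsmith",  "last_login": "2022-11-30"},
    {"username": "mlee",       "owner": "mlee",    "last_login": "2023-05-01"},
    {"username": "backup2",    "owner": "tgarcia", "last_login": "2023-04-28"},  # owner has left
    {"username": "svc-report", "owner": "",        "last_login": "2021-01-15"},  # nobody claims it
    {"username": "rpatel",     "owner": "rpatel",  "last_login": "2023-05-02"},
]


def audit_accounts(accounts, active_employees, as_of, stale_days=90):
    """Return sorted (username, finding) pairs for accounts that need review.

    Findings: no_owner        - nobody is recorded as responsible for the account
              owner_departed  - the owner is not on the current employee roster
              duplicate_owner - one employee holds more than one account
              stale           - no login for more than stale_days
    """
    as_of_date = date.fromisoformat(as_of)
    findings = []
    per_owner = defaultdict(list)
    for acct in accounts:
        name, owner = acct["username"], acct["owner"]
        if not owner:
            findings.append((name, "no_owner"))
        elif owner not in active_employees:
            findings.append((name, "owner_departed"))
        else:
            per_owner[owner].append(name)
        idle_days = (as_of_date - date.fromisoformat(acct["last_login"])).days
        if idle_days > stale_days:
            findings.append((name, "stale"))
    # Extra accounts held by one person are the backdoors the article warns about.
    for owner, names in per_owner.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, "duplicate_owner"))
    return sorted(findings)


if __name__ == "__main__":
    for username, finding in audit_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, "2023-05-03"):
        print(f"{username:12} {finding}")
```

Each finding is a prompt for a human decision rather than an automatic deletion: a second account for one person may be a legitimate administrative login, but it should be documented and owned, and an account whose owner has left or that nobody claims should be disabled before it is removed.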
6. Adopt Privileged Information Management
Privileged information management, or PIM, gives you greater oversight of user accounts that have higher access authority to computer network and data systems than standard employee access. These superuser accounts require extra security measures to monitor who is authorized to use them. This tactic prevents the abuse of computer systems and the possible theft of data. By implementing PIM, you can increase your monitoring of these accounts and follow the appropriate policies to prevent any misuse of password access.
7. Seek Out Password Management Tools
Password management tools provide a wide range of services that increase password security throughout the company. These applications let employees store passwords securely without writing them down, help generate strong passwords, fill in login fields, and share login credentials with specific workers who need one-time access without letting them view the password itself.
Protecting your company’s passwords should be a best practice included in your company’s security policies. If you are worried about security gaps in your network systems, or that your present internal controls do not match management’s objectives for preventing data breaches and vulnerabilities, contact I.S. Partners, LLC at 215-675-1400 or email [email protected]. As internal audit providers, we can perform gap analyses and attestation reports that will help your company improve security and risk management throughout your operations.