IT Security Basics - Passwords

Sam Bloedow

When was the last time you talked about IT security basics with your employees? The conversation about IT security should always include reminders about the importance of unique and strong passwords. IT security best practices implemented by your managed IT service provider are a strong line of defense against potential cybercrime, but it doesn’t matter how fortified the castle is if someone opens the door and lets intruders walk right in.

What Hackers Want

People who are trying to gain access to your business accounts, information and network intend to steal, do damage or both. They seek to collect confidential information, compromise the integrity of your systems and data, or control access to your network and accounts to serve their illegitimate purposes. Attacks from outside your organization aren’t the only ones to consider. Unauthorized access to information and accounts by employees can unfortunately be fueled by similar motivations and have similar results.

How Cyber Intruders Gain Access

Social engineering is a popular buzzword in IT security, but it’s just a different way of saying that a con job is in action. One form of social engineering is phishing, a common form of manipulation that plays on people’s trust. Emails appear to come from people in authority or familiar organizations and guide the victim to fake web pages where they are asked to input their credentials. Other phishing methods install malicious software when the recipient opens an attachment or clicks on a link in an email. Some types of malware record actions taken on the computer and send the information back to the intruder. Brute force attacks are automated attempts to log in with a series of possible usernames and passwords.

Social Engineering by Phone

Your IT security best practices should include guidelines for how employees should respond when someone asks for their network or login credentials over the phone. The caller may impersonate the company CEO or other person in authority, or claim to be from a technology company like Microsoft, or your own IT support company. Hackers have even been known to give instructions to people who unknowingly compromised their data and systems by helping them open the door.

Internal Threats to Your Network and Data

Unauthorized access to sensitive corporate data from inside your company can occur when employees have inappropriate permissions for their job role, or abandoned accounts are not fully secured. Terminated employees may also still be able to get to company accounts if their accounts are not disabled or passwords changed. The practice of having passwords on a sticky note is like putting your keys out in the open so that anyone can come and unlock your door.

Nine Tips to Strengthen Password Security

Here are some password guidelines to follow that will help keep the doors locked to intruders:

  1. Change passwords at least every three months for non-administrative users and 45 - 60 days for admin accounts.
  2. Use different passwords for each login credential.
  3. Avoid generic accounts and shared passwords.
  4. Conduct audits periodically to identify weak/duplicate passwords and change as necessary.
  5. Pick challenging passwords that include a combination of letters (upper and lower case), numbers and special characters (e.g. <$>, <%> and <&>).
  6. Avoid personal information such as birth dates, pet names and sports.
  7. Use passwords or passphrases of 12+ characters.
  8. Use a password manager program where users need just one master password.
  9. Don't use a browser's auto-fill function for passwords.
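The following Python script is an added example, not code from the original post, showing how tips 2, 4, 5, 6 and 7 can be turned into an automated check. It assumes a small constructed common-password list and a constructed set of sample accounts; a real audit would use a full breach list, and the per-password check would normally run at the moment a user sets or changes a password, since that is the only time the plaintext is legitimately available.

```python
import re
from collections import Counter

# Constructed stand-in for a breached/common password list; a real audit uses a far larger one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}

# Tip 5: the four character classes a strong password should mix.
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(candidate, personal_terms=(), min_length=12):
    """Return the list of guideline violations for one password (empty list means it passes)."""
    problems = []
    # Tip 7: 12+ characters.
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Tip 5: upper, lower, digits and special characters all present.
    missing = [name for name, pattern in CHARACTER_CLASSES.items() if not pattern.search(candidate)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = candidate.lower()
    # Tip 4: reject anything on the common-password list.
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    # Tip 6: reject personal information (pet names, birth years, teams) appearing inside the password.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


def audit_accounts(accounts, personal_terms_by_user=None):
    """Run check_password over every account and add a duplicate finding (tips 2 and 4)
    for any password shared by more than one account.

    accounts: mapping username -> password (plaintext, as available at change time).
    Returns mapping username -> list of findings."""
    personal_terms_by_user = personal_terms_by_user or {}
    usage = Counter(accounts.values())
    findings = {}
    for user, password in accounts.items():
        problems = check_password(password, personal_terms_by_user.get(user, ()))
        if usage[password] > 1:
            problems.append("same password used by another account")
        findings[user] = problems
    return findings


# Constructed sample accounts and the personal terms known for one user (hypothetical data).
SAMPLE_ACCOUNTS = {
    "alice": "Welcome1",            # short, no special character, on the common list
    "bob": "Fluffy2015!",           # pet name plus a year, one character too short
    "carol": "Tr0ub4dor&3Station",  # meets every guideline
    "dave": "Welcome1",             # same password as alice
}
SAMPLE_PERSONAL_TERMS = {"bob": ("Fluffy", "2015")}

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_PERSONAL_TERMS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{user}: {status}")
```

Because stored passwords should only ever exist as salted hashes, the duplicate check above cannot be run against a password database after the fact; it belongs in the password-change path, or in a sanctioned audit where recovered passwords are compared and then discarded.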