Have you ever met a doctor who isn’t the picture of perfect health? Maybe they don’t exercise, eat extremely greasy food, or smoke a pack a day.
Your first instinct might be to avoid the physician altogether; however, you shouldn’t immediately make this decision. They’re still experts in their field, and could help you with your health. They’re simply subject to the same human flaws as anyone else. People make poor decisions all the time, even when they know better.
This might explain some surprising stats about security professionals, like how 45% of security professionals are guilty of password re-use. Even experts with multiple certifications still develop bad habits.
While an unhealthy doctor risks only their own health, the poor habits of a service provider can lead to compromises for multiple clients (and potentially dozens or hundreds of employees). Beyond the devastating consequences of a breach to the customer, the service provider could end up losing business or even shuttering their doors.
Nowhere is this more important than password management. If someone gets access to your customers’ passwords, it’s pretty much open season. Today, we’ll give some tips on keeping your own password house in order.
1. Don’t pick an easy-to-guess password
Your employees are busy. They have too much to remember on a given day, and developing a new, strong password for each account just adds to their mental load. Odds are good at least one of your employees has an easy-to-guess password. Train your employees on password strength. Teach them to avoid anything that shows up on commonly used password lists, like “iloveyou,” and to stop using keyboard patterns such as “qwerty” or “123456.” They should also avoid using simple words, as these can be vulnerable to a dictionary attack. Encourage them to use passphrases with numbers and symbols included in random spots like “IreallyEnj4oyB6asket#Ball”. This makes them easier to remember, yet harder to guess. Plus, they’re longer, making them more challenging to crack. Cover this in regular security trainings, but consider also providing handouts your employees can keep at their desk.
2. Don’t re-use passwords
We already quoted the statistic that 45% of security professionals re-use passwords. People simply have too many passwords to remember on a given basis, so it’s common to re-use passwords across accounts. Unfortunately, if a criminal can crack a password to one account, they’ll keep trying until they find another account using the same password.
This can be particularly troubling when user credentials are leaked in a major data breach, like the Collection 1 leak. If one of your employees has an account exposed in that breach, and odds are you have at least one, you better hope they haven’t re-used those passwords on work accounts.
3. Revoke access when needed
Sometimes, an employee simply doesn’t work out, and you must let them go.
After being let go, the employee may feel angry, hurt, and maybe confused or scared. This can lead to employees doing rash, out-of-character things, like trying to get revenge on their employer. They may steal intellectual property or customer data and sell it on the dark web as a “severance package.”
When employees leave, shut down their accounts immediately. If they can still log in after leaving, you’re open to a potential breach. Do this regardless of the reason—even people leaving on good terms could still help themselves to sensitive data. Just avoid the risk altogether by consistently removing employee access from your systems when they leave.
Pro tip: Don’t forget to delete any two-factor authentication (2FA) info. Ex-employees may try to reset their passwords using a personal email or their phone number.
4. Make it easier with a password manager
Managing user credentials and access to customer accounts for your organization can be challenging without the right tools. Teaching password best practices alone won’t help if employees get too tired (or lazy) to follow the rules. Revoking access when employees leave can be time-consuming when done manually.
A good password manager can dramatically reduce your risk. For example, SolarWinds® Passportal + Documentation Manager helps your employees create strong passwords without needing to be world-class memory champions (or rely on post-its). It’s designed to make it easy for admins to grant or revoke access, whether you need to grant temporary access to a technician for one task or you need to remove someone completely after they leave.
Learn more by requesting a demo here.
Guest blog courtesy of SolarWinds MSP. Read more SolarWinds MSP blogs here.
