
9 Password Security Policies For SMBs

Does your company have strong password practices? Here's expert advice on how to help SMB employees minimize risks.

A state-of-the-art security system won't much matter if a hacker gets a hold of an employee's password. That's much more likely to happen if you take a laissez-faire approach--or none at all--to creating and protecting passwords.

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don't need to take up much time, either, especially once your policies and procedures are in place.

"Password policy is something that's often overlooked, but it's an important part of keeping secure in an online world," said Morgan Slain, CEO of SplashData, in an interview. "It's something that SMBs can implement pretty easily."

Here are nine steps toward safer, stronger passwords--and toward keeping them that way--both in the real and mobile office.

Refresh the Fundamentals

1. Use complex passwords. Whether you've been flying by the seat of your pants or are a full-fledged security wonk, go back to the basics. "Those are things that everyone tends to slack on," Slain said, because ignoring the obvious steps is easy to do.


The first of those steps: Use complex passwords. That means a case-sensitive combination of letters, numbers, and special characters--at least eight in total. Because "complex" can sometimes mean "easy to forget," Slain suggests using memorable phrases broken up by spaces, special characters, and/or numbers. "Those can create pretty robust passwords that are a lot easier to remember," Slain said.

2. Don't reuse passwords. This one's a must, yet it remains a common danger. Employees that use the same password across multiple systems--often both professional and personal--to keep things simple can turn a minor, isolated issue into a major security breach. Slain points to the recent Zappos case that exposed external customer passwords as an example.

Unique passwords help stop the bleeding much faster if a password is leaked or stolen--otherwise access to a Twitter account can suddenly turn into bank accounts, health information, customer databases, and other sensitive areas. The bare minimum practice, Slain said, should be to not re-use credentials for sensitive applications such as financial information across less sensitive--and often less secure--areas such as a blog publishing tool.

3. Change passwords regularly. It's the last piece of the holy trinity: Change your virtual locks regularly to further minimize risks. Slain recommends updating credentials at least every 60 days; better yet, do it every 30.
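As an added example (not code from the article or from SplashData), here is a small Python policy check that wires the three fundamentals above together: the article's eight-character complexity rule, detection of a password reused across systems without storing any plaintext, and a 60-day rotation check. System names and dates are constructed sample values.

```python
"""Added example: complexity, no-reuse and rotation checks for the
three password fundamentals. Thresholds follow the article's figures."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8        # article: at least eight characters in total
MAX_AGE_DAYS = 60     # article: rotate at least every 60 days
SPECIALS = set(string.punctuation + " ")  # spaces act as passphrase separators


def meets_complexity(pw: str) -> bool:
    """Case-sensitive mix of letters, digits and special characters, 8+ long."""
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


class PasswordHistory:
    """Keeps a salted PBKDF2 digest of each system's current password so reuse
    across systems can be detected without retaining plaintext."""

    def __init__(self):
        self._entries = {}  # system -> (salt, digest, date_set)

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def is_reused(self, pw: str) -> bool:
        """True if pw matches the password recorded for any system."""
        return any(hmac.compare_digest(self._digest(pw, salt), digest)
                   for salt, digest, _ in self._entries.values())

    def set_password(self, system: str, pw: str, set_on: str) -> None:
        """Record a new password for `system`; set_on is an ISO date string."""
        if not meets_complexity(pw):
            raise ValueError(f"{system}: password fails complexity policy")
        if self.is_reused(pw):
            raise ValueError(f"{system}: password already in use elsewhere")
        salt = os.urandom(16)
        self._entries[system] = (salt, self._digest(pw, salt), date.fromisoformat(set_on))

    def expired(self, today: str) -> list:
        """Systems whose password is older than MAX_AGE_DAYS as of `today`."""
        cutoff = date.fromisoformat(today) - timedelta(days=MAX_AGE_DAYS)
        return sorted(s for s, (_, _, d) in self._entries.items() if d < cutoff)
```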

Go Beyond Basics

4. Double-down on email accounts. Slain thinks too many SMBs get lazy with their email passwords, leading to larger-scale problems. "Those are the holy grail for thieves," he said, particularly for online applications that use the ubiquitous "Forgot Password" feature. When a hacker gains control of employee email credentials, it can turn into an all-you-can-eat data buffet--particularly if those credentials were reused across other systems. Email breaches can also lead to increased spear phishing and social engineering risks. Treat email with a similar level of caution as bank and other high-risk accounts.

5. Restrict application settings. Particularly for online and mobile applications, it's a good idea to modify security and privacy settings to the most locked-down options. Be leery of new applications and consider using a secondary email address outside of the corporate system when testing or signing up for new online tools.

6. Consider a password wallet. One password pitfall common inside SMB offices is found in password sharing among workgroups and team members. This can lead to weak security habits, both of the analog (Post-it Notes on the monitor, yelling passwords over the cubicle wall) and digital variety (passwords shared via email, IM, and related means). A password manager or wallet application built specifically for teams can automate and secure credentials for systems that require multi-party access. "That way it's easy to organize all of your different corporate passwords, keep them changed, and make sure everyone knows what those changes are," Slain said.

Manage the Mobile Morass

7. Use a device-lock app. The mobile era has compounded the potential security threats inherent in password breaches. A lost or stolen device, for starters, can become a nightmare for the unprepared SMB. Begin by requiring--or at least strongly encouraging--staff to use a device-lock feature or app. Set it to time out automatically at one minute or less of inactivity.

8. Don't jailbreak or root phones. This one's likely to be a particular concern for SMBs that encourage employees to bring their own device to work. Users that jailbreak their iPhone or root their Android device could be bringing increased security risks onto the corporate network. Consider a policy restriction that bans such devices for company use.

9. Fully exit apps. Slain recommends users sign out and exit business apps when not in use rather than leaving them running in the background. That's a step that sounds easy but sometimes involves more than just closing the app, depending on the phone and its operating system. iPhone users, Slain points out, must double-click the bottom button, find the app in a list, tap its icon, and then tap the minus sign that appears.


User Rank: Apprentice
1/29/2012 | 4:59:30 AM
re: 9 Password Security Policies For SMBs
You were on the right track until halfway through #6, and then you blew it. Never allow shared passwords: ever. Allowing employees to share passwords on inconsequential systems sets a precedent in their minds that it is OK on any system. There is no security if there is no individual accountability, and there can be no individual accountability if individuals are not uniquely authenticated. HIPAA is one law in particular that explicitly requires individual authentication, and failure to achieve it carries civil and criminal penalties.
User Rank: Ninja
1/24/2012 | 4:22:36 AM
re: 9 Password Security Policies For SMBs
Not re-using passwords is an important one, but one that few seem to follow. On the other hand, not all things protected by a password are so important that you have to have a complex, unique password guarding it. A password the user can't remember is useless.
Brian Prince, InformationWeek/Dark Reading Comment Moderator