Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/23/2012
04:29 PM
50%
50%

9 Password Security Policies For SMBs

Does your company have strong password practices? Here's expert advice on how to help SMB employees minimize risks.

10 Important Cloud Apps For SMBs
10 Important Cloud Apps For SMBs
(click image for larger view and for slideshow)
A state-of-the-art security system won't much matter if a hacker gets a hold of an employee's password. That's much more likely to happen if you take a laissez-faire approach--or none at all--to creating and protecting passwords.

Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don't need to take up much time, either, especially once your policies and procedures are in place.

"Password policy is something that's often overlooked, but it's an important part of keeping secure in an online world," said Morgan Slain, CEO of SplashData, in an interview. "It's something that SMBs can implement pretty easily."

Here are nine steps toward safer, stronger passwords--and toward keeping them that way--both in the real and mobile office.

Refresh the Fundamentals

1. Use complex passwords. Whether you've been flying by the seat of your pants or are a full-fledged security wonk, go back to the basics. "Those are things that everyone tends to slack on," Slain said, because ignoring the obvious steps is easy to do.

[ Some lessons are learned the hard way. Read Zappos Breach: 8 Lessons Learned. ]

The first of those steps: Use complex passwords. That means a case-sensitive combination of letters, numbers, and special characters--at least eight in total. Because "complex" can sometimes mean "easy to forget," Slain suggests using memorable phrases broken up by spaces, special characters, and/or numbers. "Those can create pretty robust passwords that are a lot easier to remember," Slain said.

2. Don't reuse passwords. This one's a must, yet it remains a common danger. Employees that use the same password across multiple systems--often both professional and personal--to keep things simple can turn a minor, isolated issue into a major security breach. Slain points to the recent Zappos case that exposed external customer passwords as an example.

Unique passwords help stop the bleeding much faster if a password is leaked or stolen--otherwise access to a Twitter account can suddenly turn into bank accounts, health information, customer databases, and other sensitive areas. The bare minimum practice, Slain said, should be to not re-use credentials for sensitive applications such as financial information across less sensitive--and often less secure--areas such as a blog publishing tool.

3. Change passwords regularly. It's the last piece of the holy trinity: Change your virtual locks regularly to further minimize risks. Slain recommends updating credentials at least every 60 days; better yet, do it every 30.

Go Beyond Basics

4. Double-down on email accounts. Slain thinks too many SMBs get lazy with their email passwords, leading to larger-scale problems "Those are the holy grail for thieves," he said, particularly for online applications that use the ubiquitous "Forgot Password" feature. When a hacker gains control of employee email credentials, it can turn into an all-you-can-eat data buffet--particular if that those credentials were re-used across other systems. Email breaches can also lead to increased spear phishing and social engineering risks. Treat email with a similar level of caution as bank and other high-risk accounts.

5. Restrict application settings. Particularly for online and mobile applications, it's a good idea to modify security and privacy settings to the most locked-down options. Be leery of new applications and consider using a secondary email address outside of the corporate system when testing or signing up for new online tools.

6. Consider a password wallet. One password pitfall common inside SMB offices is found in password sharing among workgroups and team members. This can lead to weak security habits, both of the analog (Post-it Notes on the monitor, yelling passwords over the cubicle wall) and digital variety (passwords shared via email, IM, and related means). A password manager or wallet application built specifically for teams can automate and secure credentials for systems that require multi-party access. "That way it's easy to organize all of your different corporate passwords, keep them changed, and make sure everyone knows what those changes are," Slain said.

Manage the Mobile Morass

7. Use a device-lock app. The mobile era has compounded the potential security threats inherent in password breaches. A lost or stolen device, for starters, can become a nightmare for the unprepared SMB. Begin by requiring--or at least strongly encouraging--staff to use a device-lock feature or app. Set it to time out automatically at one minute or less of inactivity.

8. Don't jailbreak or root phones. This one's likely to be a particular concern for SMBs that encourage employees to bring their own device to work. Users that jailbreak their iPhone or root their Android device could be bringing increased security risks onto the corporate network. Consider a policy restriction that bans such devices for company use.

9. Fully exit apps. Slain recommends users sign out and exit business apps when not in use rather than leaving them running in the background. That's a step that sounds easy but sometimes involves more than just closing it, depending on the phone and its operating system. iPhone users, Slain points out, must double-click the bottom button, find the app in a list, tap its icon, and then tap the minus sign that appears.

The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dharris804
50%
50%
dharris804,
User Rank: Apprentice
1/29/2012 | 4:59:30 AM
re: 9 Password Security Policies For SMBs
You were on the right track until half way through #6, and then you blew it. Never allow shared passwords: ever. allowing employees to share passwords on inconsequential systems sets a precedent in their minds that it is OK on any sustem. There is no security if there is no individual accountability, and there can be no individual accountability if individuals are not uniquely authenticated. HIPAA is one law in particular that explicitly requires individual authentication, and failure to achieve it carries civil and criminal penalties.
Bprince
50%
50%
Bprince,
User Rank: Ninja
1/24/2012 | 4:22:36 AM
re: 9 Password Security Policies For SMBs
Not re-using passwords is an important one, but one that few seem to follow. On the other hand, not all things protected by a password are so important that you have to have a complex, unique password guarding it. A password the user can't remember is useless.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4682
PUBLISHED: 2021-01-28
IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVE-2020-4888
PUBLISHED: 2021-01-28
IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker co...
CVE-2020-13569
PUBLISHED: 2021-01-28
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can...
CVE-2021-20620
PUBLISHED: 2021-01-28
Cross-site scripting vulnerability in Aterm WF800HP firmware Ver1.0.9 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
CVE-2021-20621
PUBLISHED: 2021-01-28
Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.