Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don't need to take up much time, either, especially once your policies and procedures are in place.
"Password policy is something that's often overlooked, but it's an important part of keeping secure in an online world," said Morgan Slain, CEO of SplashData, in an interview. "It's something that SMBs can implement pretty easily."
Here are nine steps toward safer, stronger passwords--and toward keeping them that way--in both the physical and the mobile office.
Refresh the Fundamentals
1. Use complex passwords. Whether you've been flying by the seat of your pants or are a full-fledged security wonk, go back to the basics. "Those are things that everyone tends to slack on," Slain said, because ignoring the obvious steps is easy to do.
The first of those steps: Use complex passwords. That means a case-sensitive combination of letters, numbers, and special characters--at least eight in total. Because "complex" can sometimes mean "easy to forget," Slain suggests using memorable phrases broken up by spaces, special characters, and/or numbers. "Those can create pretty robust passwords that are a lot easier to remember," Slain said.
2. Don't reuse passwords. This one's a must, yet it remains a common danger. Employees who use the same password across multiple systems--often both professional and personal--to keep things simple can turn a minor, isolated issue into a major security breach. Slain points to the recent Zappos case that exposed external customer passwords as an example.
Unique passwords help stop the bleeding much faster if a password is leaked or stolen--otherwise access to a Twitter account can suddenly turn into bank accounts, health information, customer databases, and other sensitive areas. The bare minimum practice, Slain said, should be to not re-use credentials for sensitive applications such as financial information across less sensitive--and often less secure--areas such as a blog publishing tool.
3. Change passwords regularly. It's the last piece of the holy trinity: Change your virtual locks regularly to further minimize risks. Slain recommends updating credentials at least every 60 days; better yet, do it every 30.
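The three fundamentals above (complexity, no reuse, regular rotation) are easy to state and just as easy to let slip, so an SMB benefits from checking them mechanically rather than by memory. The script below is an added example, not code from the article or from SplashData; it audits a small credential inventory of the kind an administrator might export from a team password wallet. The inventory, the user and system names, the dates, and the helper names are all constructed for illustration, and the thresholds (eight characters, 60 and 30 days) are the ones the article gives.

```python
"""Audit a credential inventory against three password fundamentals:
complex passwords, no reuse across systems, and regular rotation.
Added example; the inventory and names below are constructed."""
import hashlib
import re
from datetime import date

MIN_LENGTH = 8                 # "at least eight in total"
MAX_PASSWORD_AGE_DAYS = 60     # "at least every 60 days"
PREFERRED_AGE_DAYS = 30        # "better yet, do it every 30"

# Each rule: (description of the violation, regex that must match somewhere).
COMPLEXITY_RULES = [
    ("no lowercase letter", r"[a-z]"),
    ("no uppercase letter", r"[A-Z]"),
    ("no digit", r"[0-9]"),
    ("no special character", r"[^A-Za-z0-9]"),  # spaces between phrase words count
]

# Constructed sample inventory (hypothetical users, systems and passwords).
SAMPLE_INVENTORY = [
    {"user": "alice", "system": "email",   "password": "Correct horse 7 battery!", "last_changed": date(2012, 3, 1)},
    {"user": "alice", "system": "blog",    "password": "Correct horse 7 battery!", "last_changed": date(2012, 1, 15)},
    {"user": "bob",   "system": "banking", "password": "password1",                "last_changed": date(2011, 11, 20)},
    {"user": "carol", "system": "crm",     "password": "Xq9#lmTv2",                "last_changed": date(2012, 3, 10)},
    {"user": "dave",  "system": "crm",     "password": "Ty3$plane-Kite",           "last_changed": date(2012, 2, 5)},
]
TODAY = date(2012, 3, 20)  # fixed "today" so the audit is reproducible


def complexity_problems(password):
    """Return the list of complexity rules the password violates (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for description, pattern in COMPLEXITY_RULES:
        if not re.search(pattern, password):
            problems.append(description)
    return problems


def reused_passwords(inventory):
    """Group (user, system) pairs by a SHA-256 fingerprint of the password so the
    report never echoes plaintext; return only fingerprints used more than once."""
    seen = {}
    for entry in inventory:
        fingerprint = hashlib.sha256(entry["password"].encode()).hexdigest()
        seen.setdefault(fingerprint, []).append((entry["user"], entry["system"]))
    return {fp: places for fp, places in seen.items() if len(places) > 1}


def rotation_status(inventory, today):
    """Classify each entry as 'overdue' (older than 60 days), 'due' (older than 30) or 'ok'."""
    status = {}
    for entry in inventory:
        age_days = (today - entry["last_changed"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            label = "overdue"
        elif age_days > PREFERRED_AGE_DAYS:
            label = "due"
        else:
            label = "ok"
        status[(entry["user"], entry["system"])] = label
    return status


def audit(inventory, today):
    """Run all three checks and return human-readable findings, one per problem."""
    findings = []
    for entry in inventory:
        problems = complexity_problems(entry["password"])
        if problems:
            findings.append(f"{entry['user']}@{entry['system']}: weak password ({', '.join(problems)})")
    for places in reused_passwords(inventory).values():
        findings.append("same password reused on: " + ", ".join(f"{u}@{s}" for u, s in places))
    for (user, system), label in rotation_status(inventory, today).items():
        if label != "ok":
            findings.append(f"{user}@{system}: rotation {label}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, TODAY):
        print(finding)
```

Run against the constructed inventory, the audit flags the weak "password1", the passphrase alice reuses on both email and blog, and the three accounts past the 30- or 60-day mark. A passphrase such as "Correct horse 7 battery!" passes the complexity rules because the spaces and the exclamation mark count as non-alphanumeric separators, which is exactly the "memorable phrase broken up by separators" pattern Slain recommends.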
Go Beyond Basics
4. Double-down on email accounts. Slain thinks too many SMBs get lazy with their email passwords, leading to larger-scale problems. "Those are the holy grail for thieves," he said, particularly for online applications that use the ubiquitous "Forgot Password" feature. When a hacker gains control of employee email credentials, it can turn into an all-you-can-eat data buffet--particularly if those credentials were re-used across other systems. Email breaches can also lead to increased spear phishing and social engineering risks. Treat email with a similar level of caution as bank and other high-risk accounts.
5. Restrict application settings. Particularly for online and mobile applications, it's a good idea to modify security and privacy settings to the most locked-down options. Be leery of new applications and consider using a secondary email address outside of the corporate system when testing or signing up for new online tools.
6. Consider a password wallet. One password pitfall common inside SMB offices is found in password sharing among workgroups and team members. This can lead to weak security habits, both of the analog (Post-it Notes on the monitor, yelling passwords over the cubicle wall) and digital variety (passwords shared via email, IM, and related means). A password manager or wallet application built specifically for teams can automate and secure credentials for systems that require multi-party access. "That way it's easy to organize all of your different corporate passwords, keep them changed, and make sure everyone knows what those changes are," Slain said.
Manage the Mobile Morass
7. Use a device-lock app. The mobile era has compounded the potential security threats inherent in password breaches. A lost or stolen device, for starters, can become a nightmare for the unprepared SMB. Begin by requiring--or at least strongly encouraging--staff to use a device-lock feature or app. Set it to time out automatically at one minute or less of inactivity.
8. Don't jailbreak or root phones. This one's likely to be a particular concern for SMBs that encourage employees to bring their own device to work. Users who jailbreak their iPhone or root their Android device could be bringing increased security risks onto the corporate network. Consider a policy restriction that bans such devices for company use.
9. Fully exit apps. Slain recommends users sign out and exit business apps when not in use rather than leaving them running in the background. That's a step that sounds easy but sometimes involves more than just closing the app, depending on the phone and its operating system. iPhone users, Slain points out, must double-click the bottom button, find the app in a list, tap its icon, and then tap the minus sign that appears.