02/07/2015

By Mike Foreman, Senior VP and General Manager, AVG Business


From Target to Sony Pictures, security breaches at businesses of all sizes were in the headlines throughout 2014, and a year later it is clear that the flow of data breach stories shows no sign of abating.

Whether it’s a specific hacking attack on a British shoe retailer or hacktivism at companies with millions of online members, the loss or compromise of passwords is frequently a common factor.

Ever since they emerged in the late ‘90s, passwords have been our primary security measure. Fast forward to today and we often find that employees are still routinely using the same style of basic password – except now these passwords are required to protect smartphones and tablets carrying sensitive company-related data, as well as social media and cloud-based applications used regularly in the workplace.

In fact, the top password is still ‘123456’, followed by ‘123456789’ in second place and ‘password’ in third.

It’s clear that conventional password use is no longer fit for 21st century purpose and businesses must adopt additional measures to ensure their passwords are up to the task.

Extra levels of authentication are needed to verify the identity of employees using their passwords, and businesses should start to enforce these as standard within their organisation, especially if they have in place bring your own device (BYOD) policies. In my view, many of the user identity breaches reported in the news could have been prevented with better password practices and stronger, multi-factor authentication methods. Here are my five top tips for more effective password management:

1. Make sure security measures include formal staff training on password best practice. Passwords need to be strong, long and as secure as possible – complicate them by using “passphrases” rather than individual words – e.g. rather than “spotthedog” use “5p0tth360g”.

2. There is no harm in turning on “two-step authentication”. Most services offer this now; it is a simple code-based system that sends you a numeric code by SMS/text to confirm your login credentials.

3. Create a single profile for all corporate log-ins, with segmented privileges for individual employees within the same profile. This way, when someone leaves the company, they can be removed automatically.

4. Some mobile phones now provide both identity and access management capabilities. Encourage employees to adopt these and incorporate them as part of your BYOD policy.

5. To aid productivity, make it easier for employees to work anywhere, anytime with mobile technology by moving to a single sign-on environment where every employee has one-click access to a secure area in the cloud containing all of their work accounts and applications.
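As an added illustration of tip 1 (not code from the article or from AVG), the following Python enforces the kind of password policy described above: a minimum length, rejection of the most common passwords the article names (‘123456’, ‘123456789’, ‘password’), normalisation so that trivial variants such as a trailing digit or leetspeak substitutions still hit the denylist, and a rough strength estimate that credits multi-word passphrases per word rather than per character. The denylist, the minimum length of 14 and the 50-bit threshold are assumed policy values chosen for the example, not figures from the article.

```python
"""Password policy check: length, common-password denylist and a crude
strength estimate. Added example; the policy numbers are assumptions."""
import math
import re
import string
from dataclasses import dataclass, field

# Constructed denylist: the three passwords the article names as the most
# common, plus a couple of obvious variants. A real deployment would load a
# much larger list of passwords seen in breaches.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "111111"}

MIN_LENGTH = 14           # assumed policy value
MIN_ENTROPY_BITS = 50.0   # assumed policy value
DICEWARE_WORDS = 7776     # 6**5, the size of a standard diceware word list

# Common leetspeak substitutions undone during normalisation.
_LEET = str.maketrans("@$01345!", "asoleasi")


@dataclass
class PolicyResult:
    ok: bool
    entropy_bits: float
    reasons: list = field(default_factory=list)


def normalise(password: str) -> str:
    """Lower-case, strip a trailing run of digits/punctuation, undo leetspeak.
    Makes 'Password1!' and 'p4ssw0rd' compare equal to 'password'."""
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(_LEET)


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate. A phrase of two or more space-separated words
    is credited log2(7776) bits per word (as if drawn from a diceware list);
    anything else gets log2(charset size) * length, where the charset is the
    union of character classes actually used."""
    words = password.split()
    if len(words) >= 2:
        return len(words) * math.log2(DICEWARE_WORDS)
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return math.log2(size) * len(password) if size else 0.0


def check_password(password: str) -> PolicyResult:
    """Apply every rule and report all failures, not just the first."""
    reasons = []
    entropy = estimate_entropy_bits(password)
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")
    if entropy < MIN_ENTROPY_BITS:
        reasons.append(f"estimated strength {entropy:.1f} bits below {MIN_ENTROPY_BITS}")
    return PolicyResult(ok=not reasons, entropy_bits=entropy, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample inputs: the article's top three and two passphrases.
    for candidate in ["123456", "123456789", "password", "P4ssw0rd1!",
                      "correct horse battery staple"]:
        result = check_password(candidate)
        status = "OK" if result.ok else "REJECT: " + "; ".join(result.reasons)
        print(f"{candidate!r:34} {result.entropy_bits:6.1f} bits  {status}")
```

The check reports every failing rule at once so the training feedback in tip 1 can be specific, and the per-word estimate for phrases is deliberately conservative: a four-word phrase of dictionary words is scored at about 52 bits even though a per-character count would give three times that.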

This constant flow of data breach stories in the media has done much to raise awareness of the issues around passwords. Education is positive, of course, but action must be taken to foil the hackers.

If your business is supported by a mobile workforce equipped with either work or personal devices which provide ready access to company sensitive systems and information, ask yourself that important question: what password practices do I need to implement to keep those devices and that data secure?

Don’t take it for granted that your people have the knowledge to handle this themselves. Instead make sure you equip them to help protect your company.