When I talk to a business about data theft, one of the topics that always comes up is password security. You can have one of the most advanced security systems in place, but if that security system has people and passwords as a component, there will be vulnerabilities. Employees have bad habits when it comes to creating and managing passwords. In a survey CSID conducted in 2012 on password habits, we found that nearly two-thirds of the respondents (61%) admitted to reusing the same password for multiple sites, and 44% of respondents said they change their passwords only once a year or less.
When your employees create weak passwords for their employee accounts and reuse these passwords across multiple sites, new risks arise for your business. An employee's password compromised from another company's data breach can open up vulnerability on your site. If a password is stolen for an executive or IT employee, for instance, a data thief no longer has to worry about beating the company's security systems or evading anti-intrusion technology - they simply have to login.
Your business' security system is only as strong as its weakest link, or weakest password connected. To minimize the risk and impact of weak passwords and poor password habits, which can result in a compromised system and data loss, you should consider the following:
1. Educate employees: In the survey we conducted, 89% of respondents felt that their accounts were secure - yet 61% claimed to reuse passwords. This shows that there is a definite disconnect in perceived password security and actual security. One of the first things you should do when securing your company's passwords is to start with the group that is in control of them - your employees. Sit down with employees and educate them on best practices and company policy. If it is a company-assigned password, make sure they know not to use that password on any other site. If they have the ability to create their own passwords, then require them to make a strong one and encourage them to update the password at least once a quarter.
2. Monitor employee credentials for compromise: Monitoring is one of the easiest ways to mitigate password risk because it requires little-to-no input from the employee. Use an identity theft monitoring service to monitor for compromised employee credentials. The service will notify the business if an employee credential has been compromised. Once the alert is received, you can immediately take action and change the password, update login information or be on high alert for any suspicious activity on your system. If employee information is compromised on another site, you will still know and can take action.
3. Consider two-factor authentication: Businesses should definitely look into adopting two-factor authentication whenever possible. Authentication factors include: something the employee knows (a password or personal question), something the employee has (a mobile device or smart card), and something the employee is (a biometric like a voiceprint or fingerprint). Two-factor authentication uses two of these three elements to verify an identity. And because it is unlikely a data thief will have access to more than one authentication factor at a time, two-factor authentication makes your business' system inherently more secure.
While employees often have the best intentions when it comes to passwords, their actions typically do not follow suit, putting your business at increased risk for compromise. Simple things like proactively monitoring for compromised employee credentials and implementing a simple lesson about password best practices can significantly reduce the risk and impact of a data breach for your business.