Go Beyond Password Management to Keep Data Secure
A strong password policy is only the first line of defense when it comes to keeping your organization's data and information safe.
Articles published March 16, 2017 by Mike Wallen
It is extremely important to have a thorough password policy in place for all employees, but this shouldn’t be your only defense. It’s best if a strong password is the first layer of your organization’s security, not the only one.
To fortify your first line of cyber defense, follow these tips for an effective password policy:
- Follow password best practices:
  - Minimum length of eight characters (ten or more is recommended); length does more for strength than any other single rule.
  - Ask for at least one number and one special character, but stop there: stacking further composition rules on top produces predictable substitutions (P@ssw0rd1!) rather than stronger passwords.
  - Reject passwords that contain user-related information (name, username, email address, company name) and check every candidate against a ban list of common and previously breached passwords.
  - Do not offer password hints, and require a second factor (2FA) before a "Forgot Password" flow will reset a credential.
  - Store passwords only as salted hashes produced by a deliberately slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2), never with a fast general-purpose hash such as MD5 or SHA-1, and never in plain text or reversibly encrypted.
- Encourage unique passphrases: a long phrase that is easy to remember and is not reused on any other account.
- Set specific, written policies: which accounts they cover, how passwords are issued and reset, and what to do when one is suspected of being exposed.
- Use two-factor authentication wherever it is available.
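The list above turned into code, as an added example that is not from the original article: check_password applies the length, number/special character, user-information and ban-list rules and returns every violation it finds, while hash_password and verify_password store a fresh random salt alongside an scrypt digest and compare in constant time. The ban list is a handful of constructed entries standing in for a real breach corpus, and the scrypt work factors and the "scrypt$N$r$p$salt$digest" storage format are assumptions made for the example, not anything the article specifies.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 10  # the article: eight minimum, ten or more recommended

# Constructed ban list for the example. A real deployment loads tens of
# thousands of entries from a breach corpus and refreshes it regularly.
BANNED = {"password", "password1", "qwerty123", "letmein", "welcome1", "iloveyou"}

# Assumed scrypt work factors: 2**14 * 8 * 128 bytes = 16 MiB per hash.
# Raise N as hardware allows; the stored string records the values used.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _user_terms(user_info):
    """Split user-related strings ('alice.smith@example.com') into pieces
    long enough to be meaningful when searched for inside a password."""
    pieces = set()
    for item in user_info:
        for piece in re.split(r"[^A-Za-z0-9]+", item.lower()):
            if len(piece) >= 4:
                pieces.add(piece)
    return pieces


def check_password(password, user_info=()):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    # Also compare with trailing digits/symbols stripped, so that
    # "Password1!" is still caught as the banned word "password".
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in BANNED or stripped in BANNED:
        problems.append("on the ban list")
    for piece in sorted(_user_terms(user_info)):
        if piece in lowered:
            problems.append(f"contains user-related term '{piece}'")
    return problems


def hash_password(password):
    """Salt with 16 random bytes and derive a 32-byte scrypt digest.
    The parameters travel with the record so they can be raised later
    without invalidating old hashes."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and parameters and compare
    in constant time, so a wrong guess takes as long as a right one."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(check_password("Password1!"))
    print(check_password("Alice.Smith-2024!", ["alice.smith@example.com"]))
    record = hash_password("correct horse 9 batteries!")
    print(record, verify_password("correct horse 9 batteries!", record))
```

Because each record carries its own salt, two users with the same password get different digests, and a leaked table cannot be attacked with a single precomputed list. The ban-list check is deliberately done before hashing: a banned password should never reach storage.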
Follow up a strong password policy with additional layers of data protection. That way, even if one employee makes a password mistake, your organization is still protected. Beyond the password policy, here are some additional ways your organization can stay secure.
Mobile Device Management (MDM)
Mobile devices are another important piece of the puzzle when it comes to password protection and your organization’s security. At a basic level, the goal of mobile device management is to protect the data on employee devices. As remote work grows, so does the number of mobile devices carrying company data; MDM reduces the risk of a device being compromised and limits the damage in the rare instance one is, for example by enforcing a screen lock and device encryption and by wiping a device that is lost. Most MDM systems let you manage users’ devices, enforce a device policy, and remotely wipe or reset a device when needed. Ensure your mobile device policy is clearly outlined and communicated in your organization’s information security policy.
Many organizations are adopting a Bring Your Own Device (BYOD) mentality, where employees use their own tablets, smartphones, and laptops. While this can save the organization money, it also comes with its own set of challenges. One big issue surrounding BYOD — and personal technology as a whole — has to do with privacy and security. Whether it’s through apps, training, or just well-worded policies, you need to ensure that your employees aren’t sharing confidential information about your business or your customers. Hosted virtual desktops are one cost-effective and secure solution to consider if your organization has a BYOD policy.
At the very least, you should have a plan in place that preserves employee privacy and doesn’t leave your company liable to charges that you’re using technology intrusively. This goes hand-in-hand with mobile device management, and can benefit your organization in the long run (especially if an issue ever does occur).
Data Loss Prevention (DLP)
Another layer of protection can be added with a data loss prevention strategy. A DLP strategy should prohibit employees from sharing, uploading, or emailing confidential or personal information without the necessary security precautions, and should back that rule with tooling that inspects outbound email, uploads, and removable media for sensitive content and blocks or flags it. Your IT department can deploy such tooling, or, if you partner with a managed IT service provider, check that this is included in their comprehensive proactive protection.
Additionally, having specific, secure locations for storing sensitive data can help ensure your data is protected where it's supposed to be.
Two-Factor Authentication (2FA)
You are likely familiar with two-factor authentication (2FA), which adds an additional layer of security by requiring two independent proofs of identity when accessing an account: typically something you know (the password) plus something you have (a phone, an authenticator app, or a hardware token).
Specific ways that organizations implement the second layer of authentication vary. If your organization hasn't already implemented this enhanced security protocol, there are different ways to do so. Here are some common ones:
- Receiving a text message, phone call, or email with a one-time access code. This is the easiest to roll out and far better than a password alone, but it is the weakest of the options, because a phone number or mailbox can itself be taken over.
- Entering a short-lived code generated by an authenticator app, or tapping a hardware security key, both of which tie the login to a device the attacker does not hold.
Some measures often grouped with 2FA do not add a second factor and should not be counted as one:
- Having to type in the phone number or email address associated with an account (an attacker who has the password usually knows these too).
- Answering security challenge questions (a second "something you know", and often guessable from public information).
- Choosing the correct image, or typing in a phrase from an image (these are CAPTCHAs, which tell people from bots rather than verify who the person is).
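As an added example that is not code from the original article, here is how a server generates and checks the kind of short-lived one-time code an authenticator app shows, using the TOTP algorithm of RFC 6238 (HOTP of RFC 4226 keyed by the current 30-second time step). The article's own list has codes delivered by text message or email; this variant derives the same sort of code from a secret shared once with the user's device, so nothing has to travel over the phone network. The secret is the 20-byte seed from the RFC test vectors, chosen so the results can be checked against the standard; the one-step drift window and the set of already-used counters are design choices made for this example, not anything the article specifies.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII seed used in the RFC 4226/6238 test
# vectors. A real server generates a random secret per user, shows it to the
# authenticator app once (typically as a QR code) and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                used_counters: set, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side to tolerate clock drift, refuses a counter that was
    already accepted (replay of a code seen over the shoulder or phished),
    and compares in constant time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = int(at_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if counter in used_counters:
                return False  # same code presented twice
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    import time
    print("code for this 30-second window:", totp(DEMO_SECRET, int(time.time())))
```

A six-digit code is only about twenty bits of entropy, so the check above must sit behind rate limiting (a handful of attempts per account per window), and the used-counter set has to be kept per user and pruned once a counter falls outside the window.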
All of these features can be instrumental in ensuring peace of mind when it comes to securing your organization’s data. While an effective password policy is a necessary thing, there should be more to it than just basic password restrictions. Consider if your organization could benefit from mobile device management, data loss prevention, or multi-factor authentication, and if your information security policy detailing all of these procedures is up-to-date.
What protection and processes does your organization currently have in place for keeping data secure?