Implementing a Password Security Policy at the Workplace for NCSAM

Every October, the Department of Homeland Security (DHS) acknowledges National Cyber Security Awareness Month (NCSAM) to help individual users and companies stay safe online. All NCSAM themes are connected by a single point of understanding: cyber security is a personal matter. As such, it often takes a person-centric approach to mitigate IT security risks. For example, insider threats, which we discussed in our first post for Week One of NCSAM, carries the risk that some of our employees might want to compromise companies' information security. Organizations can best address insider threats by conducting background checks of potential employees and taking other precautions with their workforce. Similarly, ransomware personally affects each victim by denying them access to their data, which for companies could mean an important customer's business profile or W-2 information for employees. Organizations aren't powerless to defend against ransomware attacks, however. They can follow this three-pronged approach to prevent (and prepare for) an attack. Many aspects of cyber security affect us personally, but compared to other facets of our digital lives, nothing is more personal than our passwords. That's why organizations must provide their employees with good password security practices, which starts with teaching them how to protect their personal accounts. Zoë Rose, cyber security analyst, is a firm advocate of this position:

"Positive user experience is lacking when dealing with passwords, never mind with multi-factor authentication. The culture surrounding authentication is confusion. Users aren't aware of why they need to care, and therefore they don't. For companies to stay vigilant, they need to make users more aware and bring the fire closer to your employees (bring them closer to the risk). They need to build awareness focused on personal accounts."

Here's how your company can build a proper password security policy at the workplace.

Establishing Personal Password Security Practices

Creating strong passwords isn't as difficult as remembering them and saving time when you're attempting to log into one your accounts. Fortunately, we are well past the days of having no option but to write all of our passwords down in a Word document. We can now download password managers, software which stores our passwords for us and auto-fills our login information whenever we visit a saved website. According to Brad Winckler, a researcher in Tripwire's R&D organization, password managers streamline our web account security and can help employees make other secure decisions, like creating harder-to-guess answers to their web accounts' security questions: Additionally, no one should ever pass up an opportunity to take advantage of additional layers of security. That includes implementing two-factor authentication (2FA). Winckler couldn't agree more:

"I can't mention secure passwords and secure security questions without also reminding everyone to enable two-factor authentication for any online site you use that supports it. You can check many popular sites and services for two factor authentication support at https://twofactorauth.org."

Integrating Password Security into the Workplace

Once companies have impressed their employees with the importance of choosing strong passwords for their personal accounts, they can develop policies that all employees must follow with regards to their business emails. Rose elaborates on that point:

"Companies need to actually implement a proper password policy that can be validated! That includes implementing multi-factor authentication as well as showing users what a secure password is and is not."

With a policy in place, all that remains is for organizations to evaluate their employees against those standards. Rose feels companies can best accomplish that goal by implementing security training on an ongoing basis:

"Organizations should also run exercises to proactively check if users are following your guide, make the culture positive, and never attack a user who isn't aware. Think of yourself as the big sister or brother who has years of wisdom in cyber security. You want to protect and teach users. If the human aspect is the weakest, train it not to be."

Conclusion

We've all heard rumors that passwords are dead and that something will soon replace them. But that hasn't happened yet, partly because those means of authentication carry their own risks. Angus Macrae, Certified Information Systems Security Professional (CISSP), weighs in:

"Whilst we can expect biometrics combined with the likes of location and contextual behavioral analytics to become more reliable and commonplace [than passwords], these will only be as good in terms of both the security and user experience they offer, as well as the way in which they are implemented, maintained, and monitored. The Office of Personnel Management (OPM) breach has clearly demonstrated how a compromise of insufficiently protected biometric information can be far more devastating to recover from than a straight password haul. After all, there is no quick way to immediately reset everyone’s fingerprint."

With that in mind, Macrae feels it's up to the security community to make it easier for users to make the right choices regardless of the authentication method. That includes instructing them about available authentication technologies (password managers) and teaching them to care about their personal accounts so that they can take the security of their business emails seriously. This post concludes Week One of NCSAM 2016. Stay tuned for Week Two, when we will examine how employees can help build a security culture at their organizations.