When it comes to cyber security, prevention is always better than a cure. And strong passwords, along with a robust set of password security best practice guidelines, are crucial to protecting your business against data breaches and cyber-attacks.
In this post we’ll discuss what makes a secure password, while exploring certain password security best practice policies and procedures.
If you want to discuss your cyber security risks, we have a team of experts on hand to help. Call us on 0208 290 9080 or email us at cyber@anthonyjones.com.
How Often Should Passwords Be Changed?
It’s long been recommended that you should periodically change your passwords – every 30 days, 90 days, 180 days, or otherwise. However, the US National Institute of Standards and Technology (NIST) currently advises that you avoid periodic password changes.
Why Avoid Periodic Password Changes for All Staff?
Because when prompted to change their passwords, most users tend to recycle passwords they’ve used previously, as they find them easier to remember. Or worse, if they create a completely new password, they may write it down somewhere to help them remember it. And obviously, writing down a password can compromise your cyber security.
So rather than enforcing periodic password changes for all employees, you should instead only change passwords at key times.
When Should You Change Your Password?
You should change your password:
- After an employee’s left your business – to reduce the risk that vindictive ex-employees might access any sensitive information.
- Following any potential threats or compromises – such as when an employee accidentally clicks a link in a phishing email.
Password and Security for Your More Secure Systems
Any employees with privileged access to certain apps or systems, though, should still commit to regular password changes. You could even implement one-time passwords (OTP) for access to your most secure systems, which expire immediately after use.
What Makes a Secure Password?
Forget the “old fashioned” secure password best practice guidelines. A secure password does not necessarily have a minimum length, or a mix of characters, numbers, and symbols. Nor is a random combination of numbers and letters particularly secure. Cybercriminals can use AI and other tools to automatically generate hundreds of such combinations in no time at all so as to brute force their way into your systems.
So what makes a secure password? Here are a few ideas:
- Avoid using dictionary words. Hackers can implement “dictionary attacks” to automatically inset common words into password fields.
- Use a different password for every site and application. And make every password totally unique. This way, if a hacker obtains one password, there’ll be less chance that they’ll compromise your entire network or system.
- Use multi factor authentication. For example, through sending unique codes to employees’ mobile devices at login. This way, even if a hacker guesses or cracks a password, they still won’t be able to gain access to your data.
- Test your password. Microsoft has a handy Password Health Indicator tool which will give you an idea of how secure your passwords are.
How to Ensure Staff Have Secure Passwords
Ongoing education and training is the best way to ensure your staff have secure passwords. Advise them on the importance of password security, on the value of multi factor authentication, and on the need for setting a different password for every login.
And crucially, make sure employees never share passwords. When it comes to securing the most critical data and systems, some businesses go as far as making password sharing a sackable offence.
You can also help make password security best practice as easy as possible for your employees. For example, with a password manager system, employees only need to remember one single password. The system can then automatically and securely store strong passwords for every site and application they use.
Protect Your Business From Cyber Attacks
An intelligent cyber security policy is your business’s best defence against cyber-attacks. But it’s just as important to have a policy in place for effectively responding to threats, compromises, and breaches. And for this, specialist cyber insurance can make a huge difference.
In the event of a data breach, cyber insurance will cover your business’s liability as well as your ability to manage the impact on both your systems and finances.
If you have any questions about business insurance, or if you want to discuss whether cyber insurance is right for you, we have a team of experts ready to help. Call us on 0208 290 9080 or email us at cyber@anthonyjones.com.