There are only two types of employees when it comes to IT security: major risk employees and minimal risk employees. The only difference is that the minimal risk employees have been trained, have a sense for what is unsafe behavior and take action to protect themselves and the organization.
So how do we get to a minimal risk IT employee? That’s where end-user security training comes in. This is the first in a series of articles that will help you train your employees on IT security.
If you follow these rules, bad actors will most likely get discouraged and leave you to find an easier mark.
Password Strength and Reset
We all hate resetting our passwords every three months. As soon as you start to remember your password by heart, you end up having to reset it.
If you’re one of those IT shops that has decided the annoyance of a reset is not worth the result, I have news for you: you are the slower guy running from the lion.
You can’t afford not to change your password on key systems every three months. It would be like moving into a new house and keeping all the same locks as the previous owner.
So, what needs to be reset every three months?
Passwords to Reset Every Three Months
- Windows login: Obvious and easy to automate – make sure every single user is doing it.
- Email/Office 365: Once again, easy to automate and can tie into your Windows login refresh.
- Hardware, especially routers and firewalls: Many IT admins leave the default “admin” username and password on their routers and firewalls. This is the easiest and most common way for a threat actor to get inside your network and start poking around.
- Customer relationship management (CRM): Should be automated by your CRM supplier, but make sure that any software that has an API into it is also following two-factor authentication with a force password reset.
- Marketing automation: Marketo, HubSpot, Constant Contact, etc. Anything that houses customer data needs to comply with the General Data Protection Regulation (GDPR) and have strict two-factor authentication on it. I’m isolating this specifically because it’s a growing attack landscape.
Password Do’s and Don’ts for Everyone to Follow
I’ll mention this again later because it’s really important, but don’t make exceptions for anyone on your staff to opt out of your password policy, ESPECIALLY the executive team.
While executives may gripe about password resets more than any other group at your organization, they are the most frequently targeted group. We’ll talk more about the finance team in another article.
First, the don’ts. Avoid using the following in your passwords:
- Address (home and office)
- Date of birth
- Phone number
- Personal, child or spouse birthday
- Anything about you posted on social media as an interest, including sports teams, hobbies, cars, etc.
Try to avoid using common phrases in your passwords as well, such as these:
- Qwerty (in any form without special characters)
- Sports teams, like Liverpool or Manchester in the United Kingdom or Cowboys or Lakers in the United States
- Swear words – very common, actually. The “f” word ends up getting turned back on you when the hacker is breaking into your account, though.
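The don’ts above can be enforced at reset time rather than left to memory. The following is an added example, not code from the original article: a checker that flags a candidate password when it contains fragments of the user’s own personal data or one of the common phrases listed, even when the user has swapped in digits or symbols (Qw3rty, L1verpool). The profile record and its field names are constructed for the example.

```python
import re

# Constructed personal-data profile for one user, the kind of record HR or a
# directory would hold; the field names are assumptions for this example.
PROFILE = {
    "address": "221 Baker Street",
    "date_of_birth": "1987-03-14",
    "phone": "555-0142",
    "spouse_birthday": "1989-11-02",
    "social_interests": ["Liverpool", "cycling", "Mustang"],
}

# Phrases the article warns against. A real deployment would extend this with
# the organization's own list (local teams, swear words, product names).
COMMON_PHRASES = ["qwerty", "liverpool", "manchester", "cowboys", "lakers"]

# Undo the usual digit/symbol substitutions so "Qw3rty!" still reads "qwerty".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def canon(s: str) -> str:
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def deleet(s: str) -> str:
    """canon() after reversing the leet substitutions above."""
    return canon(s.translate(LEET))

def personal_tokens(profile: dict) -> set:
    """Profile fragments (words, digit runs, whole values) at least 4 chars long."""
    tokens = set()
    for value in profile.values():
        for item in value if isinstance(value, list) else [value]:
            tokens.add(canon(item))
            tokens.update(canon(p) for p in re.findall(r"[A-Za-z]+|\d+", item))
    return {t for t in tokens if len(t) >= 4}

def weak_password_reasons(password: str, profile: dict = PROFILE) -> list:
    """Return which of the article's don'ts the password violates; [] means it passes."""
    reasons = []
    for tok in sorted(personal_tokens(profile)):
        if tok in canon(password) or tok in deleet(password):
            reasons.append(f"contains personal data '{tok}'")
    for phrase in COMMON_PHRASES:
        if phrase in deleet(password):
            reasons.append(f"contains common phrase '{phrase}'")
    return reasons

if __name__ == "__main__":
    for pw in ["L1verpool1987!", "Mustang@0142", "Qw3rty!!", "correct-horse-battery"]:
        print(pw, "->", weak_password_reasons(pw) or "ok")
```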
Now for the do’s. As far as password strength goes, it’s well known in 2019 that you should include the following:
- Uppercase and lowercase letters, plus numerals
- Special characters, e.g. !@#$%^&*()