Global Change Your Password Day: A Call to Action
Table Of Contents:
February 1 marks Global Change Your Password Day, which was established in 2012 to encourage awareness of good password management practices. It’s no secret that human error is the leading cause of data breaches: a 2022 study by the World Economic Forum found that 95% of cybersecurity issues stem from mistakes.
With cyber threats only continuing to multiply, it’s more important than ever that businesses take preventative action to mitigate human-shaped risk, including improving password management.
The Importance of Good Password Management
Passwords are the first line of defence in cybersecurity—the keys to our digital front door. Enforcing good password management is, therefore, a critical component of any business risk management strategy. Weak, easy-to-guess passwords increase the risk of successful data breaches, allowing hackers to access private emails, networks and sensitive corporate and customer data.
Data breaches also create reputational and financial risk. The IBM Cost of a Data Breach 2023 report found that the global average cost of a data breach to a business was $4.5m, a 15% increase since 2020.
Reputational damage can also have a significant impact. In 2018, Facebook’s share price plummeted by over $100bn after the data breach incident involving Cambridge Analytica. British Airways suffered a drop in reputation score and share price after a 2018 data breach that saw hackers access the personal and financial information of nearly 500,000 customers.
Additionally, good password security can help improve compliance with data protection regulations like the EU General Data Protection Regulation (GDPR) and information security standards like ISO 27001.
Password Management Challenges
In an ideal world, every employee would have a unique password for each login. In practice, remembering multiple different passwords isn’t practical and can lead to password fatigue. Enforcing compliance with password policy can also be tricky. A good place to start is to set up system rules for password length and require passwords to be updated after a certain amount of time.
Best Practices for Business Password Management
Organisations can ensure they follow password security best practices in various ways:
Password Length And Complexity
Consider setting requirements that passwords be between 12-20 characters, with a range of lower-case and upper-case characters, special characters and numbers for increased strength. A study by Carnegie Mellon University’s CyLab Security and Privacy Institute found that requiring a minimum strength and a minimum length of 12 characters created a good balance between security and usability.
Update Policies
While Global Change Your Password Day is a timely reminder to update passwords, it shouldn’t be the only time passwords are changed. Security software company McAfee recommends that passwords should be changed every three months.
Password Reuse
It can be tempting for employees to use the same password for several accounts within their work environment. However, this increases the risk of account takeover. If a threat actor has access to one account with that password, they will effectively have access to them all. Employee training and education can help mitigate this risk by discouraging password reuse.
Password Management Tools
Whether standalone or included within browsers, these tools are designed to bridge the gap between security and usability—by storing and securely recalling strong, unique passwords for every site and application. However, it’s essential to note that if a hacker gains access to the password management tool, they will be able to compromise all of the passwords stored within.
Implementing Multi-Factor Authentication
Multi-factor authentication (MFA) requires the user to provide two (or more) forms of verification to access an account. For example, MFA may require the user to log in with their username and password, then provide a one-time password (OTP) texted to their phone. The user must provide both their password and the one-time password to access the account, adding an extra layer of security.
There are several types of MFA:
OTPs And Time-Based OTPs
OTPs are a strong form of MFA and can be sent via authenticator apps, password managers or text messages (SMS). Once the password is used, it is no longer valid for use again. Time-based one-time passwords (TOTPs) add an extra layer of security because they are only valid for a limited amount of time.
Using OTPs and TOTPs with an authenticator app or password manager is more secure than receiving them via SMS. Text messages are susceptible to SIM hacking, intercept attacks and social engineering.
Email MFA
Email MFA involves the user’s second form of authentication being delivered to their email address. This form of MFA, while easy and accessible for users, poses similar risks to SMS OTPs should a hacker have access to the email account to which the code is being delivered.
Biometric MFA
Biometric MFA uses facial recognition, a fingerprint scan or an iris scan to validate the user’s identity and can be a strong form of authentication. It is commonly used on mobile phones, as the user can configure biometrics instead of using a personal identification number (PIN) to unlock the phone and even use them to access secure apps such as authenticator and personal banking apps.
While biometric MFA is one of the more robust forms of authentication, users can still be susceptible if their biometric data is stolen. Unlike passwords, this data cannot be reset or changed.
Employee Education And Policy Enforcement
One of the main barriers to enhanced password security is the risk of human error. Employee education is critical to ensuring everyone in the organisation knows the risks associated with bad password management and their cybersecurity responsibilities. However, it’s also essential to provide solutions that allow staff to focus on their work and avoid password fatigue.
Cybersecurity Training
Investing in employee cyber-awareness training can help keep the business secure and ensure staff are able to spot and report other risks, like attempted phishing attacks. Many dedicated training platforms enable organisations to run courses across the business, monitor who has completed the required training and automatically send email reminders to laggards.
Password Policy
Develop a password policy aligned with best practices, and communicate that policy across the business. This can be done alongside cybersecurity training to help everyone in the company understand the decision-making behind the policy and improve employee adherence.
Policies could specify minimum password length, complexity, allowed character types, and other elements. As mentioned, the IT team can also set up employee devices to require updates after a certain period of time, such as 90 days.
How ISO 27001 and Other Frameworks Can Help
Information security frameworks like ISO 27001 and regulations like the GDPR require businesses to take action on password security.
For example, the GDPR requires businesses to process personal data securely using “appropriate technical and organisational measures”, while ISO 27001:2022 Annex A Control 5.17 requires that authentication information be kept secure. The control guidance also states that users should select hard-to-guess, strong passwords in compliance with industry standards:
● Passwords should not be based on personal information that can be easily obtained, such as names or birthdates.
● Passwords should not be founded on information that can be readily guessed.
● Passwords must not comprise words or sequences of words that are common.
● Use alphanumerics and special characters in your password.
● Passwords should have a minimum length requirement.
Five Steps to Improve Password Policy
1) Audit Current Password Policy
Review the organisation’s existing password policy. Does it need to be updated or improved? If there isn’t a current password policy in place, develop one in line with industry standards.
2) Communicate Across The Business
Ensure all staff are aware of new or updated password policies. Define the policy and why it’s essential, and consider training employees in tandem. Organisations should also look at training managers so they can advocate the policy to others.
3) Implement Password Management Tools
Choose approved password management tools. Using a management tool lightens the load of remembering several different credentials for different accounts, improving the likelihood of employee uptake.
4) Use MFA
Implement MFA as an additional way to authenticate users and mitigate the risk of phishing.
5) Invest In Employee Education
Train employees to follow a new or updated password policy and educate them on using password management and MFA tools. This can improve buy-in and help staff understand the importance of good password management.
It’s Time to Take Action
In our digital-first world, it’s more important than ever for businesses to take stock of their cybersecurity. Global Change Your Password Day serves as a call to action for business leaders. Now is the time to proactively identify areas of vulnerability, including poor password policies, and reduce the risk posed by cyber-threats to businesses, data and – by extension – people.
Ready to take action to secure your business and improve your password management? Learn how our information security management system (ISMS) solution can help your organisation improve security posture and align password policy with powerful information security frameworks.