EDITOR’S QUESTION
WHAT BEST PRACTICE APPROACH SHOULD BUSINESSES TAKE TO PASSWORD SECURITY?
Password protection is a critical component of a strong business cybersecurity strategy. Kevin Curran, Senior Member of the IEEE and Professor of Cybersecurity at Ulster University, says that the number one rule for companies managing passwords securely is for their employees to use a different password on every site. However, in doing this, individuals often forget their passwords, which not only impacts their productivity in the workplace but also results in a headache for IT teams. Businesses should therefore provide a reputable password manager, which generates complex, strong passwords and stores them in an encrypted vault. Employees then only need to remember one master password, and the password manager automatically takes care of logging them in to different sites with secure passwords.
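As an added illustration of the two operations the paragraph describes (this is example code written for this page, not code from the article, from Kevin Curran or from any password manager product): a per-site password is drawn from the operating system's CSPRNG, and the single master password is turned into the key that protects the vault with a deliberately slow, memory-hard KDF, so that every guess an attacker makes against a stolen vault costs real time and memory. Function names, the character-class policy and the scrypt parameters are this example's own assumptions.

```python
"""Added example, not from the article: password generation and master-password
key derivation as a password manager performs them. Names and parameters are
the example's own choices, not any product's API."""
import hashlib
import math
import secrets
import string
from typing import Optional

# Constructed policy: every generated password must contain one of each class.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # the 94 printable, non-space ASCII characters


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` characters that satisfies CLASSES.

    One character from each class is drawn first so the policy cannot fail,
    the rest are drawn from the whole alphabet, and the list is shuffled with
    a Fisher-Yates pass driven by secrets.randbelow so the forced characters
    do not sit in predictable positions. All randomness comes from `secrets`,
    never from `random`.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to satisfy the character classes")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_policy(password: str) -> bool:
    """True if the password contains at least one character from each class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes,
                     dklen: int = 32, maxmem: Optional[int] = None) -> bytes:
    """Derive the key that encrypts the vault from the master password.

    scrypt is memory-hard: with n=2**14, r=8 each evaluation needs about
    16 MiB, so an attacker with a stolen vault pays that cost per guess.
    The salt is random per vault and stored next to it in the clear; it only
    has to be unique, not secret. Parameters are the example's own choice;
    a production manager would tune them to its cost budget.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=dklen,
                          maxmem=maxmem or 64 * 1024 * 1024)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt)
    site_password = generate_password(20)
    print("vault key (hex):", key.hex())
    print("generated site password:", site_password,
          f"(~{entropy_bits(len(site_password)):.0f} bits of entropy)")
```

The vault itself would then be encrypted under `key` with an authenticated cipher from a vetted library; the point shown here is that the manager never needs to store the master password, only the salt, and that the derived key changes completely with either input.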
Curran believes that the problem with passwords is that they can quite easily be guessed, so companies should also enable two-step authentication when offered.
“Many sites now ask individuals to associate a mobile phone with their account. The premise is that two-factor authentication does not allow anyone to log in to an associated account without access to a phone which is registered to that account,” said Curran. “In theory, this should prevent any third party from hijacking that account – as long as they do not have the phone in their physical possession, as the registered phone will give them an ephemeral code to log in. Of course, this has been used to date as a supplement to the password. However, now there is a move to phase out the traditional password.”
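The ephemeral code the registered phone produces is, on most sites, a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time step, keyed with a secret that the phone and the site shared once at enrolment. The following is an added example written for this page, not code from the article or from Kevin Curran, showing both sides of that exchange: the phone's code generation and a server-side verifier that tolerates one step of clock drift, compares in constant time, and refuses to accept the same step twice so that a code captured in transit cannot be replayed. The class and function names are the example's own.

```python
"""Added example, not from the article: HOTP/TOTP code generation and a
replay-resistant server-side verifier. RFC 4226 / RFC 6238 algorithms;
names are the example's own."""
import base64
import hmac
import struct
import time
from hashlib import sha1
from typing import Optional

STEP_SECONDS = 30  # the RFC 6238 default time step


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(time / 30 s).
    This is what the authenticator app on the phone computes."""
    return hotp(key, unix_time // STEP_SECONDS, digits)


def base32_secret(key: bytes) -> str:
    """Encode the shared secret as authenticator apps expect it (QR code payload)."""
    return base64.b32encode(key).decode("ascii")


class TotpVerifier:
    """Server side of the exchange.

    Accepts the code for the current step or `window` steps either side to
    absorb clock drift, compares in constant time, and remembers the highest
    step already accepted so the same code cannot be presented twice.
    """

    def __init__(self, b32_secret: str, digits: int = 6, window: int = 1):
        padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
        self.key = base64.b32decode(padded)
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        step = now // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # this step (or an older one) was already used: replay
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment secret (the RFC 6238 test key), shared at enrolment.
    shared = b"12345678901234567890"
    verifier = TotpVerifier(base32_secret(shared))
    now = int(time.time())
    code = totp(shared, now)  # what the phone displays right now
    print("phone shows", code, "-> accepted:", verifier.verify(code, now))
    print("same code again -> accepted:", verifier.verify(code, now))
```

Two practical consequences are visible in the verifier: the acceptance window has to be small (here one step each way) because every extra step is another valid code an attacker may guess, and the `last_accepted_step` check is what prevents an intercepted code from being used a second time within that window.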
Curran says that when it comes to securing a business device,
hardware security keys are also excellent for protecting accounts
and systems.
“Biometrics, authenticator apps or hardware token solutions may not provide individuals with the complete authentication solution they need right now to more fully secure their accounts and systems, but they will play an increasingly important role in the days ahead. Hardware security keys are a step in the right direction and, combined with strong passwords, they are a useful defence.
“Businesses can use online websites that search across multiple data breaches to see if an employee’s email address has been compromised. Here, the individual submits their email address to see if their personal details have been released in previous website hacks, and you can also register your email to receive future notifications if your details appear in a future hack. If you do find your details registered, then the best practice is to log in to the site where you were compromised and change your password. Companies can also then watch out for phishing emails from the site just hacked.
“Device default passwords are also deadly in the enterprise. Employees should be encouraged to always change default passwords whenever buying an Internet-connected device, such as a router, a new work laptop or even connected CCTV. In fact, every device purchased and used within a company that has a default password should have it changed on first use,” advised Curran.
www.intelligentcio.com