According to research by LastPass, despite 92% of online users recognising that using the same password is a risk, 65% still reuse theirs across accounts, increasing the risk of a data breach. Following on from this, The National Cybersecurity Alliance launched a recent report which revealed that 48% of respondents said they have never heard of multi-factor authentication.
Cybersecurity awareness should be an all-year-round activity, and this is another reminder for organisations to renew their employees’ cybersecurity awareness training. Using strong passwords for account logins is one of the basic steps, yet time and time again, employees fail to comply with security policies at work.
For organisations, employees neglecting to set strong passwords or having poor password habits can increase vulnerability to its cybersecurity strategy. If a password is exposed in a data breach, and the employee uses that same password for their company account logins, it can be extremely detrimental.
It’s worrying how many people continue to use simple passwords. The latest findings by CyberNews, which analysed more than 15 billion passwords, found that the most common passwords included “123456”, “123456789”, and “qwerty”. It takes cybercriminals less than a second to hack into accounts using these.
Here are some top tips to strengthen your organisation’s password hygiene:
1 – Use complex passwords
Having a robust password means creating one which is long and difficult to guess. This should include a minimum of eight characters, a mix of upper- and lowercase letters, numbers and symbols.
CyberNews’ research revealed that the internet’s favourite names in passwords included “Eva”, “Alex”, and “Anna”. Employees should avoid using names, phone numbers, birth dates, consecutive numbers or letters, their username or email address and words from the Oxford dictionary, as these are all easy to guess.
2 – Create paraphrases
Remembering passwords can be tough, which is why employees slip into bad habits of reusing the same password across different accounts. Repeating passwords is one of the worst things to do. Organisations can educate employees on using a phrase for their password that is meaningful to them and change some of the characters to improve the password strength.
Take the phrase “hit the hay”. Changing some of the letters for numbers and symbols can help create a stronger password, resulting in something much harder to guess like “[email protected]”.
3 – Never share passwords
While it might be easy to give colleagues access to a piece of software by sharing login and password details, this is not wise. Passwords can be easily compromised this way, and when shared across unsecure platforms, it’s just asking for a disaster to happen.
Educate employees to be aware of phishing scams. Phishing attacks can attempt to penetrate cyber-defences by going after employees. Employees who may be distracted or busy with work may fall into a cybercriminal’s trap by clicking on a suspicious link to validate their account on Office365 or update their password. The next thing they know, a hacker has access to their password and has compromised their work account.
4 – Change passwords when prompted
Earlier security advice suggested employees must change their passwords every three months, but experts found that this led to employees creating weak passwords as they changed them so often. So, as long as employees use unique, strong passwords for each account, and have added security layers such as two-factor authentication, it’s less necessary for them to be changed so often. Despite this, employees should always follow advice from their IT/security teams if prompted to change a password. This could be a precautionary measure if IT teams are worried about potential data breaches or leaks involving the system.
One way to check if someone’s details have been involved in a data breach is by checking them on https://haveibeenpwned.com/. Organisations should share this advice with employees for them to verify if their details have been compromised. This site scans known data breaches for the user’s email or phone details and tells the user which ones their details have been exposed in. This makes it easy for the user to change passwords associated with those accounts.
5 – Use password manager software
Good password hygiene involves using unique passwords for each account – although remembering lots of strong passwords can prove difficult. While it is tempting to use browser-based password managers, this is not too secure. Organisations can recommend employees use specific password management software to help record and store passwords securely and to reduce the risk of a breach.
6 – Set up multi-factor authentication
Multi-factor authentication password practices strengthen an organisation’s cybersecurity strategy. While it only requires adding another layer to the sign-in process, it significantly reduces the risk of a hacker infiltrating an employee’s account. Each time an employee logs in to the company account from a different device, multi-factor authentication should prompt them to enter an authentication code to verify their account. This is usually done by sending a one-time password code to their phone via text message or using backup codes for employees who do not have access to a mobile device.
Educating employees on good password hygiene is a straightforward way to strengthen your organisation’s cybersecurity strategy and reduce the risk of data being compromised. With employees being an organisation’s first line of defence, it’s more important than ever for them to learn good password habits.
Having completed his degree in Networking & Communications Technologies, Jason Stirland has spent nine years working in eLearning. From starting his career as first-line technical support, Jason has expanded his role to incorporate programming and sales and often hosts consultative software meetings for key clients. Jason has been responsible for developing DeltaNet’s Astute Learning Management System, as well as the organisation’s IT/security infrastructure and software strategy.