Your employees have a huge impact on your company’s security. If they choose easy-to-guess passwords or reuse the same password on personal and business accounts, you may be the one who pays for their poor choices. The recent rash of security scares brings this risk more to light than ever. Here are the steps you need to take to protect your business.
Implement a Password Policy
The first action to take is to create and roll out a strong password policy. The standard for strong passwords is at least 8 characters, with some combination of letters, numbers, and symbols. Password changes should be required at least quarterly, and new passwords cannot be repeats or variations on previous passwords.
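As an added illustration of the policy above (this is example code, not part of the original article), here is a small checker that enforces the stated rules: minimum length, a mix of letters, numbers and symbols, and rejection of passwords that repeat or are trivial variations of previous ones. The "variation" test, the HISTORY_DEPTH of 5 and the plaintext history list are assumptions made for the example.

```python
import re

MIN_LENGTH = 8       # the article's minimum
HISTORY_DEPTH = 5    # assumption: how many previous passwords to compare against


def _normalize(pw: str) -> str:
    """Lower-case and strip digits/symbols, so 'Summer2014!' and 'summer2015#' compare equal."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_variation(candidate: str, previous: str) -> bool:
    """True if candidate equals previous, or differs only by case, digits, symbols,
    or by adding/removing a few characters around the same core word."""
    if candidate == previous:
        return True
    a, b = _normalize(candidate), _normalize(previous)
    if not a or not b:
        return False
    if a == b:
        return True
    shorter, longer = sorted((a, b), key=len)
    # Treat 'password' vs 'password2' style changes as variations, but do not
    # let a tiny fragment (e.g. one letter) match everything.
    return len(shorter) >= 4 and shorter in longer


def check_password(candidate: str, history: list) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbols")
    for old in history[-HISTORY_DEPTH:]:
        if is_variation(candidate, old):
            problems.append("repeats or varies a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    print(check_password("Summer2014!", []))                  # []
    print(check_password("summer2015#", ["Summer2014!"]))     # variation of the old one
    print(check_password("password", []))                     # no numbers, no symbols
```

One caveat a real deployment has to deal with: systems store only hashes of old passwords, so the variation check can only be run against the current password, which the user types in plaintext at change time; older history can only be checked for exact repeats by comparing hashes.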
Most companies with Windows servers have the ability to configure and roll this out very quickly. It’s largely an automatic process, aside from helping people when they forget their new passwords. This will happen a lot! Be sure to educate your team so they know what’s happening and why.
Limit Personal Use of Company Resources
Many companies are fairly relaxed about letting employees access the Internet and email for personal use. There is a hidden downside: your employees may surf sites that are unsafe, they may download programs that contain malware (malicious software), or they may open attachments on personal email accounts that contain viruses. You can lock down company resources, but when an employee is free to access their own websites and accounts, you never know what they might bring into your company’s network. You can minimize this with strong antivirus protection, firewall security, and web filtering. However, your employee may still click the wrong link or open the wrong attachment. Just like that, their computer and possibly more can be infected.
Scan for Malware Regularly
You should have antivirus software in place, with regular scans. Make sure you also scan for malware, which may be a separate program or security subscription. Malware is malicious software that runs on your computer in the background. It is usually fairly stealthy and not obvious, although if your computer seems to be running slowly that is often a symptom. These programs quietly log keystrokes, gather financial information, and/or collect passwords. This information can be used for a variety of purposes, none of them good.
If you want to be extremely strict you can set security policies that block employees from installing new programs on their computers. This will prevent the installation of malware. These policies tend to create other complications though, because then all software has to be installed by a system administrator. Some programs even require administrative access just to run, so a blanket restriction won’t be possible for every user. If you go this route, your IT staff will have to be on the ball so that they can handle the extra work this will create for them.
Terminate User Credentials Immediately After Departure
When employees leave, disable their user accounts immediately. If you need an account to remain active – for example, to forward their email to another employee – at least change the password so the former employee no longer has access. This applies to anyone else who has company access, including consultants, contractors, vendors, interns, etc.
Monitor Failed Login Attempts
Set your systems to track failed login attempts. This could be remote logins for people working from home, email access on mobile devices, logins to web-based software applications, and any other core business systems. If you see a large number of failed attempts in a short period of time, either you have a very frustrated employee with a bad memory, or your company is under attack. You will need to assess the situation promptly and take steps to ensure that your security is not at risk.
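The kind of tracking described above can be automated. The following is an added example (not code from the original article) that scans constructed, syslog-style login records and raises an alert when one user/source pair fails five or more times within five minutes; it also flags a later successful login from the same pair, which is the case that most deserves a prompt look. The log format, the threshold and the window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system), one login event per line.
SAMPLE_LOG = """\
2014-05-12T08:00:01 vpn   FAILED login user=alice src=203.0.113.5
2014-05-12T08:00:05 vpn   FAILED login user=alice src=203.0.113.5
2014-05-12T08:00:09 vpn   FAILED login user=alice src=203.0.113.5
2014-05-12T08:00:14 vpn   FAILED login user=alice src=203.0.113.5
2014-05-12T08:00:20 vpn   FAILED login user=alice src=203.0.113.5
2014-05-12T08:00:27 vpn   FAILED login user=alice src=203.0.113.5
2014-05-12T08:00:40 vpn   OK     login user=alice src=203.0.113.5
2014-05-12T08:00:31 vpn   OK     login user=bob   src=198.51.100.7
2014-05-12T09:15:00 mail  FAILED login user=carol src=192.0.2.9
2014-05-12T09:45:00 mail  FAILED login user=carol src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<system>\S+)\s+(?P<result>FAILED|OK)\s+login\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)"
)


def parse(line: str):
    """Turn one log line into a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_bursts(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts for every (user, source) pair that fails `threshold` times within `window`,
    plus a second alert if that pair later logs in successfully."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures inside the window
    alerted = set()               # pairs already reported, so each burst is reported once
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "OK":
            if key in alerted:
                alerts.append({"kind": "success_after_burst", "user": ev["user"],
                               "src": ev["src"], "system": ev["system"], "at": ev["ts"]})
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"kind": "failed_burst", "user": ev["user"], "src": ev["src"],
                           "system": ev["system"], "count": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

Carol's two failures half an hour apart fall outside the window and are ignored, which is the "frustrated employee" case; Alice's six rapid failures followed by a success are exactly what the text says to assess promptly. In production the same logic would read from the VPN, mail and web application logs rather than an embedded string.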
Restrict Administrative Access
Your staff should never have full administrative access to your systems unless there is excellent reason for it. Administrative rights, or credentials, mean that a given user can do anything they want inside a system. They can add, change, or delete anything; they can even change other people’s security permissions. Outside the IT department, it is rare for anyone to have full rights. An individual may have administrative access to their own PC, but not to the network, to any of the servers, to your software systems, or anything else that’s not specific to them.
Consider Two-Factor Authentication
If you still have security concerns, check out two-factor authentication. This requires both a password (the “first factor”) as well as a code or number that’s randomly generated by a second device, usually an electronic token. The code is entered at login, along with the password. Since the token changes values all the time, it cannot be written down or passed along to someone else. This greatly increases security although it makes the login process slightly more time-consuming.
Use Password Management Tools
A great way to discourage use of the same password on all systems is to use a password management tool. These are available for individuals as well as entire companies. There are web-based applications, apps for your mobile device, and desktop programs. The whole idea is that by having a secure place to store passwords, you can use a greater number of them without fear that you will forget. Most include a random password generator and a cut-and-paste feature that eliminates the need to retype each password every time.
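The random generator that such tools include is straightforward to reproduce. The following is an added example, not code from the article or any particular product: it draws from the operating system's cryptographic random source, guarantees at least one character from each class so the result satisfies the policy set out earlier, and reports the approximate entropy of the result. The symbol set and the default length of 16 are assumptions for the example.

```python
import math
import secrets
import string

# Assumed character classes; the symbol set is a choice for the example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Return a password of `length` characters containing at least one of every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    # One guaranteed character per class, then fill the rest from the whole alphabet.
    chars = [secrets.choice(cs) for cs in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # so the guaranteed characters are not always first
    return "".join(chars)


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cs for c in pw) for cs in CLASSES.values())


def entropy_bits(length: int) -> float:
    """Upper bound on the entropy of a uniformly random password of this length;
    the per-class guarantee removes a small fraction of this."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, has_all_classes(pw), round(entropy_bits(len(pw)), 1))
```

Because the user never has to remember these values, they can be as long as the target system allows; the point of the manager is that length and uniqueness no longer cost anything.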
Conduct Security Awareness Training
All the measures in the world won’t help if employees don’t take these policies seriously. Many people still think – mistakenly – that there is little chance their noncompliance could ever cause a problem. Recent outbreaks like the Heartbleed Bug and Cryptolocker virus reveal that nothing is further from the truth. One employee’s weak password or accidental download can take down an entire company’s data network. Now that you understand this, you must train your employees so that they too can understand how important these policies are.