Every organization has countless passwords, the digital keys to its corporate network. Each employee manages passwords for systems such as email, VPN, ERP, CRM, and HR. Executives and accountants often have even more to protect: accounting and financial systems, banking portals, and perhaps proprietary data or trade secrets. Unfortunately, many companies have poor password practices and treat digital security like physical house keys, using one password for multiple doors. Digital security demands stricter measures, because a single weak or reused password can have severe consequences. Sharing a password across accounts is like leaving a key under the doormat: the first place an attacker looks.
The danger of a shared password is that it takes only one compromise to open all the doors. If one account is breached, every other account that uses the same password is instantly exposed. When a user's Facebook password is also their personal banking password and their company VPN login, the Facebook credential leaked during a weekend vacation provides direct access to their finances and to your corporate network. Threat actors know that people reuse passwords, so when a breach dump hands them one of your passwords they try it against every other service they can reach (credential stuffing), knowing they may already hold the key. Best practice is never to use the same password for two accounts and never to reuse a personal password for a business account. Create a unique password for each account so that one leaked password cannot compromise multiple systems.
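A practical way to act on this is to audit your own vault for reuse before an attacker does. The script below is an added example (not code from Advanticom or from any password manager) that reads a generic password-manager CSV export with name, username and password columns and reports both exact reuse and near-duplicates such as a yearly increment. The export rows are constructed for the example; the column names, the edit-distance threshold and the minimum "stem" length are assumptions you can adjust to your own export format.

```python
import csv
import io
from collections import defaultdict
from itertools import combinations

# Constructed sample export: columns mimic a generic password-manager CSV
# (name, username, password). Every row here is invented for this example.
SAMPLE_EXPORT = """name,username,password
Email,alice@example.com,Summer2023!
VPN,alice,Summer2024!
Bank,alice@example.com,Summer2023!
CRM,alice,Tr0ub4dor&3
HR Portal,alice,correct horse battery staple
"""


def load_export(text: str) -> list[dict]:
    """Parse the CSV export into a list of {name, username, password} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused(entries: list[dict]) -> list[list[str]]:
    """Group account names by identical password; return groups of two or more."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return [sorted(names) for names in by_password.values() if len(names) > 1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(password: str) -> str:
    """The letters only, lower-cased: 'Summer2023!' and 'Summer2024!' share 'summer'."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def find_similar(entries: list[dict], max_distance: int = 2, min_stem: int = 6) -> list[tuple[str, str]]:
    """Pairs of accounts whose passwords differ only by a few characters or only
    by digits/symbols appended to the same word. Exact reuse is left to find_reused.
    Thresholds (max_distance, min_stem) are assumptions chosen for this example."""
    pairs = []
    for a, b in combinations(entries, 2):
        pa, pb = a["password"], b["password"]
        if pa == pb:
            continue
        close_edit = levenshtein(pa, pb) <= max_distance
        same_stem = len(stem(pa)) >= min_stem and stem(pa) == stem(pb)
        if close_edit or same_stem:
            pairs.append((a["name"], b["name"]))
    return pairs


def audit(text: str) -> dict:
    """Run both checks and return the findings for reporting or assertions."""
    entries = load_export(text)
    return {"reused": find_reused(entries), "similar": find_similar(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("Identical password shared by:", ", ".join(group))
    for a, b in report["similar"]:
        print(f"Near-duplicate passwords: {a} / {b}")
```

Run it against a real export only on a trusted machine and delete the export afterwards; the file holds every credential in plain text. The stem check is deliberately simple: it catches the common "same word, new year" pattern that an attacker also tries first when a leaked password fails.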
Strengthening Security with MFA
One of the most effective defenses against account takeover is enabling Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) on all of your accounts. 2FA and MFA add an extra layer of security by requiring not just a password but a second method of authentication, such as a one-time code from an authenticator app on your phone. This means that even if someone gets hold of your password, they still cannot access your account without the second factor. 2FA is a specific type of MFA that uses exactly two factors, whereas MFA can combine two or more, for example a password (something you know), a code on your phone (something you have), and a fingerprint scan (something you are). Not all second factors are equal: codes sent by SMS can be intercepted or socially engineered out of a carrier, and push prompts can be approved by a tired user, so prefer an authenticator app and, where a service supports it, a phishing-resistant method such as a FIDO2 security key or passkey.
Implementing MFA across all critical systems is best practice and quickly becoming a regulatory standard across industries. In finance, healthcare, government, defense, and law enforcement there are specific regulations in place requiring MFA to protect sensitive data. Additionally, MFA is becoming a condition for coverage with many cyber insurance providers including AIG, Chubb, Travelers, Liberty Mutual, Berkshire Hathaway and more.
Strengthening Security with a Password Manager
With dozens of accounts to manage, employees often reuse passwords. Sometimes we are just lazy in the moment and cannot give enough thought to creating something unique. That is where a password manager comes in. Password managers generate and store strong, unique passwords for each of your accounts, so you never have to rely on your own memory to create and remember them. The only password you need to remember is the "master password" that unlocks the vault (protected with MFA as well, of course!). A password manager is not only a convenience but a critical step toward a secure digital life, especially in a business environment.
In general, password managers have not been as strictly enforced as MFA. HIPAA recommends that covered entities implement strong access controls to protect patient information, such as using a password manager, but it does not explicitly require one. Even the National Institute of Standards and Technology (NIST), whose guidance underpins many financial and government regulations, recommends using a password manager to create and store unique passwords; nevertheless, adoption of password managers in the workplace is not as prevalent as the use of MFA. If your organization is not providing or requiring employees to use a password management tool, implementing one would be a strong improvement in its security posture. Even where they are not specifically mandated, password managers are highly recommended to enhance security and data protection.
If you are not familiar with the benefits of a password manager, here is a quick look at what implementing such a solution provides:
- Strengthen Data Protection for the Organization
Password managers enforce the use of strong, complex, and unique passwords for every account, significantly reducing the risk of breaches caused by weak or reused credentials. In a business setting, where employees handle sensitive data, ensuring robust password practices is essential to safeguarding company information.
- Boost Productivity & Improve Workflows
Mistyped and forgotten passwords are no longer a frustration, because a password manager auto-fills credentials on the legitimate, recognized websites they were saved for. That domain matching is also a phishing defense: the manager will not offer your bank password on a look-alike domain, however convincing the page looks. Employees log in quickly and securely, saving time and eliminating the constant cycle of resetting forgotten passwords.
- Centralized Control and Access Management
IT administrators can manage user access to critical systems and data by centrally controlling who has access to what. Password managers can allow for role-based access, ensuring that employees only have access to the tools and accounts they need, while also enabling quick deactivation of access when someone leaves the company.
- Enhanced Compliance and Audit Capabilities
Password managers enforce security policies such as minimum password strength, multi-factor authentication on the vault, and rotation of credentials that have been exposed (current NIST guidance in SP 800-63B no longer calls for routine periodic changes, only for changes when compromise is suspected), and they provide audit trails. This allows companies to monitor and log password-related activity, helping to demonstrate compliance and identify security risks.
- Secure Credential Sharing
Sometimes teams need to share login credentials for collaborative tools or shared platforms. A password manager enables secure, encrypted sharing of these credentials among team members, eliminating the risk of sending sensitive information through unsecured channels such as email or chat.
Investing in a password manager protects your company’s data and its reputation. In your personal life, the same is true, as a password manager can make it easy to follow best practices and protect all of your personal accounts with unique credentials to limit the exposure of a leaked password.
October is Cybersecurity Awareness Month
Don't get spooked, get smart: deploy password best practices at home and in the office! Set up MFA on all of your accounts, review your passwords and change any duplicate or similar ones so that each is unique, and start using a reputable password manager to make it easier on yourself. There are several free and low-cost password managers to choose from for personal use. One example Advanticom recommends is Bitwarden (https://bitwarden.com/products/personal/). For in-office use, your IT administrator should consider the available options from market leaders, and if they need any advice we are always happy to assist and make recommendations based on the size and needs of your organization. In the spirit of Cybersecurity Awareness Month, make it a discussion at work and at home to ensure that those you care about are also setting up their own defenses to protect their digital lives, so that both personal and corporate data are protected. Small actions, like enabling MFA and using a password manager, can make a world of difference!