Privacy: the state of being free from public attention, or a state in which one…
A Definitive Guide to Small Business Password Security
Small Business password security is a growing topic of concern and the risk of is only going to increase.
Passwords seem to be the curse of the current age and forgotten, or stolen passwords cause 100’s of lost business hours. This includes calls to support desks, reset password request emails and security code exchanges which just become draining.
The strain comes when timing is critical. A deadline to submit, pay, collect, arrange, or deliver often brings stress. This is particularly true when you’re locked out of a critical service. The last thing staff and small business owners need is more stress.
Other issues, such as connection to social and networking groups, are often key to business development. When lost or stolen passwords to these network services disrupt the days flow time-poor business owners just become exhausted. And not to mention the reputation of damage from a hijack.
As well, this is a problem for business community groups; there is the lost social connection and support for organisations. Consequently, businesses also lose potential opportunities when disconnected from these groups.
So, let’s look at how to improve Small Business password security.
Firstly we need to make it easier to remember and secure them by using the following:
- Single Sign-on Managers
- Password Vaults
- Browsers to remember Passwords
- Social media sign-on
- Simpler easy to remember passwords
There are a couple of strategies for managing Small Business password security, and the benefit depends on how many staff you have.
If these staff have access to confidential information or privacy services in your business, then a management tool is a better solution. Sometimes your IT Solutions company will provide a service or recommend a tool to help manage them. You need to be aware they may also have some commercial interest so these recommendations may not align with your business needs.
There are two types of password management tools: single Sign-On and Password Vault services.
Single Sign-On tools.
These are aimed at larger enterprise operations and might better serve business of a medium size, with 20 or more staff and/or with many locations. These usually have a dedicated IT department or use IT services management agreements, and the organisation will have a Digital Strategy and staff focused on security awareness.
The three best-regarded tools are:
- Okat; a flexible, straight forward tool usually used by companies with over 50 staff
- OneLogin; high user satisfaction scores, most users from education sectors
- RSA SecurIDAccess; high visibility in the security market with good management features.
Password Vault services.
These support a type of application sign on using many passwords generated by a vault application.
Users don’t need to remember these passwords. The vault manager does. These are presented to the applications login service.
Password vaults work like SSO services some times provide added value. This might be securing documents while others check for security breaches and provide alarms. In general, Password Vaults work with individuals and most offer the ability to organise users into groups and teams. Password vaults are cost-effective to set up for up to 20 or 30 team members and typical pricing models for a business start at 5 Users.
A key rule for each use is to remember the access code to the vault holding the passwords. And don’t forget this password as it is usually unrecoverable.
So what are other options for Small Business password security?
Managing passwords in your browser.
This is not a good option. There are no underlying security standards for commonly used tools. Chrome, for example, uses your operating systems host standards, which means you need to use other password policies to improve security and privacy.
Social Media login.
Social media login is a security risk. Facebook has made its universal login API to carry user profile information. This information transmits to other web sites, and on less secure sites, this can be used to sponsor invisible tracking and information collection.
A recent study done through sites supported by Princeton University found code able to scoop up user information undetected. This capability is on over 400 of the top 1 million web sites.
The risk to your business is like the data collection process used by Cambridge Analytica.
Using simple, easy to remember passwords.
Can these be secure? Firstly, let’s look at password lengths and the frequency that passwords should be changed. Recommended password lengths are usually 10 to 16 characters, and historically changes to passwords were often advised as monthly. However, both guidelines have shown to be of not much benefit and often cause the lost, forgotten password issues for support or reissuing requests. Therefore, these guidelines are changing.
Kevin Mitnick in Know Be 4’s demonstration video; shows a 26-character encoded and encrypted password. In this video, he demonstrated the possibility to crack a password in less than 24 hours. So, changing passwords frequently has little benefit if they are less than 26 characters. (In his demonstration it took less than 2 minutes)
So how to create a simple (easy to remember) password? It must be greater than 26 characters!
The strategy is to use a PassPhrase. These are easy to remember and, can easily be longer than 26 characters.
An example of a passphrase is
“Ev3ry Thursday we like to chase bats in the Park after dark#
The features of this passphrase are: Upper case, numeri’s and special characters, 62 characters, including spaces.
This phrase would not be easy to guess unless you have shared that this is what you do on Thursday’s. In addition, it will take more than 24 hours to crack.
So, what have we learned?
- Use a long Pass Phrase that will take more than a year to break down, if at all.
- Don’t change passwords frequently.
- In medium or large organisations, use an SSO or a Vault manager
- Don’t use social media to authorised login security credentials
What is the easiest digital security strategy?
Don’t use the same password across all the sites you access. Have passwords in classes:
- Class 1: for sites which have no financial or personal information; if broken into, will have no personal or business reputation impact. Use an easy to remember password that can be quickly changed if compromised.
- Class 2: for sites which may contain confidential data, like order details social contacts, accessing social media sites. I have several of these which are short PassPhrase passwords of around 30 characters — used for frequently accessed services.
- Class 3: for sites with financial or sensitive personal, business or client data like your CRM or business accounting. Long PassPhrase with multi-factor authentication such as SMS/email codes or Google Authenticator.
- Class 4: for bank account or other critical government sites. Use the secure Public Key Identification with a PIN that cannot decompose, which comes from your personal life. I have an ID from childhood that could not be processed out from something such as an anniversary.
Have a strategy based on the risk of losing everything.
Ask the question, what is the effect on my business, clients, brand, and financials for each service?
- Do I have a security profile statement for each service with a public security risk?
- Do my staff know their security risk to my business?
- Does my IT service provider know my security requirements, is it written down?
- Do I know what social media has my data?
The Australian statistics show that 67% of reported breaches to the Privacy Commissioner were username and password related! How many of you have received notices from social media “friends” losing control of their accounts? I’ve had several in the last few weeks.
My final suggestions for Small Business password security:
- remove old user accounts
- help protect users with awareness training
- adopt a password policy in your digital strategy
- be security aware
With the rising concern for Small Business password security, I suggest you take action and review your current practices as soon as possible. The reward will be peace of mind and a secure digital presence for your business now and in the future.
“The opinions expressed by Smallville Contributors are their own, not those of www.smallville.com.au"
SHARE THIS ARTICLE WITH LIKE MINDED SMALL BUSINESS PEOPLE