I got a call the other day from a new employee at one of our clients who wanted her password changed. The passwords we assigned are random, so I recognize that trying to remember those is not easy. Unfortunately, she reminded me why we require that our clients have a password policy. She requested that her password be the same as her first name. Now, that would take a hacker NO TIME to guess whatsoever, and even adding random symbols or numbers wouldn’t deter anyone looking to gain access to her system.
And let’s even rule out hackers. What if another employee logged onto her system simply by guessing that her first name might be her password, or accessed her email to send out awful messages to others? That last one actually happened to a client, though it wasn’t the result of a poor password. With passwords being the “keys to the kingdom,” it’s imperative that you don’t let your employees pick whatever is easiest for them to remember. That’s an easy way to get your systems hacked and sensitive information stolen. What’s easiest to remember for us is also easiest for someone to guess.
One note about hacking that I want to be clear on. As you may have noticed from all the breaches that have been reported lately, the best hackers don’t let you know they’ve gotten into your systems. There is no big pop-up, no notice that files have been saved to someone else’s computer, and no suspicious activity (as far as you can tell). The hackers are just sitting there grabbing your sensitive information. If that has happened to Fortune 500 companies with dedicated staff, who do nothing but secure computer systems and networks, let’s be honest, what chance does your small business stand? Passwords are one of your first lines of defense. However, in client after client that we are brought into, their password lists make it all too clear that anyone trying to access their systems from the outside could very quickly luck into a password that would get them access inside the network.
One very simple way to help protect your systems is to have a password policy. This policy needs to be given to everyone in your company currently and emphasized to new employees when they are first hired. And it also needs some consequences behind it if it is found to be violated. Don’t just assume your employees will automatically abide by it, because it will mean just a bit more work for them to stay compliant. But for far too long we’ve taken security for granted in small business, and we are paying a massive price already. So many small businesses are breached by hackers, but, because there aren’t any obvious signs right away, they don’t know it until something catastrophic happens. You think because you’re small your data isn’t valuable. But hackers know that your resources and technical knowledge are very limited, so you’re an easy mark.
Here’s what our typical policies contain:
– Your password must be a minimum of 8 characters, have at least one uppercase letter and at least one number or symbol.
– It cannot contain your name or birth date or a spouse or child’s name.
– Passwords must be changed every 90 days.
– You cannot use the same password for multiple services (e.g., computer login and your email).
– A lockout policy that locks a user’s account after 5 invalid login attempts. This prevents hackers from trying different passwords over and over again.
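One way to check a candidate password against the composition, personal-information and 90-day rules in the list above, as an added example (not code from this post or from Parkway Tech). The function names, the look-alike character table and the sample employee data are assumptions made for illustration, and the name matching is a heuristic.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
# Assumed table of common look-alike substitutions, undone before name matching
# so that "J@ne" is still recognised as "jane".
LEET = str.maketrans("@4831!05$7", "aabeiiosst")

def _letters(text):
    """Lowercase, undo look-alike substitutions, keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def _date_forms(d):
    """Digit strings a birth date commonly takes inside a password."""
    return {d.strftime(f) for f in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")}

def check_password(password, names, birth_dates, last_changed, today):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(not c.isalpha() for c in password):
        problems.append("no number or symbol")
    # Names of the user, spouse or children, compared with symbols stripped.
    squeezed = _letters(password)
    if any(len(_letters(n)) >= 3 and _letters(n) in squeezed for n in names):
        problems.append("contains a personal name")
    # Birth dates, compared against the digits of the password only.
    digits = re.sub(r"\D", "", password)
    if any(form in digits for d in birth_dates for form in _date_forms(d)):
        problems.append("contains a birth date")
    if today - last_changed > MAX_AGE:
        problems.append("older than 90 days")
    return problems

if __name__ == "__main__":
    # Constructed sample employee record, not real data.
    names, dob = ["Jane", "Robert", "Emily"], [date(1985, 3, 14)]
    for pw in ("Jane", "J@ne!2024#", "Summer031485!", "Copper-Lantern-Orbit-42"):
        print(pw, check_password(pw, names, dob, date(2024, 3, 1), date(2024, 4, 1)))
```
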
The best password is really a combination of several words, if the service you are using allows longer passwords. This combination is even better than something complex that is tough to remember. So, for example, Moonlightmakesmeveryhappy is a better password than Zolf$8072.
And to keep track of all these passwords, your employees will need a password manager (not sticky notes or a physical notebook at their desk!). There are several good ones out there, but we have one that allows you to share passwords amongst your team members, if needed, and track to make sure that passwords are in compliance. And it’s very affordable compared to other solutions out there. Best of all, your employees get easy-to-use software to manage their passwords that will let them fill in their login information with just a click on most websites.
With all the threats out there, make sure you take these steps now to start securing your sensitive information. Implementing a password policy is a simple step your firm can take to keep sensitive information out of the wrong hands. If you’d like some help with this, reach out to us. We’re here to make sure that your firm has the necessary policies in place to keep your computer systems and network secure.
Parkway Tech offers technology management, help desk services, and strategic IT consulting to law firms and legal practices across North Carolina.