May 2017: In light of the recent WanaCrypt cyber attacks affecting businesses across the UK and the world, I’ve updated this post. It now reflects my most up-to-date advice for small businesses to keep their details safe online. Whilst the WanaCrypt attack is a form of ransomware and likely triggered by opening a malicious email, it’s a reminder to us all that good cybersecurity practice – including how you manage usernames and passwords – is something that applies to everybody. Even you.
Innocent-seeming emails can contain infected file attachments, links to websites hosting malicious code that can execute in dangerous ways, and phishing scams designed to obtain your credentials in order to impersonate you, your business and potentially steal or damage your data.
In the last few weeks, I’ve seen a flurry of activity about weak passwords, the top silly passwords from 2016 and all sorts of advice about how to keep your identity safe online. I also attended an event focused on cybersecurity and was amazed at the number of small businesses who’d fallen victim to some kind of attack (typically ransomware). In this post, I’ll cover my top 5 password security tips to help you and your business stay protected.
Password Security Tips
5. Pick a good password
I say good rather than strong because when people think of strong they default to difficult-to-remember and that leads to people doing silly things like writing their password down somewhere. Not good for password security! A good password is one that’s easy for you to remember, distinct from other passwords, difficult for attackers to guess and one that you won’t feel the need to write down.
There are some great online guides around that talk about how to make a good password from the BBC’s guide on using your favourite song lyric, to how to generate a super secure passphrase with a simple six-sided dice.
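The dice method mentioned above works by rolling a six-sided die several times and reading the rolls as a base-6 number that indexes into a word list; the strength of the result comes from the size of the list and the number of words, not from anything clever about the words themselves. The script below is an added illustration, not code from the original post or from any of the guides it links to. The 36-entry word list is constructed for the example (a real diceware list has 6^5 = 7776 words and needs five rolls per word), and the `secrets` module stands in for the physical die.

```python
import math
import secrets

# Constructed toy word list: 36 = 6**2 entries, so two dice rolls pick one word.
# A real diceware list has 6**5 = 7776 entries and uses five rolls per word.
SAMPLE_WORDS = [
    "apple", "badge", "cable", "daisy", "eagle", "fable",
    "giant", "habit", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "ocean", "panda", "quilt", "radio",
    "salad", "tiger", "ultra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "brick", "cedar", "delta",
    "ember", "flint", "grape", "honey", "ivory", "jolly",
]


def rolls_needed(wordlist_size: int) -> int:
    """Smallest number of d6 rolls whose outcomes can index every word."""
    k = 1
    while 6 ** k < wordlist_size:
        k += 1
    return k


def rolls_to_index(rolls: list[int]) -> int:
    """Read a sequence of dice rolls (each 1..6) as a 0-based base-6 index."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"not a six-sided die roll: {r}")
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(words: list[str], n_words: int = 6, rng=None) -> str:
    """Pick n_words words by simulated dice rolls using a CSPRNG."""
    rng = rng or secrets.SystemRandom()
    k = rolls_needed(len(words))
    # The list must be exactly 6**k long; otherwise some roll sequences would
    # have no word (or some words would be favoured), which biases the result.
    if 6 ** k != len(words):
        raise ValueError("word list length must be a power of six")
    chosen = []
    for _ in range(n_words):
        rolls = [rng.randint(1, 6) for _ in range(k)]
        chosen.append(words[rolls_to_index(rolls)])
    return " ".join(chosen)


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Guessing entropy of a passphrase: each word adds log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 4))
    # Six words from a full 7776-word list give about 77.5 bits.
    print(f"{entropy_bits(7776, 6):.1f} bits")
```

The `entropy_bits` function is the part worth internalising: a six-word phrase from a 7776-word list carries about 77.5 bits, and every extra word adds roughly 12.9 bits regardless of how unusual the words look.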
4. Never write your password down
It might seem obvious, but if you need to write your password down you really need to go back to #5 and pick a good password. Offices are littered with sticky notes containing usernames and passwords, Word documents on servers with everyone’s details, etc. It might seem convenient to have them all written down somewhere “just in case”, but it’s a huge password security risk and something many auditors pick up on immediately.
You might be thinking that an attacker wouldn’t have access to your desk or the file on your shared drive, so how would they be able to use that information?
Physical access is one thing, but if you have your password stored on your computer and you fall victim to a malware attack or your credentials are phished, those files can be compromised and could lead to your digital assailant getting access to more of your data than they’d otherwise get.
3. Tell nobody. Mum’s the word.
Nobody ever needs to know your password. Not even your best friend. If you’re ever asked for it, alarm bells should ring and you should always decline and ask for more information about why the person is asking.
IT administrators do not need your password to conduct their tasks – they can achieve what they need with the tools they have as administrators. Likewise, service providers such as your bank, favourite online shopping website, or social network never need to know your password. If you receive any kind of email, phone call, letter or any request to provide details of your PIN or password then always err on the side of caution and say nothing.
But hey, you’re running a business. You need to get things done. You need to be able to access a colleague’s data (such as their email). If this sounds like you, try utilising the features of the technology to enable this, rather than sharing usernames and passwords.
For example, Office 365 allows you to delegate access and create shared mailboxes so that users can have common access, such as in the case of an assistant managing the mailbox of their director. Also, Microsoft Azure AD allows you to provide access to SaaS applications (such as the company Twitter account) without needing to share passwords. It’s secure, safe, and simple.
2. Turn on multi-factor authentication (where possible)
Many services now support what’s known as “multi-factor authentication”, or “two-factor authentication”. This means something in addition to your username and password. It’s usually a code generated by an app on your smartphone or sent to you by text message to ensure that it’s definitely you accessing your account. The benefit is that even if someone steals your password, they won’t be able to sign in, because they can’t produce the one-time code that only your device can generate.
Facebook, Twitter, Microsoft, Google, Apple and many, many other service providers support these features. If you haven’t turned them on already you should go do it NOW! Or maybe after reading the rest of this post.
With the rise of fingerprint readers on smartphones, it’s even easier to approve login requests – you just need to swipe your phone and you’re in!
1. Consign “I forgot my password” to the history books
Often the number one request into IT helpdesks is to reset a forgotten password. Even if the other four points above have been followed, you’re only human and it’s normal to forget things. Having been the guy responsible for resetting passwords for people in the past, I can tell you that being able to give people the power to reset their own password is like a week of Christmas Days all at once.
Self-service password reset tools, such as those offered by Microsoft’s Azure AD Premium service, allow users to set some challenge questions (such as your mother’s maiden name, the city you were born in, etc.) that they can answer at any time in order to regain access to their accounts. There’s no need to phone anyone or write anything down, and it works any time of the day or night. All you need is access to the Internet through a web browser, and the answers to your questions, of course!
0. Only use trusted devices to access your stuff
You’ve probably got at least two devices that you use to run your business: a laptop and a smartphone. Maybe you’ve got a tablet and a desktop computer, too. You’re logging into your stuff on everything because it’s convenient, and who could argue with that?
When you’re using your devices, you’re in control. You know if they’re up to date, you know what software is installed, you know who else has had access. The same isn’t true for somebody else’s device. Before you log in on a different device give a thought to whose it is, whether it’s secure, and whether you trust the owner. Never save your password on shared or public devices, or on a device that isn’t yours. This is because there may be malicious software running on the device that is capturing your credentials and leaving you vulnerable to a cyber attack.