Security for Life: How to Implement a Strong Password Policy


Our Security for Life Campaign continues with the launch of our Business Security e-book. Covering topics from why computer security is important for your business to staff password policies, the e-book gives business owners a broad outline of the factors they need to consider when securing their business data.

The following extract comes directly from the Business Security e-book, which you can access in full here.

Password policies

If you want to secure your business computer network, a strong password policy is important. Your passwords control individual access to your network and your company data, so anyone accessing this network should have their own unique username and password. Not only do unique user IDs prevent unauthorised access to your network, they also help you identify who is accessing what: should data be compromised, the first thing you will do is check who within your company has accessed it.

If you have a domain or a Microsoft small business server, then its group policy is the best place to define your password policy. However, if you don't have one of these, you'll need to define your own IT policy. Let's look at how that can be achieved.

Centralise your passwords

There are two schools of thought regarding passwords: have your IT department set the passwords and do not allow individuals to change them, or allow employees to set their own. Most believe the former is the safer option, as employees left to themselves will just choose '12345678' or 'password'. However, impose a complicated password such as 3hg6ZwK, and your employees will be more inclined to break security protocol and write it down to remember it. Some choose a middle ground, allowing employees to choose their own passwords but setting strict parameters: e.g. they must be a certain length, contain upper and lower-case letters, and include at least one non-alphanumeric character.

Unfortunately, there really is no consensus on which method is the most appropriate - yet it is agreed that complex passwords using these kinds of parameters are the safest, so any employee-choice password policy should not involve a completely free selection.

Whatever method you choose, you need to make sure you have a centralised record of what all the passwords are, and ensure that an individual's password is required to access anything on the company network.

By setting up a unique user ID, you can also set controls on the types of changes users can make to their computers, including preventing amendments to the operating system or the downloading of particular file types. This will help you keep control on the security of your network.

Two-factor authentication

Two-factor authentication (TFA) is a form of security whereby any user is required to input two different types of secure information in order to gain access to a network. The username-password combination is augmented by an extra layer of security concerning something that only the individual would have - often taking the form of a physical token.

Modern banking groups use TFA when they issue customers with hardware that generates a personal identification number for online banking access, and other companies add card readers and key fobs to their network access protocols for that extra layer of security. In each case, access is only permitted when the user both has something in their possession and remembers a piece of information. With the increasing prevalence and capability of smartphones, their use as the physical token in TFA is also likely to increase.

Change culture

Whatever passwords are set, it's important to put in place a system of regular change to all your account passwords. Experts recommend changing passwords at least every 60 days.
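For a business without a domain group policy, the parameters from "Centralise your passwords" (length, mixed case, a non-alphanumeric character, no trivially guessable choice) and the 60-day change interval above can be enforced in a small script. This is an added example, not code from the e-book; the minimum length of 10, the 14-character generated length and the blocklist entries beyond the two the text names are assumptions.

```python
import re
import secrets
import string
from datetime import date, timedelta

# Assumed policy parameters: the e-book names the kinds of rule, not the numbers.
MIN_LENGTH = 10
MAX_AGE_DAYS = 60  # the rotation interval the e-book recommends

# The two weak choices the text warns about, plus two constructed extras.
BLOCKLIST = {"12345678", "password", "qwerty", "letmein"}


def policy_violations(password: str) -> list:
    """Return every rule the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    if password.lower() in BLOCKLIST:
        problems.append("on the blocklist of common passwords")
    return problems


def generate_compliant(length: int = 14) -> str:
    """An IT-department-set password: random, and re-drawn until every rule holds."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def rotation_due(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the change interval."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for pw in ["password", "3hg6ZwK", "Correct-Horse9"]:
        print(pw, "->", policy_violations(pw) or "compliant")
    print("generated:", generate_compliant())
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 3, 2)))
```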
