7 Tips for Keeping Kids Safe Online for #CyberAware Month

For National #CyberAware month, we are offering 50% off the Keeper Family Plan with code “NSCAM”.


Today’s youth are often called “digital natives” because they are so comfortable with living online. But much as we may admire their proficiency with their devices, we shouldn’t forget that security is probably not top of mind.

Innocent young minds don’t grasp the concept of identity theft or understand the consequences of a ransom attack. In recognition of National Cyber Security Awareness Month, here are some things you can do to keep them – and your entire family – safe.

Keep family computers in an open area. This allows you to monitor what’s on the screen and to check back on activity later. In particular, keep an eye on chat sessions, which is where predators lurk.

Be sure security software is installed and updated. At the very least, you need anti-malware and anti-spyware packages. A password manager is also a good idea for creating and saving passwords that can’t easily be compromised by hackers.

Give children their own accounts on shared computers. This enables you to limit the software they can access and to define unique controls on each account.

Don’t permit kids to download and install software without your oversight. Free software downloads are a primary medium for spreading spyware.

Use parental controls in web browsers. These enable you to block unsafe sites, disable potentially malicious scripts and review browsing history to see what your kids have been doing when you weren’t watching. Here is a good guide to implementing parental controls in major browsers.

Have a talk. Remind kids of a few basic protections. Never click on unknown links. Never open email attachments. Never respond to chat messages from people they don’t know. Never “friend” strangers. Don’t bully others and alert parents if they suspect they are the targets of a bully.

Have logins to kids’ social accounts such as Facebook, Snapchat and anywhere else private conversations go on. This not only enables you to keep an eye on what they’re doing but to spot malicious activity by others that’s directed at them.

For additional protection you can install activity monitoring software that keeps detailed records of everything that happens on your computer. Examples include Cyber Patrol, Cybersitter, Net Nanny and SpyAgent. But if you follow the advice above, you probably don’t need additional protection.

Above all, stress to your children that your monitoring and cautionary steps are for their protection. Even if they don’t understand the risks that are out there online, they know that you have their best interests in mind.

Q&A with Benjamin Caudill: Five Most Vital Cybersecurity Considerations for the SMB

Benjamin Caudill, a veteran penetration tester, has broken into organizations, large and small, just about everywhere. In doing so, he has exposed security vulnerabilities and numerous pathways for hackers to do their worst to unsuspecting businesses.

Caudill, who was dubbed a ‘deadly force that could easily penetrate and exploit a firm’s most private files’, was always on the right side of the law – a good guy whose cyber hacking is intended to strengthen cyber defenses. Today he is also founder and CEO of Seattle-based Rhino Security Labs, where he still does penetration testing as well as application security assessments.

We recently asked Caudill to list the most vital cyber security considerations for the SMB, based on his extensive hands-on experience. Here’s what he said.

Ignore the basics – at great risk. With security, certainly in the SMB, probably 80% of the attacks and threats can be mitigated by 20% of the protections that should be in place. These aren’t the sexy ones either. They are the basics, like password control, patch management, defining policies, educating all employees about being cautious about opening emails they can’t identify, and not making your WiFi public. These basics are usually inexpensive, even free at times. Attending to basic security principles will make it very hard for the everyday hacker. Many of the successful attacks we have analyzed result from one or more of these basics simply not being followed or in place. Don’t be overwhelmed as an SMB when you read about the really big guys getting breached. They have their own problems. For the SMB, basics can and do make a big difference.

Attackers follow a path of least resistance. If you leave a door open at home, it’s not like it takes a lot of sophistication to break in. Attackers are very opportunistic. Valid email addresses, a company website, and seemingly common things can be used for malicious purposes like hosting illicit content or sending spam emails. I see it very commonly, from start-ups to big companies, that the sense is ‘well, we aren’t a hospital or credit card company, and therefore who’d want to hack into us?’ In the huge Home Depot breach a couple years ago, one famous quote attributed to company managers when employees asked for advanced security training was, “We sell hammers.” But what was stolen was data on 56 million credit cards. That mentality is seen in all sorts of companies, certainly in SMBs.

Security goes beyond the technology. In reality, technology is a minority of what the overall cyber security focus should be. People, process and culture are what matters most. We worked with a large start-up whose culture was very open in every sense. Our penetration testing showed they were just Swiss cheese when it came to information security. They pretty much had all the technology in place. But you could walk in off the street and just about stroll into the data center. There was no badging, no questioning of people. Technology was not the problem. It was their culture as it pertained to security. Do you in the SMB know what people, based on their specific roles, should have access to what data? We see that many if not most security problems are people or process problems. Employees must understand why security is mission-critical, and also understand their specific role in promoting it. That kind of message has to come from the top.

Know your data. We see situations where all data is protected equally, and that is not right. If you don’t know the value of your data and what is most valuable, you won’t protect it properly. As the saying goes, if you protect your toothbrushes like you protect diamonds, you are going to lose a lot more diamonds! Also, you must know where your data is going. Are you sharing credit card information with an overseas partner? Do you know what their security protocols are? Which governing body there is in charge should something go very wrong with that data? There is an important data sensitivity and criticality process that needs to be followed, and all too often we see this acknowledged only after a major breach.

Don’t go it alone. We typically rely on specialists for everything from building houses to doing our taxes. Doing security alone is risky. Yes, the IT department can take care of firewalls and some intrusion prevention measures. But for total cyber security the SMB needs third party specialists. They have the resources, people and experience to analyze and advise. Look for a partner that really puts two-way communications at the forefront of your relationship. Don’t worry about vertical market expertise, which is maybe 5% of the security equation. And talk to your peers to see whom they like.

Password Management Is Much More Than an IT Problem

Two years ago the CIO at Quest Credit Union had no problem extending responsibility for password management beyond just the IT department. That’s because C-suite executives were already using a password management solution for personal use. Thus getting the organization aligned with an enterprise password management solution was almost automatically a shared responsibility.

There are many compelling reasons why small and mid-sized businesses (SMBs) absolutely must make password management an organization-wide effort, not just an issue delegated to IT. Unfortunately in many SMBs today, this responsibility is left entirely with IT. In doing so, these organizations run the greater risk of failing to build a risk-aware culture across the organization – an effort aimed at ensuring every employee knows exactly why cybersecurity is mission-critical today.

The landmark Ponemon Institute study, State of Cybersecurity in SMBs, which polled some 600 SMBs, found that 71% of respondents emphasize password protection and management as important. Surprisingly, in 60% of these businesses IT has no visibility into employee password practices. In SMBs that do have password policies, 65% do not strictly enforce them.

Could the reason be that IT alone does not have the weight or influence to affect password policy enforcement?

A recent report from PwC piles on even further. In its Global Economic Crime Survey 2016, PwC says that all too often non-IT executives are more than willing to pass the buck to IT when it comes to cybersecurity in general, of which password management is a key element.

This is wrong, PwC maintains, adding that responsibility for all aspects of cybersecurity “must be embedded within an organization’s culture.” Non-IT executives must “incorporate cybersecurity into their routine risk assessments and communicate the plan up, down and across organizational lines,” PwC states.

Juliet Maina, an attorney who frequently writes on cybersecurity and the law, suggests that non-IT executives may put their organizations at risk if they cannot show a concerted effort to involve themselves in cybersecurity strategy, including password management. “Cybersecurity is and needs to be acknowledged as an executive level concern,” she notes. “As the leader of a company, one ought to be aware of the defense strategies that are in place, and ensure that holistic approaches are taken towards ensuring security and the protection of investments. This top-down approach is crucial for success.”

With password management being a key element of an overall cybersecurity strategy, what can be done in practical terms to begin to shift the responsibility for such strategies to a broader coalition of C-suite managers? As it turns out, IT can take the lead in this important, company-wide effort.

Educate, don’t scare. Many C-level executives shun cybersecurity involvement and responsibility because they don’t fully comprehend the supreme value of data in their own organizations – and therefore the dangers of a breach or attack. It’s easy to see why matters like data compliance and regulation might not interest them. Your job as the IT leader is to put those matters in proper context. Non-compliance, breaches and attacks have very real and very costly consequences. The PwC report shows that only 37% of organizations have a management-backed cyber incident response plan in place. Now is the time to distinguish your SMB from the majority of companies where senior management is a silent partner in password management and cybersecurity.

Cybersecurity is mostly about people. Ask most C-level SMB executives if their companies are protected and they’ll likely answer, “Sure. We got firewalls and antivirus stuff.” As the IT leader you know the reality is that it is human error, or deliberate acts by employees, that are at the root of cybersecurity challenges. Getting senior management firmly behind a comprehensive password management strategy is one of the fastest ways of reaching virtually every single employee with a powerful, unified message that cybersecurity is everyone’s responsibility. When senior management endorses and funds such a password management strategy, every worker becomes responsible and accountable for cybersecurity.

Cybersecurity is not a one-off. It is one thing to get senior management involved in a password management and general cybersecurity strategy, and another to keep them involved. That’s why part of the education of the C-suite is the message that security is an ongoing, evolving endeavor that needs regular review meetings. These are best led by IT leaders, who are well suited to put changes to the threat environment in concrete business terms. It is this periodic engagement with senior management that can ensure password management and cybersecurity is never again considered ‘just an IT problem.’

20 Fascinating Facts about Passwords

1) These five user passwords accounted for 3.2 million of the 130 million accounts that were stolen in the Adobe hack of 2013: “123456,” “12345678,” “Password,” “Adobe123” and “12345678.” source

2) An analysis of 11 million stolen passwords for cloud services conducted by Skyhigh Networks found that just 20 passwords constitute 10.3% of all passwords in use.

3) The minimum password length experts now recommend to avoid being compromised by brute-force cracking is 13.

4) In 2012, password-cracking experts unveiled a five-server clustered computing environment powered by 25 graphics cards that could cycle through 350 billion password guesses per second. That means it could try every possible Windows passcode in a typical enterprise in less than six hours. There is no record of anyone building a faster machine since.

5) About 40% of organizations store privileged and administrative passwords in a Word document or spreadsheet.

6) It would take a typical brute-force password cracking program 12 years, four months and 16 days to unscramble the random eight-character password “z7S69s@9.” Source

7) The same password would have taken a cracker built with 1990 technology 6,495 years.

8) In 2020 it’ll take about 9 years, six months and 18 days.

9) Experts believe a quantum computer will be able to do it in less than five seconds.

10) When people are asked to include a number in a password, the majority simply add a “1” or a “2” at the end.

11) Two-thirds of people use no more than two passwords for all their online accounts. Source

12) The top 10 most-used password list has barely changed in the last five years.

13) Experts say a great technique for creating a secure password is to use the first letter of each word in a phrase (esagtfcaspitutfloewiap). Mixing in a single random symbol (!*$@) dramatically improves security.

14) Thirty percent of phishing emails get opened. Source

15) Nine out of 10 phishing emails carried ransomware in March, 2016. Source

16) Many experts now believe that frequent password changes actually worsen computer security because people tend to choose minor variations of their current passwords so they’ll be easier to remember.

17) This is a list of the 10,000 most frequently used passwords. If any of yours are on it, your account will be compromised in seconds by any of the most common dictionary-based cracking tools.

18) Retail was the most-targeted industry for phishing attacks in the first quarter of 2016 by more than a two-to-one margin over any other industry. Source

19) An eight-character password using only upper- or lower-case characters has 200 billion potential combinations. Source

20) An eight-character password using a combination of upper- and lower-case characters has 53 trillion billion potential combinations. - Source

Proposed New York Cybersecurity Rules Merit Our Attention

Regulators in New York State are proposing tough new restrictions on banks that could require them to spend millions of dollars on cyber security protection. We recommend you keep an eye on this proposed legislation in case it becomes a model for other states and industries.

Among the measures in the proposed regulations, which are open for public comment until Nov. 13, are requirements that banks hire a chief information security officer and implement technology to detect cyber intrusions and protect customer data. The proposal contains required minimum standards and allows companies to assess their own risks to some degree. One thing that will get the attention of top executives is that board officers or senior compliance officers will be required to certify the controls are adequate, implying that they may be personally liable if they aren’t.  

The proposed regulation by the New York State Department of Financial Services (DOFS) doesn’t say how the rules would be enforced or what the penalties would be, but it notes that regulated entities “will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.” The annual re-certification rule indicates that regulators are taking this initiative seriously.

Why should you care, particularly if you aren’t a New York-based financial firm? There are several reasons:

  • The DOFS is responsible for more than 1,000 New York-based banks, insurance companies and other financial services companies, including some of the largest financial firms in the world. It also regulates several large foreign banks, including Deutsche Bank and Barclays. Some of these companies are global in scope, and it’s a safe bet that the security policies they adopt at the corporate level will trickle down to subsidiaries in other regions and industries.
  • By making board-level officers directly accountable for security practices, New York regulators are attempting to raise security awareness to the highest levels of the organization. What happens in banking will impact other industries as well, particularly since many directors serve on multiple boards.
  • The DOFS didn’t create this proposal in a vacuum. Regulators took pains to point out that they solicited input from more than 200 regulated banking institutions and insurance companies. It also met with a cross-section of those companies, as well as cyber security experts, to determine the most effective course of action. Three reports resulted, which you can find here.

Not everyone is thrilled with this proposal, and there’s no guarantee it will survive in its current form. But the task of implementing substantive change in the way corporations secure customer data has to begin somewhere, and lower Manhattan is a pretty good start. If these regulations are effective in reducing the incidence of breaches at financial institutions, it’s likely other industries will take note as well.


How Password Crackers Work and How to Stay Protected

Cracking a password may seem like a next to impossible task, but you’d be surprised how easy it can be. There are dozens of password cracking programs on the market, each with their own special recipe, but they all basically do one of two things: create variations from a dictionary of known common passwords or attempt every possible combination using a method called a brute force attack. Let’s look at how each technique works and how to protect against them.

It’s important to understand at the outset that professional password crackers aren’t looking to log in to your PayPal account. That process is slow to begin with, and most services will lock out repeated login attempts anyway. Rather, the pros work against password files that they download from breached servers. These files are usually easy to access from the root level of most server operating systems or are maintained by individual applications. These files may be protected with weak hashing or encryption algorithms, which are not much of an impediment to the determined hacker.

Once criminals obtain a password list they can take as many shots as they like to break it. Their goal generally isn’t to crack an individual password, but to run tests against the entire file, knocking down their targets one by one. Modern graphics hardware makes this incredibly fast. For example, some commercial products can test trillions of passwords per second on a standard desktop computer using a high-end graphics processor.

This table of password recovery speeds is truly scary. It shows that a seven-character password composed of upper and lower case letters and digits has 3.5 trillion permutations. While that may sound like a lot, today’s speedy desktop computers can test all of them in an hour or two. An engineering workstation, or several PCs strung together, can finish the task in 10 seconds.

Let’s look at the two most common password-cracking techniques.

Dictionary Crack

This technique uses lists of known passwords, word list substitution and pattern checking to find commonly used passwords, or those that are discoverable with a bit of personal information. It isn’t difficult to find lists of compromised passwords. Sites like PasswordRandom.com publish them, and much larger lists are available on the dark web at little cost. A criminal can probably unlock 10% to 20% of a password file using just the 10,000 most common passwords. In fact, it has been estimated that about 75% of online adults have used one or more of the 500 most popular passwords.

After decrypting the password file, a dictionary attack uses text strings and variations thereof to test different combinations. For example, many people append numbers to their names or user names, which may be stored in plain text. If a user named Robert has the password “Robert123,” a dictionary attack will figure that out in seconds. The software simply cycles through every possible combination to identify the ones that work.

If a little information is known about people in the database, the job is even easier. For example, people frequently use the names of children, addresses, phone numbers, sports teams and birthdays as passwords, either alone or in combination with other characters. Since most people append characters to the end of the password, it’s easy for dictionary cracks to cycle through all of those likely possibilities. Social media is an attacker’s dream. People freely post personal information in their profiles or tweet repeatedly about the sports teams or celebrities they follow. These are natural paths for a dictionary crack to pursue.


Brute Force Crack

This is just what it sounds like: a technique to reveal those stubborn passwords that can’t be unlocked by a dictionary. Today’s multi-core processors and graphics processing units have made brute force tactics more practical than they used to be. Machines that can be purchased for less than $1,000 are capable of testing billions of passwords per second. Short passwords are easiest to guess, so attackers typically use brute force tactics to unscramble the five- and six-character passwords that didn’t yield to the dictionary approach, a process that might only take a few hours. For longer passwords, brute force and dictionary techniques may be combined to narrow the realm of possible combinations. Some brute force cracking software also uses rainbow tables, which are lists of known codes that can sometimes be helpful in reverse-engineering encrypted text.

How vulnerable are password files to brute force attacks? In 2013 the tech news site Ars Technica gave an editor who had no experience with password cracking a list of 16,000 encrypted passcodes and challenged him to break as many as possible. Within a few hours, he had deciphered nearly half of them. The same list was then given to some skilled hackers, one of whom cracked 90% of the codes in about 20 hours.


Some Good News and Some Bad News

If some of the statistics cited above are intimidating, rest easy. The biggest problem with password protection is that many people don’t use strong passwords. The laws of mathematics dictate that longer passwords are harder to break than short ones, and passwords that contain random combinations of characters are more secure than those that conform to a known pattern. A 13-character password that mixes alphanumeric characters and punctuation symbols is considered impractical to break with today’s technology.

Unfortunately, few people can remember a random 13-digit string of characters, much less multiple strings for different logins. Equally unfortunate – from a security perspective – is that computers are getting faster and cracking algorithms are getting better. Five years ago, an eight-digit password was considered strong enough. Five years from now, 18 digits may be too weak.
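The keyspace arithmetic behind the speed table above (and behind facts 19 and 20 in the password-facts list earlier on this page), together with the dictionary-style checks a defender can run before accepting a password, as an added Python example that is not from the original article. The common-password set is a constructed stand-in for the 10,000-entry list the article mentions, the 350 billion guesses/second rate is the one quoted on this page, and the `policy_findings` helper and its thresholds are assumptions of mine.

```python
import string

# Character classes a password policy (or a cracker's mask) can draw from.
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,           # 10 characters
    "symbols": string.punctuation,     # 32 characters
}

# Constructed sample of a "most common passwords" list (assumption: a real
# deployment loads the full 10,000-entry list the article refers to).
COMMON_PASSWORDS = {"123456", "12345678", "password", "adobe123", "qwerty", "letmein"}

# Guess rate quoted on this page for a 25-GPU cracking cluster.
GPU_CLUSTER_RATE = 350e9


def keyspace(length, classes):
    """Number of strings of exactly `length` drawn from the union of `classes`."""
    alphabet = set()
    for name in classes:
        alphabet.update(CHARSETS[name])
    return len(alphabet) ** length


def seconds_to_exhaust(length, classes, guesses_per_second):
    """Worst-case time for an exhaustive (brute-force) search of that keyspace."""
    return keyspace(length, classes) / guesses_per_second


def classes_in(password):
    """Which character classes a password actually uses (what a mask attack would assume)."""
    return [name for name, chars in CHARSETS.items() if any(ch in chars for ch in password)]


def policy_findings(password, username=None, min_length=13):
    """Reasons a password would fall quickly, in the order a cracker reaches them:
    a straight dictionary hit, then cheap mangling of a word or the user's own
    name, then a keyspace small enough to exhaust outright."""
    findings = []
    lowered = password.lower()

    # 1. Straight dictionary hit.
    if lowered in COMMON_PASSWORDS:
        findings.append("in common-password list")

    # 2. The "Robert123" pattern: a name or dictionary word with digits/symbols
    #    appended. Strip the suffix and re-check the stem.
    stem = lowered.rstrip(string.digits + string.punctuation)
    if stem != lowered:
        if username and stem == username.lower():
            findings.append("username with appended characters")
        elif stem in COMMON_PASSWORDS:
            findings.append("common password with appended characters")

    # 3. Too short for its alphabet: the 13-character floor recommended on this
    #    page, and an assumed bar of "exhaustible within a day" at the quoted rate.
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if seconds_to_exhaust(len(password), classes_in(password), GPU_CLUSTER_RATE) < 86400:
        findings.append("keyspace exhaustible in under a day")
    return findings


if __name__ == "__main__":
    alnum = ["lower", "upper", "digits"]
    print("7-char alphanumeric keyspace:", keyspace(7, alnum))
    print("seconds to exhaust at 350 billion/s:", seconds_to_exhaust(7, alnum, GPU_CLUSTER_RATE))
    for pw, user in [("Robert123", "Robert"), ("123456", None), ("k7$Qm2!vLw9#pRt", None)]:
        print(pw, "->", policy_findings(pw, user) or "no findings")
```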

This is where password management software is valuable. Password managers store passwords of any length and can regularly generate new passwords without the user having to bother to remember them. They can also be protected by two-factor authentication, which is considered to be almost unbreakable in any context.

By the way, in case you’re wondering why password-cracking programs aren’t illegal, it’s because there are perfectly valid and legal reasons to use them. Security professionals employ these tools to test the strength of their own software, and password crackers are widely used by law enforcement agencies to fight crime. As with any technology, these tools can be used for evil, as well as for good.

5 Cybersecurity Tips For Small and Medium Sized Businesses

Today, the attention of both IT and business managers in organizations of all sizes is fixed on cybersecurity. The reason is simple: Absolutely no organization is immune to cyber attacks in an ever-growing threat environment.

This is particularly true for SMBs. A recent major study of some 600 SMBs unearthed startling findings that more than half of them had experienced a cyber attack in the last year. The origins of the attacks are many and varied, with Web-based attacks, phishing and general malware topping the list.

Managers at small businesses cannot be blamed for feeling helpless against the threats at a time when huge corporations and even government agencies cannot protect themselves. But the truth is, a few simple, common sense tips can and will go a long way to protecting your small business from attacks that are inevitable.

  1. Deploy a comprehensive password management solution. This has to be high on the to-do list, if not at the top. Why? Because all your employees use passwords. And research shows that, left to their own devices, most employees will do a poor job of proper, effective password management, thus leaving themselves and the business open to attack.

     For example, employees routinely use the same password for multiple online accounts. They also use simple, easy-to-remember passwords that are very easy to hack.

     Carefully chosen, a password management solution should provide IT and/or the business owner visibility into the password habits and practices of employees. More importantly, the solution will help enforce correct password hygiene while improving employee productivity.

  2. Training is often the missing link. Cybersecurity awareness training is extremely effective in today’s threat environment. There is no excuse for omitting it in a small business because there are fewer employees to train. Training will educate employees on the most common vulnerabilities and attack points. Education should always carry a message of personal accountability so that everyone realizes they have a role to play in securing data and information assets.

  3. Cybersecurity is more than an IT issue. Security is more than just protecting computers and databases. It is about protecting the business. While one person should be responsible for security decisions, delegating cybersecurity in a small business to IT without company-wide support is often a mistake.

     It is the business and financial leaders that know what data needs the most protection. Seen this way, cybersecurity is a risk management issue which IT can help address as part of a coalition of company leaders. Security should be tied to business objectives. All this and more is outside the usual purview of IT by itself.

  4. Data, data, who’s got the data? How can any business know if its data is safe if it doesn’t know where data resides and how it is stored? That is often the case today, where various third party and cloud providers store business data for their clients. Always ask, “Where will my data be hosted? Who has access to it? What monitoring is in place to alert me of a breach or unauthorized use? What safeguards are in place to protect me against potential rogue employees at your site?” Also carefully vet the provider’s data encryption policies and procedures. And be sure all your data is encrypted before it is stored in the cloud or anywhere online.

  5. Hackers take the path of least resistance. Often the path of least resistance for hackers is employee-owned mobile devices. Don’t allow any unencrypted data on mobile phones, whether company-owned or BYOD. Device-based security policies, like those insisting that encryption be enabled at all times, can prevent illicit network access.

Remember: Solutions for complex security challenges don’t have to be complex.

Building a Strong Cybersecurity Posture with Personnel, Technology, and Education


Written by Guest Blogger, Patty Brogdon


When it comes to cyber threats, it is no longer sufficient to throw technology at the problem, as had been the practice a decade ago. Organizations today are increasingly aware that combining a multi-tiered approach to security is the best bet in keeping their critical assets protected against theft. Here are the top 3 initiatives to keep in mind while building your organization’s cybersecurity posture.


Hiring and retaining personnel skilled in cybersecurity is one of the top drivers for most organizations today. In fact, C-Level IT executives reported that “security is among the top technology initiatives driving IT investment (29%), nearly equal with cloud computing (30%) and big data/business analytics (27%),” according to the 2016 State of the CIO report from CIO.com.

Since the industry is predicting a shortage of IT security personnel, it is imperative that an organization focus their efforts on hiring the best and the brightest – but that may be a daunting feat. According to Computerworld’s 2016 IT Salary Survey there is a severe talent shortage: 23.2% of security pros (12.3% of all IT pros) said that they think the IT talent shortage is the biggest challenge facing the IT industry. Taking steps now to focus on attracting and hiring the best security personnel could go a long way in helping your security efforts down the road. And once you attract that top talent, be sure to pay them a salary commensurate with what the industry is paying.


Technology in the security space is one of the fastest growing sectors, as new technology is constantly being pushed out to address the latest threat. But be careful here – you don’t want a “patch-work quilt” for your cybersecurity posture; i.e., don’t just throw technology at a problem, make sure that you take a holistic approach to the technology you deploy.

For example, upgrading your traditional firewall with a Next Generation Firewall (NGFW) that has IDS/IPS, malware detection, and sandboxing might be a more strategic move than adding additional equipment to do those functions.


Educating your employees on security best practices is vital to the health of your organization’s security posture. Yet, most organizations do not have programs and training in place to educate employees on a consistent basis. This can (and does) have dire consequences.

Phishing attacks, where a hacker disguises themselves in an email designed to look legit, enticing a user to click on a link that contains malware, are numerous. And, they aren’t going away any time soon – simply because they work so well. According to the Ponemon Institute’s 2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB), phishing/social engineering (43 percent of respondents) were the most common type of cyberattack.

Educating employees and users on password best practices is another significant way you can protect your organization from malicious intruders. According to Verizon’s 2016 Data Breach Investigations Report (DBIR), “63% of confirmed data breaches involved exploiting weak, stolen or default passwords.” It is easy to see why – most users are so overwhelmed by the many passwords they must keep track of on a daily basis, they choose something simple that they can remember. And simple means hackable.

While educating users on proper password hygiene is a must, you can supplement this education and training with a password management solution. Password management solutions can help to enforce password policies, improve employee productivity and enhance your business’s overall security posture.

10 Reasons Why Password Management Is Essential for Any Size Business



Password management software is great for consumers, but why is it essential for businesses? The answer is simple. A single breach of a corporate network can have consequences that affect the entire business and everyone who works for it, which means password management is more important today than it has ever been.

Password management software stores passwords securely so users don’t have to worry about remembering them. Here are 10 reasons why every business should make this software part of its security toolkit.

  1. People won’t use strong passwords voluntarily.

No one likes to create new passwords, so people tend to go with simple options that are easy to remember. Unfortunately, that also makes them easy to guess. Today’s password-cracking software quickly cycles through common patterns and can even be customized to incorporate known information about the user. Passwords that were considered secure five years ago are easy targets today.

  2. People aren’t good at creating strong passwords.

A password isn’t considered secure unless it is at least 12 characters long and contains a random combination of numbers, symbols, uppercase letters and lowercase letters. Few people have the patience or skill to create unique passwords of that complexity for each account, particularly if they have to memorize them. Password managers have algorithms that automatically generate secure passwords and store them securely so users don’t have to remember.

  3. People use the same passwords repeatedly.

This is an understandable but also a dangerous practice. No one can remember dozens of unique passwords, so people tend to use the same ones again and again. That can be catastrophic in a business environment. It means that a single password compromise can open the gates for intruders to log on to multiple services, stealing information from each one along the way. Using a password management program ensures that users can easily apply different passwords to each service, thus limiting the damage should any one of them be compromised. In addition, password management solutions can monitor password usage and alert management and the employee when good password hygiene is not being practiced.

  4. Lost passwords are a major time sink for help desks.

Experts recommend against storing passwords in unencrypted files or on paper notes, which means that users must commit them to memory. Not surprisingly, people forget. That’s why Gartner has estimated that up to 50% of help desk calls at some companies are for password resets, with an average cost per reset of about $70, according to Forrester Research. You can imagine how quickly those costs add up.

  5. Password changes are easily recorded.

Many online services ask their customers to regularly change their passwords. This is a sound security practice. Unfortunately, it also creates the need for users to note those new passwords somewhere. Some will invariably fall through the cracks. Password managers help employees manage password changes and updates.

  6. Browser-based password management isn’t secure.

Most browsers today have a built-in basic function that offers to remember passwords. The problem is that browser-based solutions typically don’t have a strong focus on security. Without a password management policy, many users will default to using whatever the browser offers, leaving their credentials effectively out in the open.

  7. Password managers protect against phishing attacks.

Phishing attacks are one of the most effective ways cyber criminals steal login credentials. Phishing emails appear to come from legitimate services but actually direct recipients to bogus login screens set up solely to capture their passwords. Most people are prone to phishing attacks, but password managers aren’t. If the domain name doesn’t match the record within the password manager, it won’t serve up a password.

  8. Password managers can sync to the cloud.

People need to log in to services from a wide range of devices, including desktop computers, phones, tablets and even public computers. There is no reliable, convenient or secure way to carry around those credentials other than by using a password manager. Quality products provide apps for all major mobile platforms as well as desktop and website access.

  9. They support multi-factor authentication.

Two-factor authentication (2FA) requires users to supplement passwords with a second form of identification, such as the answer to a challenge question or a PIN code sent to their phone. Leading password managers provide various two-factor authentication methods, which add an extra layer of protection for everything stored in your password manager.

  10. You can monitor compliance and spot problems.

The best password policies in the world are of no use if people ignore them. Enterprise password management systems give IT departments visibility into their employees’ password practices so administrators can identify and resolve non-compliant behavior. A single compromised password can lead to disaster. With audit and reporting controls, that need never happen.
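The domain-matching rule behind reason 7, as an added Python illustration (not Keeper’s code): a saved credential is offered only when the page’s host is the saved site or a subdomain of it, and never on a plain-http downgrade, so look-alike hosts, user@host tricks and homograph domains get nothing. The vault contents are constructed, and the “strip www.” rule is a simplification of the public-suffix matching a real manager uses.

```python
from urllib.parse import urlsplit

# Constructed sample vault: site URL as saved by the user -> username.
VAULT = {
    "https://www.example.com/login": "alice",
    "https://bank.example.org": "alice@example.org",
}


def _split(url):
    """urlsplit that tolerates a bare host such as 'example.com'."""
    return urlsplit(url if "://" in url else "https://" + url)


def _norm(hostname):
    # .hostname is already lower-cased and has any user@ prefix removed;
    # a trailing dot ("example.com.") names the same host.
    return hostname.rstrip(".") if hostname else None


def should_autofill(stored_url, page_url):
    """True only when page_url is the site the credential was saved for."""
    stored, page = _split(stored_url), _split(page_url)
    s_host, p_host = _norm(stored.hostname), _norm(page.hostname)
    if not s_host or not p_host:
        return False
    # Refuse to send a credential saved for https to a plain-http page.
    if stored.scheme == "https" and page.scheme != "https":
        return False
    # Simplified site identity: drop a leading "www." and accept the
    # site itself or any of its subdomains. Suffix matching on "." + base
    # means "example.com.evil.net" is NOT a match for "example.com".
    base = s_host[4:] if s_host.startswith("www.") else s_host
    return p_host == base or p_host.endswith("." + base)


def credential_for(page_url, vault=VAULT):
    """Username to offer for page_url, or None when no record matches."""
    for url, user in vault.items():
        if should_autofill(url, page_url):
            return user
    return None
```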

Consider how many of these scenarios apply to your business.

4 Best Practices to Strengthen Security Through Employee Awareness and Education



Security managers clearly understand the consequences of poor information security practices, but they often find it difficult to change employee behavior. Employees typically see security as a nuisance and, as a result, take the path of least resistance.

Making security a top-of-mind issue for employees involves a combination of education and behavior modeling. Here are some approaches you can use to raise awareness.

  1. The media reports on major breaches almost daily. Make sure your employees see these reports and understand the consequences of poor security practices. Publish a regular email newsletter listing the most recent incidents and include advice on good security practices.
  2. Communicate the importance of security in as many vehicles and as many times as possible. Send a quarterly reminder under the name of your CEO or CIO. Post best practices and lists of the worst passwords in common areas like coffee stations and near restrooms.
  3. Top executives set the standards for their organizations, so make sure they are on board with your security awareness initiatives. Annual reports and meetings on the health of the business should include updates on the company’s security progress. Ask top executives to kick off your security seminars.
  4. You should consider rewarding employees who attend security training, change passwords when requested, and share news and advice on your intranet. Financial rewards are not necessary; a simple certificate or newsletter recognition is enough.