Lessons in Cyber-Hygiene: Securing Employee Passwords

The human element remains a significant threat vector for institutions of all sizes, and management is well advised to take proactive steps to educate employees and implement effective “cyber-hygiene” policies that minimize the risks associated with the range of social engineering tactics, from phishing to inadvertent disclosures, as well as curb the opportunities for plain old mistakes. Password protection is among the most obvious areas for improvement in the world of cyber-hygiene.

In a recent survey of 750 IT administrators and company “decision makers” sponsored by CyberArk and conducted by Vanson Bourne, 40 percent of organizations reported using a Microsoft Word document or spreadsheet to store administrative passwords, and another 28 percent of those polled use either a shared server or a USB stick to store this sensitive information. Surprisingly, 67 percent of respondents felt their organizations had strong, secure cybersecurity leadership.

Even if an organization does not serve passwords on a “silver platter” in the form of a Word document or Excel spreadsheet, few implement the most basic security controls, including mandatory password changes and character requirements. Based on an analysis of over 2 million leaked passwords, the five most common are dangerously simple:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
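A password-acceptance check is the practical form of the two controls mentioned above (a denylist of known-leaked passwords and character requirements). The following is an added example written for this article, not code from CyberArk or the survey; the denylist holds only the five entries quoted above plus nothing else, and the minimum length of 12 and the three-of-four character-class rule are assumed policy values. It goes slightly beyond the list itself by also catching trivial dress-ups of a common password (capitalization, leetspeak substitutions, and trailing digits), since those are the variants users reach for first.

```python
import re
from dataclasses import dataclass, field

# Constructed denylist: the five most common leaked passwords quoted on the page.
# A real deployment would load a much larger leaked-password list instead.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345"}

# Assumed policy values (not from the page).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

# Common substitutions users apply to a weak base word; undone before the denylist lookup.
_LEET_TABLE = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s"})


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def normalize(password: str) -> str:
    """Lowercase and reverse leetspeak so 'P@ssw0rd' is recognised as 'password'."""
    return password.lower().translate(_LEET_TABLE)


def denylist_candidates(password: str) -> set:
    """Forms of the password that are compared against the denylist."""
    lowered = password.lower()
    # Drop trailing digits/punctuation so 'qwerty123' and 'password2019!' map to their base word.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, normalize(lowered), normalize(stripped)}


def count_character_classes(password: str) -> int:
    """Number of distinct classes present: lowercase, uppercase, digit, symbol."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def check_password(password: str) -> PolicyResult:
    """Evaluate a candidate password against the assumed policy; reasons are stable codes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if denylist_candidates(password) & COMMON_PASSWORDS:
        reasons.append("common_password")
    if count_character_classes(password) < MIN_CHARACTER_CLASSES:
        reasons.append("too_few_character_classes")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd2019", "qwerty123", "Correct-Horse-Battery-9"):
        result = check_password(candidate)
        print(f"{candidate!r}: accepted={result.accepted} reasons={result.reasons}")
```

The reason codes are returned rather than printed so the same function can feed a login form, a directory-service password filter, or an audit script run over a password dump; in an audit, counting how many accounts trip `common_password` is a direct measure of the gap the survey describes.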

As summarized by CMO of CyberArk, John Worral: “Organizations undermine their own efforts by failing to enforce well-known security best practices around potential vulnerabilities associated with privileged accounts, third-party vendor access and data stored in the cloud.”

While external threats may be unavoidable, organizations can take simple steps to minimize, or eliminate, obvious security risks from within. Taking steps, no matter how small, to teach employees basic “cyber-hygiene” in the area of password protection, including keeping administrative passwords out of the easy grasp of attackers, changing passwords frequently, and securing USB drives/sticks, will give your organization the best chance to minimize the “human element” among cyber-threats.