9 Password Security Policies For SMBs

Published: 22/11/2024   Category: security

Does your company have strong password practices? Here's expert advice on how to help SMB employees minimize risks.



A state-of-the-art security system won't much matter if a hacker gets hold of an employee's password. That's much more likely to happen if you take a laissez-faire approach--or none at all--to creating and protecting passwords.
Small and midsize businesses (SMBs) that struggle with information security because of resource constraints have particular reason to pay attention: Smart password practices require next to no budget. They don't need to take up much time, either, especially once your policies and procedures are in place.
"Password policy is something that's often overlooked, but it's an important part of keeping secure in an online world," said Morgan Slain, CEO of SplashData, in an interview. "It's something that SMBs can implement pretty easily."
Here are nine steps toward safer, stronger passwords--and toward keeping them that way--both in the real and mobile office.
Refresh the Fundamentals
1. Use complex passwords.
Whether you've been flying by the seat of your pants or are a full-fledged security wonk, go back to the basics. "Those are things that everyone tends to slack on," Slain said, because ignoring the obvious steps is easy to do.
[ Some lessons are learned the hard way. Read Zappos Breach: 8 Lessons Learned. ]
The first of those steps: Use complex passwords. That means a case-sensitive combination of letters, numbers, and special characters--at least eight in total. Because complex can sometimes mean easy to forget, Slain suggests using memorable phrases broken up by spaces, special characters, and/or numbers. "Those can create pretty robust passwords that are a lot easier to remember," Slain said.
2. Don't reuse passwords.
This one's a must, yet it remains a common danger. Employees who use the same password across multiple systems--often both professional and personal--to keep things simple can turn a minor, isolated issue into a major security breach. Slain points to the recent Zappos case that exposed external customer passwords as an example.
Unique passwords help stop the bleeding much faster if a password is leaked or stolen--otherwise access to a Twitter account can suddenly turn into bank accounts, health information, customer databases, and other sensitive areas. The bare minimum practice, Slain said, should be to not re-use credentials for sensitive applications such as financial information across less sensitive--and often less secure--areas such as a blog publishing tool.
3. Change passwords regularly.
It's the last piece of the holy trinity: Change your virtual locks regularly to further minimize risks. Slain recommends updating credentials at least every 60 days; better yet, do it every 30.
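As an added example (not code from the article or from SplashData), here are the complexity rule from step 1 and the rotation interval from step 3 expressed as a small policy checker an SMB could run against its own accounts. The eight-character, mixed-character-class and 30/60-day thresholds are taken from the text; the sample passwords and dates are constructed.

```python
import re
from datetime import date

# Thresholds as stated in the article.
MIN_LENGTH = 8
ROTATE_WARN_DAYS = 30   # "better yet, do it every 30"
ROTATE_MAX_DAYS = 60    # "at least every 60 days"


def policy_violations(password: str) -> list:
    """Return the complexity rules a password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Anything that is not a letter or digit counts as a special character,
    # so the spaces in a memorable passphrase satisfy this rule as well.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def rotation_status(last_changed_iso: str, today_iso: str) -> str:
    """Classify a credential's age: 'ok', 'warn' (past 30 days) or 'expired' (past 60)."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age > ROTATE_MAX_DAYS:
        return "expired"
    if age > ROTATE_WARN_DAYS:
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed sample credentials: a passphrase, a weak word, a short string.
    for pw in ("correct Horse-7 battery", "password", "Ab1!"):
        print(repr(pw), "->", policy_violations(pw) or "compliant")
    # Constructed last-change dates checked against a fixed audit date.
    for changed in ("2024-01-01", "2023-12-01", "2023-10-01"):
        print(changed, "->", rotation_status(changed, "2024-01-20"))
```

The passphrase passes every check, which is the point of Slain's advice: length and mixed characters, not memorization pain.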
Go Beyond Basics
4. Double-down on email accounts.
Slain thinks too many SMBs get lazy with their email passwords, leading to larger-scale problems. "Those are the holy grail for thieves," he said, particularly for online applications that use the ubiquitous Forgot Password feature. When a hacker gains control of employee email credentials, it can turn into an all-you-can-eat data buffet--particularly if those credentials were re-used across other systems. Email breaches can also lead to increased spear phishing and social engineering risks. Treat email with a similar level of caution as bank and other high-risk accounts.
5. Restrict application settings.
Particularly for online and mobile applications, it's a good idea to modify security and privacy settings to the most locked-down options. Be leery of new applications and consider using a secondary email address outside of the corporate system when testing or signing up for new online tools.
6. Consider a password wallet.
One password pitfall common inside SMB offices is password sharing among workgroups and team members. This can lead to weak security habits, both of the analog (Post-it Notes on the monitor, yelling passwords over the cubicle wall) and digital variety (passwords shared via email, IM, and related means). A password manager or wallet application built specifically for teams can automate and secure credentials for systems that require multi-party access. "That way it's easy to organize all of your different corporate passwords, keep them changed, and make sure everyone knows what those changes are," Slain said.
Manage the Mobile Morass
7. Use a device-lock app.
The mobile era has compounded the potential security threats inherent in password breaches. A lost or stolen device, for starters, can become a nightmare for the unprepared SMB. Begin by requiring--or at least strongly encouraging--staff to use a device-lock feature or app. Set it to time out automatically at one minute or less of inactivity.
8. Don't jailbreak or root phones.
This one's likely to be a particular concern for SMBs that encourage employees to bring their own device to work. Users who jailbreak their iPhone or root their Android device could be bringing increased security risks onto the corporate network. Consider a policy restriction that bans such devices for company use.
9. Fully exit apps.
Slain recommends users sign out and exit business apps when not in use rather than leaving them running in the background. That's a step that sounds easy but sometimes involves more than just closing the app, depending on the phone and its operating system. iPhone users, Slain points out, must double-click the bottom button, find the app in a list, tap its icon, and then tap the minus sign that appears.
The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)
