Are Weak Passwords Putting Your Business At Risk?
If your employees are using weak passwords, it’s potentially putting your entire business at risk. Weak passwords are like having no lock or a cheap lock on your house.
Small companies in particular face a steady stream of problems stemming from weak passwords, especially when passwords are shared between employees.
According to the Verizon Business Data Breach Investigations Report, an astounding 97% of data breaches are due to weak passwords, as well as outdated software versions. Other research shows two out of three data breaches are the result of poor passwords.
Your security as a startup or small business is ultimately only as effective as the passwords that protect the accounts your employees use.
Simply understanding the threat of weak passwords is already a step in the right direction.
Beyond recognizing that there is a problem, the following are some of the things every business, no matter its size, should know about passwords and the risks weak ones create.
According to one survey on the pain created by dealing with passwords, nearly 70% of respondents said the process to set up and remember passwords is frustrating. We all experience this frustration, not just in business and work but in our personal lives.
Users have to remember so many logins, and as a way of dealing with that, it’s common to use the same password across accounts and devices. While this is the path of least resistance for employees, it also makes them and your business vulnerable to hackers.
A 2020 survey found the average computer user has more than 100 password-protected accounts.
IT admins in a business setting face a dual challenge. They need to find the best ways to get end users to create strong passwords, and they have to do it with strategies that don’t hinder employee productivity or create excessive frustration.
There’s something else that complicates the issue even further.
Historically, user identities lived on-site, often in a directory service like Active Directory. Because an identity was only used to access machines on-premises, the exposure was limited.
Now, user accounts are accessible from anywhere, cementing the idea for hackers that the fastest and easiest way to compromise networks is through user identities.
Trying to Enforce Strong Passwords
Once IT admins and businesses as a whole caught on to the risks of weak passwords, they started taking steps to enforce strong ones. They began enforcing password requirements. Those passwords had to be longer and more complex and also frequently changed.
Training end users was a good place to start, and of course doing something is better than nothing in this situation. Even so, new challenges started arising.
IT admins found that employees struggled to remember and manage the highly complex passwords needed for proper security.
So what came from that realization? The growing use of IAM platforms.
IAM Platforms to Manage Password Complexity
IAM stands for identity and access management. IAM capabilities in a modern solution can include Directory-as-a-Service (DaaS), which lets you configure password complexity requirements that are then enforced across all systems or only for specific user groups.
Good IAM strategies and tools will also use multi-factor authentication.
Overall, benefits of identity and access management include:
- IAM is a set of not only systems but also processes and policies that manage digital identities in a simplified and streamlined way that’s also secure.
- IAM uses Single Sign-On (SSO), password management, profile management, and Multi-Factor Authentication (MFA).
- Three core concepts are part of IAM: identification, authentication and authorization. The goal is to give users the correct access in a secure way.
- As we talked about above, employees who reuse passwords aren’t trying to create a cybersecurity risk intentionally. Instead, they have password fatigue: they want to do their jobs without constantly forgetting overly complex passwords. With IAM tools, IT admins can create a single digital identity for every user, so users don’t have to manage dozens of business accounts to reach the applications and resources they need. When an IAM system is in place, the end user can access networks no matter their location or device, and with Single Sign-On specifically, users can access their cloud-based applications too.
- Your IT team will be more productive in addition to other employees because they’ll be dealing with fewer password-related issues.
- We’ve talked about this throughout this guide, but IAM solutions help improve security across all systems, applications, devices and platforms. Then, if security violations are happening, it’s easier to identify them. You can also revoke access privileges that aren’t appropriate or whenever needed.
- Your security team will have an easier time granting access based on the principle of least privilege. IAM systems usually make this easy through automation.
- Regulatory compliance is improved with IAM, including HIPAA and GDPR compliance.
What Else Can You Do for Password Security?
Along with an IAM solution that has SSO and a password manager, you still need to have and enforce a password policy. Your password policy should be comprehensive and customized to the needs of your business and your employees.
If, for example, you allow remote network access, that will affect how you create a password policy. Similarly, if you handle sensitive information subject to regulatory compliance, you need to make sure your password policy covers everything relevant.
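As an added illustration (not code from the original article or any particular IAM product) of the group-based complexity enforcement described under DaaS above and of a policy that tightens for remote access or regulated data, here is a small per-group password policy evaluator. The group names, rule values and sample passwords are constructed for the example.

```python
import hashlib, hmac, re, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int        # minimum characters
    require_classes: int   # how many of lower/upper/digit/symbol must appear
    history_depth: int     # how many previous passwords may not be reused
    require_mfa: bool = False

# Constructed example policies: a baseline plus stricter rules for groups with remote
# access or regulated data. A real IAM platform would hold these as configuration.
POLICIES = {
    "default": PasswordPolicy(min_length=12, require_classes=3, history_depth=5),
    "remote-access": PasswordPolicy(min_length=14, require_classes=3, history_depth=10, require_mfa=True),
    "phi-handlers": PasswordPolicy(min_length=16, require_classes=4, history_depth=24, require_mfa=True),
}

def strictest_policy(groups):
    """Strictest value of each rule across the user's groups (unknown groups use default)."""
    chosen = [POLICIES.get(g, POLICIES["default"]) for g in groups] or [POLICIES["default"]]
    return PasswordPolicy(
        min_length=max(p.min_length for p in chosen),
        require_classes=max(p.require_classes for p in chosen),
        history_depth=max(p.history_depth for p in chosen),
        require_mfa=any(p.require_mfa for p in chosen),
    )

def _digest(password, salt):
    # Slow salted hash so a stored history entry cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def record_password(password):
    salt = secrets.token_bytes(16)   # (salt, digest) to append to the user's history
    return salt, _digest(password, salt)

def evaluate(password, groups, history, mfa_enrolled):
    """Return the list of violations; empty means accepted. history: (salt, digest) pairs, oldest first."""
    policy = strictest_policy(groups)
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < policy.require_classes:
        problems.append(f"only {classes} character classes, policy needs {policy.require_classes}")
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in history[-policy.history_depth:]):
        problems.append("reuses one of the user's recent passwords")
    if policy.require_mfa and not mfa_enrolled:
        problems.append("group requires MFA enrollment before a password change is accepted")
    return problems
```

A user in several groups gets the strictest rule from each, which is how a single DaaS-style policy can stay relaxed for most staff while tightening for the remote-access or regulated-data groups.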
Employees need to be well-trained and educated on password safety, and they need to understand the power of a hacker gaining access through passwords.
For the upcoming new year, password management and enforcement, along with the implementation of IAM solutions and strategies, should be things you prioritize. These shouldn’t just be IT priorities, but whole-of-organization priorities. Without taking password security into account, your business could face serious trouble ahead.