“Never share your password with anyone”. If only. If you're like most people, your kid's friends have your Netflix password, your spouse has your work login information, and you've got the company WiFi password posted in the break room, even though you haven't set foot in the break room in months. So with such a laissez-faire approach to passwords, how do you convince your staff to guard their company passwords?
A recent survey by a cyber security firm found these startling statistics about the preferred methods for swapping corporate passwords.
It's unrealistic to think that your staff will never need to share passwords. It is realistic to expect your team to implement best practices when it comes to how they share passwords. Stolen passwords are the gateway for a whopping 80% of successful data breaches, so you really can't oversell the importance of keeping them secure.
There's a holy trinity of information thou shalt not share—credit card information, social security numbers, and passwords. Okay, you've always known that social security numbers were in the vault, but many people don't understand how a hacker can steal company information just by stealing your password. Remind your team that they don't need to know how electricity works to know not to put a hair dryer in the bathtub. The consequences of a security breach can be just as fatal for your business.
The conventional wisdom is that long random passwords with odd sequences of letters and numbers should keep you secure, but a password is only as secure as the people who have access to it. So when your team emails and texts passwords, the scammer's job gets a whole lot easier. As scary as a sticky note sounds, it's really the least dangerous way to share passwords. Verbal sharing is obviously best, but who can remember those sequences?
One way that an organization can add an extra layer of security is with multi-factor authentication (MFA). With MFA, a user can sign in to an account only after presenting two or more pieces of evidence to an authentication mechanism (usually in the form of a one-off 4-6 digit code).
Let your team know that there are acceptable ways to share passwords. As noted before, verbally is best, either in person or over the phone. Yes, over the phone is fine—the chances of a phishing bot hacking into your phones and being able to effectively deploy a stolen password are actually pretty slim. Without the other account information, the password just isn't useful.
Encrypted emails are a second line of defense in sharing passwords with colleagues. Encryption converts the plain text in an email to scrambled cipher text in cyberspace, but when the email lands in a colleague's inbox a second later, they are confirmed as a recipient with the same private "key", so they receive the email in plain text.
Your IT team can download open source software that will encrypt your email so that any information in it is secure. This software takes a bit of expertise to set up and configure, but it's definitely worth it in the long run.
You can also install software password managers with enterprise-level security. These applications let you store all the relevant data in a single vault that is password protected and encrypted. You can also assign account permissions to users, and allow them to share passwords as needed. Admins can also create groups within the password manager so that authorized users can share protected information automatically. In turn, admins can see who has accessed which passwords, and determine their security.
Insist that passwords are strong, ideally a string of random characters nobody can remember. In a perfect world, no actual words would be in the password. Every shared account should have a unique password—aAcmeTNT is not a great idea for every password in your company.
Desktop.com offers Team Password Manager and Security software to keep your confidential data secure. Password protection is only the tip of the security iceberg. Our solution offers comprehensive layers of security so that a bad actor never gets far enough to steal a password.
Our system has SSO (single sign-on) and monitoring for system abuse. SSO integrates with the Desktop.com dashboard so that your team only has to log in once. Additionally, our abuse monitoring checks any links that are saved to a Desktop.com account in order to protect users from potentially harmful content relating to the link or to the domain name within the link. Domain verification is another layer; only email addresses with certain verified domain names can get into the system. All data sent over public networks is encrypted, meaning that an eavesdropper out in cyberspace won't be able to get any useful information to help facilitate an attack.
Desktop.com makes it easy for remote or hybrid teams and agencies to streamline their digital workspace and client communications. Our all-in-one platform offers dedicated chat and video conferencing functionality alongside dashboards for all apps, links and passwords. With all key knowledge and people in one secure and well-organized place, you and the team can be more focused on growing the business.