What happens when an employee goes rogue? If they have passwords to business accounts, they can cause a lot of harm in a short time. Do you know how to protect against this?
Can You Protect Yourself Against A Rogue Employee?
A disgruntled employee can mean more than a bad review on Glassdoor.com – with access to your data, they can cause a lot of damage. That’s why password management solutions and policies are so important.
At first glance, the thought of an internal threat posed by a business’ employees can seem laughable, especially to managers and business owners. They know their staff members, right?
These are people that see each other every day. They get drinks after work here and there. They ask each other about their lives. How likely could that kind of security threat really be?
An “inside job” – it can seem more akin to a bad Lifetime movie, or a schlocky thriller plot.
But the reality? It’s far more common than you could imagine.
The Reality Of Malicious Employees
The fact is that other security threats – malware, ransomware, phishing, viruses, etc. – simply have more traction with the public’s attention than an insider threat does.
WannaCry was one of the biggest cybercrime stories of the century, and will likely hold on to that title until the next external-threat-based incident makes the news.
Because it makes more sense.
It’s easier to imagine a lone hacker sitting in a basement, targeting a business with their home-brewed cyber weapons than it is to think about what a disgruntled employee might do once they build up the nerve – whether you’re working with a Colorado Springs IT company for cybersecurity, or managing your passwords on your own.
The fact is that insider threats are one of the more common security threats, and often cost the most to fix after the fact. According to the Ponemon Institute’s Cost of Inside Threats Study and Insider Threat Report:
- Of 874 reported incidents, 191 were caused by malicious employees
- 53 percent of polled companies estimated their remediation costs at $100,000 or more, and 12 percent estimated more than $1 million
What Makes Rogue Employees So Dangerous?
You’re not going to like the answer, but you need to hear it…
You (and your weak password policies) make your employees a serious threat.
The fact is that no matter the circumstances under which an employee is fired, if they still have your passwords, they can take revenge and do serious damage.
Try as you might to terminate someone on good terms, ultimately, how they react is out of your control. What you can control is their access to your systems and data.
That’s why password management is so important…
What Is Password Management?
Despite the fact that passwords are the most direct way to access a user’s private information, most passwords in use today are not considered to be strong or complex enough – and even if they are, they aren’t updated often enough!
Passwords protect email accounts, banking information, private documents, administrator rights and more – and yet, user after user continues to make critical errors when it comes to choosing, protecting and managing their passwords.
How Often Should You Change Your Passwords?
That’s a good question.
Too rarely and you’ll find yourself threatened by ex-employees.
Too often and you’ll be wasting time with the update process, and constantly resetting passwords for employees that aren’t keeping up.
Let’s ask a few experts…
“For your corporate network account? Several times a year. […] Then use a strong, unique password on those, and change it regularly.”
– Mikko Hypponen, Chief Research Officer, F-Secure
“Passwords I use more often, over the Internet and are in sensitive sites are changed 2-3 times a year.”
– Harri Hursti, independent security researcher
Furthermore, the Better Business Bureau recommends changing passwords on a monthly basis – but some consider this to be too often.
As noted by the National Institute of Standards and Technology, the tendency to change passwords too often has had a negative effect on password security. Users have countless passwords to keep track of, and so they take other risks (simple passwords, writing them down on sticky notes, etc.) to keep up.
The bottom line is that changing your passwords too often is not the answer to protecting yourself against rogue employees – so what is?
Three Keys To An Effective Password Management Policy
Instead of forcing your staff to change their password every 30 days, the better way to maintain password security is to implement a few best practices as part of a documented, company-culture-centric policy:
- Well Defined Employee Dismissal Procedures
Instead of relying on regularly changed passwords to keep disgruntled employees out of your systems, you should have password management directly integrated into the personnel change process. Think about it: even if you change passwords every 30 days, on the first of the month, what happens when you fire someone on the second day of the month? They still have access for another 28 days! It’s smarter to simply include password management tasks as part of their dismissal. Just as you inform payroll to no longer pay the terminated employee, you should also tell your Colorado Springs IT company to update any passwords that employee had access to.
- Password Strength
It’s common that passwords are required to include uppercase letters, lowercase letters, numbers, and special characters. Consider using a passphrase—which is when you combine multiple words into one long string of characters—instead of a password. The extra length of a passphrase makes it harder to crack.
For a more secure passphrase, you’re encouraged to combine multiple unrelated words to create the phrase, for example, “goldielittlelamb3pigs.”
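The following added example (not code from the original article or the IT company it describes) puts numbers on the claim that length beats complexity. It estimates how many bits an attacker must search for a short “complex” password versus the page’s sample passphrase, first against a plain brute-force attacker who only knows the character classes in use, and then against a smarter attacker who knows the phrase was built from a word list (the 7776-word Diceware list size is an assumption used for illustration, as is the one-billion-guesses-per-second cracking rate):

```python
import math
import string

# Character classes a brute-force attacker must cover once they know the
# secret contains them. string.punctuation is the 32 printable ASCII symbols.
_CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), 32),
)


def charset_size(secret: str) -> int:
    """Size of the alphabet an attacker must search if they only know
    which character classes the secret uses."""
    size = 0
    for _name, members, count in _CLASSES:
        if any(ch in members for ch in secret):
            size += count
    return size


def brute_force_bits(secret: str) -> float:
    """Search-space size in bits against an attacker trying every string
    over the inferred alphabet: length * log2(alphabet size)."""
    size = charset_size(secret)
    if size == 0:
        return 0.0
    return round(len(secret) * math.log2(size), 1)


def wordlist_bits(num_words: int, list_size: int = 7776) -> float:
    """Search-space size in bits against an attacker who knows the phrase is
    `num_words` words drawn at random from a list of `list_size` words
    (7776 is the size of a standard Diceware list; assumed for illustration)."""
    return round(num_words * math.log2(list_size), 1)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a search space of 2**bits."""
    return 2 ** bits / guesses_per_second


def compare(password: str, passphrase: str, passphrase_words: int) -> dict:
    """Side-by-side estimate for a password and a passphrase."""
    return {
        "password_bits": brute_force_bits(password),
        "passphrase_bits_brute": brute_force_bits(passphrase),
        "passphrase_bits_wordlist": wordlist_bits(passphrase_words),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the article's own example phrase and a
    # typical 8-character "complex" password.
    result = compare("P@ssw0rd", "goldielittlelamb3pigs", passphrase_words=4)
    for name, bits in result.items():
        print(f"{name}: {bits} bits")
    # Assumed offline cracking rate of one billion guesses per second.
    for name in ("password_bits", "passphrase_bits_brute"):
        years = seconds_to_exhaust(result[name], 1e9) / 31_557_600
        print(f"{name}: about {years:.1e} years to exhaust")
```

The point the numbers make: an 8-character password drawn from all four classes gives roughly 52 bits, while the 21-character lowercase-plus-digit passphrase gives over 100 bits against brute force. Against an attacker who knows the phrase is four dictionary words, the protection drops back to the word-choice entropy, which is why the article’s advice to pick unrelated words (and, better, random ones) matters more than adding symbols.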
- Password Managers & MFA
These programs store all of your passwords in one place, which is sometimes called a vault. Some programs can even generate strong passwords for you and keep track of them all in one location, so the only password or passphrase you have to remember is the one for your vault. The downside of using a password keeper program is that if an attacker cracks your vault password, then he or she knows all of your passwords for all of your accounts. Ask a Colorado Springs IT company and they’ll tell you – the benefit of a password keeper program far outweighs this risk. A little research on the Internet should help you find the reputable password keeper programs.
Furthermore, Multi-Factor Authentication is a great way to add an extra layer of protection to existing system and account logins. 45% of polled businesses began using MFA in 2018, compared to 25% the year prior.
By requiring a second piece of information like a randomly-generated numerical code sent by text message, you’re better able to ensure that the person using your employee’s login credentials is actually who they say they are. Biometrics like fingerprints, voice, or even iris scans are also options, as are physical objects like keycards.
In the end, managing a strict password policy, creating strong passwords, and using password managers can be frustrating, but it’s incredibly important. If you’re unsure about implementing these procedures, you can get a little help from a Colorado Springs IT company.
Privacy and security are major concerns for personal users and businesses alike these days, and so you have to be sure that you aren’t making it easy for hackers to access you or your business’ private data.