Securing Your Suppliers: Building the Right Password Policy
Organizations rely on passwords to ensure security. Yet according to Verizon’s 2020 Data Breach Investigations Report (DBIR), over 80% of hacking-related breaches involve the use of lost or stolen credentials.
The problem has only gotten worse in the wake of coronavirus, when businesses have been forced to require their employees to work from home. This sudden need for increased remote access has raised the risk of password abuse and credential-related attacks.
Working with supply chain partners exacerbates the problem, because if your vendor credentials get breached – so do you. The massive data breach at Target, for example, started as network credentials that were stolen from a refrigeration, heating and air conditioning subcontractor.
How can you ensure a secure supplier password policy? Here are a few tips:
1. Add two-factor authentication.
2FA requires users to provide a secondary authentication, such as a security token or a biometric factor, as well as a password. As such, it often uses a combination of something you have and something you know. This adds an additional layer of security, reducing the risk of hackers accessing sensitive data.
2. Have employees use a password manager.
As the number of passwords increases, the only truly realistic way to keep track of them all is with a password manager.
3. Train employees not to use personal information.
Everything including their primary school, address, birthday, company name and hometown should be off limits. All this information could be publicly available, and they may even have many of these details on social media profiles. In fact, any word that is found in the dictionary should not be used as a password.
4. Strive for longer and more complex passwords.
Cracking a common password like “qwerty,” “password,” or “abc123” can be accomplished in less than one second. Compare that to a 16-character password that uses a combination of random capital and lowercase letters, numbers and symbols, which would take centuries to crack.
5. Prevent password reuse across company platforms.
Employees should not use the same password across multiple sites. If a hacker breaches one account, then all the other accounts that use that password on could be compromised as well.
6. Ensure passwords are changed on a regular basis.
Using the same password for a long period of time increases the risk. It is a best practice to change passwords at least every 90 days and not to repeat prior passwords.
Companies can check if any of their employee credentials have been compromised in a breach through sites like Have I Been Pwned or https://authlogics.com/. If credentials have been compromised, then change them immediately on any sites they are used on.
7. Create additional safeguards.
Make sure to add a mechanism that will lock the user in case of multiple password attempts. At the same time, there should be a mechanism to avoid denial-of-service attacks, where an attacker will attempt to lock out everyone in the company.
Good password security is the first step in securing and protecting both enterprise and vendor data from hackers. One way to check this is by using Panorays’ questions to assess the security of vendors that work from home.
This is the second in a series in honor of National Cybersecurity Awareness Month (NCSAM) and is dedicated to helping organizations guide suppliers with their cybersecurity.