5 Tips for Good Password Management in Business

Login credentials are valuable — especially for cybercriminals. The number of phishing and other hacker attacks aimed at getting company passwords has increased significantly since the beginning of the Covid pandemic. It is therefore all the more important to introduce good password management for your business - both for employees and for customers.

Cybercrime with Login Credentials at a Record High

A sad record: Cybercrime has been at its peak since the beginning of the Covid pandemic. The Sophos Phishing Report 2021 documents a whopping 70 percent increase in phishing attacks since the beginning of 2020. Also, the Verizon Business 2021 Data Breach Investigations Report (DBIR), which we covered in our article Cyber crime 2021: Online Crime at Record Level Thanks to Covid, showed a 60 percent increase in credential cyberattacks. These numbers show that password security is an important factor in protecting yourself and your customers against cyber attacks.

Password management: What Should Companies Keep in Mind?

Despite a record high in cyber attacks, little has changed in terms of password laziness. According to an evaluation by Nordpass, "123456", "Password" or "qwerty" are still among the top 10 passwords worldwide in 2021. Choosing such a weak password is already negligent in the private sphere, but in business it can have far more serious consequences. So good password management is particularly important - for you, your employees, but also for your customers! Our tips for good password management:


#1 Password Strength: Clear Guidelines for Choosing Passwords

Make sure that there are clear password guidelines for all employees in your company. In principle, passwords should be at least eight characters long, and preferably 16. Never use words - and certainly not your company name - for your passwords. And make sure that the password consists of a combination of upper and lower case letters, numbers and special characters. Also, never use a password twice: always use a different one for each account.

Password Creation Tip:

Use sentences instead of words and form the password from the first letters, numbers and characters. For example, “My first child was born on 03/11/14 at 9 am!” becomes something like “Mfcwbo311149am!”. Then you can increase the security by replacing a few letters with numbers and/or special characters: Mfcwb@311149@m!
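As an added illustration (not code from the article), the following Python snippet encodes the rules above: the sentence-to-password derivation, the letter-substitution step, and the length, character-class, word and reuse requirements. The derivation rule is one reading of the tip and therefore yields a slightly different string than the article's example; the dictionary words and the company name "examplecorp" are constructed placeholders.

```python
import hashlib
import re

# Constructed demo lists (not from the article); use a real dictionary in practice.
DICTIONARY_WORDS = {"password", "welcome", "summer", "qwerty", "letmein"}
COMPANY_NAMES = {"examplecorp"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.?/\\|<>'\"~`")
SUBSTITUTIONS = {"a": "@", "o": "0", "s": "$", "i": "1", "e": "3"}

def from_sentence(sentence: str) -> str:
    """First letter of each word, numbers kept whole, trailing punctuation kept."""
    out = []
    for token in sentence.split():
        out.append(re.sub(r"\D", "", token) if token[0].isdigit() else token[0])
        if token[-1] in SPECIALS:
            out.append(token[-1])
    return "".join(out)

def substitute(pw: str, count: int = 2) -> str:
    """Swap the first `count` substitutable letters (crackers try these swaps too; length matters more)."""
    out, done = [], 0
    for c in pw:
        swap = done < count and c in SUBSTITUTIONS
        out.append(SUBSTITUTIONS[c] if swap else c)
        done += swap
    return "".join(out)

def fingerprint(pw: str) -> str:
    """Reuse-register value; plain SHA-256 for the demo, use a slow salted hash in production."""
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(pw: str, used_fingerprints: set) -> dict:
    """Apply the article's rules: 8 characters minimum (16 recommended), all
    four character classes, no dictionary or company words, no reuse."""
    errors, warnings = [], []
    if len(pw) < 8:
        errors.append("shorter than 8 characters")
    elif len(pw) < 16:
        warnings.append("shorter than the recommended 16 characters")
    classes = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit,
               "special": lambda c: c in SPECIALS}
    for name, test in classes.items():
        if not any(test(c) for c in pw):
            errors.append(f"no {name} character")
    for word in DICTIONARY_WORDS | COMPANY_NAMES:
        if word in pw.lower():
            errors.append(f"contains the word '{word}'")
    if fingerprint(pw) in used_fingerprints:
        errors.append("already used for another account")
    return {"errors": errors, "warnings": warnings}
```

Run `check_password(substitute(from_sentence("My first child was born on 03/11/14 at 9 am!")), set())` to see the full pipeline pass with no errors.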

#2 Train Employees and/or Clients

In addition to your employees, you should at least suggest password specifications to your clients. Do this especially if you co-manage accounts as a service provider, such as Google or Apple accounts, access to shopping or content management systems, as well as customer relationship management tools, Amazon or Etsy accounts and so on.

It is also important to train employees and clients about cybercrime, especially when it comes to phishing: if such an attack is successful, not only the login data of personal or company accounts can be affected - cyber criminals also use phishing to install malware.

What is Phishing?

Phishing is made up of the words “password” and “fishing” and basically means fishing for passwords. Cyber criminals create emails that look like they come from another company (banks, telecommunications providers or online shops such as iTunes or Amazon are particularly popular) and try to lure the recipient to a fake website so that they enter their login details there. However, phishing emails can also contain links to malware that is intended to be installed.

#3 Properly Manage Access Rights

If an employee leaves the company or moves to another position, it must be ensured that their access rights are adjusted accordingly. An automated system that manages access rights and accounts and updates them as soon as there is a change is advisable for this.

#4 Two-Factor Authentication

For access to particularly sensitive company data, you should rely on two-factor authentication. This means that in addition to the password, another input is required for access, for example a code, a temporary password or a fingerprint.

Note:

In our understanding, 2-factor authentication is mandatory in accordance with the requirements of Art. 32 of the EU GDPR (“Security of processing”) for systems that process personal data.

#5 Think about Using a Professional Password Manager

A professional password manager can be individually tailored to each company and bring order to the password chaos. It manages all login credentials, syncs them automatically and can help generate strong passwords. Recommending a password manager can also be useful for clients – especially if you are a service provider or freelancer and look after sensitive accounts.

Strong Passwords and Good Security

Even if you create your passwords according to the latest rules and train your employees and clients, there will never be a 100 percent guarantee when it comes to cyber security. In addition, cyber criminals are adapting to new requirements and developments and are constantly developing new methods to get at your data. That’s why Professional Indemnity Insurance provides an important “safety net” in the event that your business does end up being targeted by cybercriminals.

Professional Indemnity Insurance from exali with the First-Party Cyber and Data Risks Insurance (FPC) add-on protects your business if you become the victim of a phishing or hacker attack with malware or ransomware. The insurer not only pays the costs incurred in restoring your IT systems, but also for hiring experts (e.g. computer forensic analysts or specialised lawyers) or for crisis management.