For years, regular password changes were not only encouraged but required throughout businesses; many organizations believed they were not secure without this rule. However, evolution in security practices and in cybercrime has challenged the status quo of password security, and it is now common for companies to question the value of frequent password updates. Why? Long story short, forced rotation is not as secure as we thought. Here are three reasons to rethink it and what to do instead.
1. Outdated Security Method
Not only have password update requirements been around for years, but the basic rule of changing them every 30-90 days was set based on the time it was thought to take for a cyberattack to occur. The flaw here is that hackers don't wait this long. Cyberattacks happen almost instantly, with a hacker needing as little as 39 seconds to strike. This means an attack can already be under way between one password change and the next, so the rotation schedule does little to reduce the exposure of your company network.
2. Higher Hacking Predictability
We're all familiar with standard password requirements. They typically say that a password must be eight characters or more in length and contain at least one uppercase letter, one special character and one number. They're embedded in thousands of platforms and used by companies everywhere. Although users abide by these requirements, it's human nature to choose passwords that are easy to remember, which usually results in meeting only the minimum requirements. Not only are hackers familiar with these standards, but when it comes to updating passwords, they also know that it's much easier for a user to make a small tweak to an existing password (changing one digit, for example) than to create an entirely new one. This predictability increases your vulnerability to phishing, ransomware and other types of cyberattacks.
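A defender can catch the predictable "small tweak" described above at password-change time. The check below is an added example written for this article, not code from the original post: it treats a new password as a trivial variant of the old one when the two match ignoring case or reversal, when they share the same core after stripping the leading/trailing digits and symbols that users typically bump, or when the edit distance between them is tiny. The thresholds are assumptions to tune per policy.

```python
import re

def _core(pw: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols, the characters
    users most often bump when forced to rotate (e.g. 'Winter2023!' -> 'winter')."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_tweak(old: str, new: str, max_edits: int = 2) -> bool:
    """Return True when `new` is a predictable mutation of `old`.

    Intended for a password-change handler that still holds the old password
    in memory (assumption: the check runs before the new password is hashed).
    """
    o, n = old.lower(), new.lower()
    if o == n or o == n[::-1]:               # same word, or simply reversed
        return True
    oc, nc = _core(old), _core(new)
    if len(oc) >= 4 and len(nc) >= 4 and (oc in nc or nc in oc):
        return True                          # Winter2023! -> Winter2024!
    return _edit_distance(o, n) <= max_edits  # Passw0rd -> Password
```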
3. High Cost & Low Reward
A single password reset costs a business an average of $70. Although this doesn't seem catastrophic, multiply that number by the number of employees in your company. For perspective, at $70 per employee a business of 100 employees will spend an average of $7,000 on a single company-wide password update. It seems like a smart security investment, right? Not exactly. It's labor intensive for IT teams: between 30% and 50% of all IT call requests are for password updates. Companies also often make the mistake of storing passwords in multiple places, which is not only dangerous but creates unnecessary work for security teams. Plus, the more often your business requires password updates, the more likely employees are to forget their passwords, which circles back to lost productivity.
What to Do Instead
1. Invest in Security as a Service (SECaaS)
Since compromised passwords are one of the most common methods of cyberattack, it's important to secure your business with end-to-end protection. That's where Security as a Service (SECaaS) comes in. It safeguards company information by reducing vulnerabilities in your network and endpoints. Implementing solutions such as email security, Security Information and Event Management (SIEM) and Intrusion Prevention and Detection Systems (IPS/IDS) can keep your network and data safe.
2. Use Multi-Factor Authentication
This falls under the SECaaS umbrella and is a must-have for company protection. Instead of constant password updates and manual IT assistance, implement multi-factor authentication throughout your entire business. Multi-Factor Authentication (MFA) is a multi-step login process that adds extra security layers to your accounts and devices. The additional factor can be a text message, a fingerprint, security questions, or a one-time code. It takes employees through extra steps that are quick and far more secure than constant password resets. Using it increases efficiency and makes it much harder for a stolen password alone to compromise your network.
3. Implement a Password Management Policy
This is a similar concept to establishing a cybersecurity culture in your business, because it keeps your company organized and safe. Educate employees on the do's and don'ts of password creation. This means requiring strong passwords that are long, contain numbers and symbols and are very difficult to guess. It's human nature to choose passwords that are easy to remember, and it's tempting to use the same password for multiple accounts, but both habits are detrimental to your business.
Instead, use a password manager for higher security and better organization. This way, you only need to remember one strong password rather than multiple weak ones, and you're still using a different password for every account. Also make sure your systems can deny access, or impose a timeout, after a certain number of failed login attempts. This will help you better monitor your network, detect possible malicious activity and determine whether an employee needs login assistance.
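The lockout and monitoring behaviour just described, as an added example written for this article rather than code from the original post: a small guard that locks an account after a set number of failures inside a sliding window, refuses even a correct password while the lockout lasts, and records audit events a security team can review. The log format, thresholds and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failures tolerated inside WINDOW (assumed policy)
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=15)

# Constructed log format: "<iso-timestamp> auth FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> datetime when lockout expires
        self.events = []                     # audit trail for the SOC / help desk

    def locked(self, user, now):
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        return user in self.locked_until and now < self.locked_until[user]

    def attempt(self, user, src, ok, now):
        """Apply one login attempt; returns 'locked', 'allowed' or 'denied'."""
        if self.locked(user, now):           # a correct password does not unlock
            self.events.append(f"{now.isoformat()} LOCKED-ATTEMPT user={user} src={src}")
            return "locked"
        if ok:
            self.failures[user].clear()      # success resets the failure window
            return "allowed"
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > WINDOW:     # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            q.clear()
            self.events.append(f"{now.isoformat()} LOCKOUT user={user} src={src}")
        return "denied"

def replay(log_lines):
    """Feed constructed auth log lines through the guard and return it."""
    guard = LoginGuard()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            guard.attempt(m["user"], m["src"], m["result"] == "OK", datetime.fromisoformat(m["ts"]))
    return guard

SAMPLE_LOG = [f"2024-05-01T09:00:{s:02d} auth FAIL user=alice src=203.0.113.7" for s in (1, 5, 9, 14, 20)]
SAMPLE_LOG += ["2024-05-01T09:00:30 auth OK user=alice src=203.0.113.7",     # refused: locked
               "2024-05-01T09:05:00 auth FAIL user=bob src=198.51.100.4",
               "2024-05-01T09:05:10 auth OK user=bob src=198.51.100.4"]       # one slip, then fine
```

The `events` list is what you would forward to a SIEM: a LOCKOUT followed by LOCKED-ATTEMPT from the same source is the pattern worth a look, while a single failure followed by success is usually just a typo.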
Do not avoid password updates entirely. Passwords should still be updated occasionally, and whenever you suspect one has been exposed, but not so often that it disrupts business security and efficiency. Remember that password security and maintenance don't have to be tedious. With the right tools, such as cloud security, and proper protocols in place, cyberthreats are far easier to avoid.