Last week Tom Pohl discussed the importance of ramping up cybersecurity measures prior to your busy Annual Enrollment season.
He provided a checklist to help you narrow down your efforts that included enhanced password controls. Let's dive into some password fails.
Here are some not-so-shocking facts:
- According to the Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
- According to LastPass, 59% of survey respondents reuse passwords and 95% share passwords with others.
- In a recent audit of passwords from a cybersecurity breach, 86% were still being used!
- The average cost of a data breach in the U.S. is $7.35 million according to IBM.
Not shocking you say? I encourage you to think about how many times you repeat a password across the various tools you use at your organization. Then think about how many times you repeat a password in your personal life for your email, your shopping accounts and even your bank accounts. When you think about it, most of us are guilty of using poor password practices to safeguard our information.
So let’s do better. There are several things you can do both personally and professionally to protect your information and that of your organization.
Enforce stronger password requirements
Do you know the most common password in the U.S.? 123456. Passwords like this should not be allowed in any system. At a bare minimum, passwords must include a combination of uppercase and lowercase letters, numbers and special characters, and must meet a minimum length (more than 10 characters is ideal). Also consider using a password manager to generate and store the passwords used across your organization.
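As an added illustration (not code from the post or from Businessolver), the check below encodes the rules just listed and rejects entries from a denylist of common passwords; the denylist contents and the function name are constructed for this example.

```python
"""Password-policy check implementing the rules stated above: length over 10,
upper- and lowercase letters, a digit, a special character, and no match
against a list of common passwords."""
import re
import string
from typing import Iterable, List

MIN_LENGTH = 11  # "more than 10 is ideal"

# Constructed sample denylist for the example. A real deployment would load a
# large list of common/breached passwords rather than hard-coding a handful.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "letmein"}


def check_password(candidate: str,
                   denylist: Iterable[str] = COMMON_PASSWORDS) -> List[str]:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    denylist = set(denylist)
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no special character")
    # Denylist comparison is case-insensitive and also strips a trailing run of
    # digits/symbols, so "Password2023!" is still recognised as "password".
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in denylist or stripped in denylist:
        failures.append("matches a common/breached password")
    return failures


if __name__ == "__main__":
    for pw in ("123456", "Password2023!", "Correct-Horse7Battery"):
        print(pw, "->", check_password(pw) or "accepted")
```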
Require password changes
As an organization, you should be enforcing password changes, but take caution in how often. There is much debate about exactly how often passwords should be rotated, because forcing changes too frequently leads people to pick weaker passwords. On average, it is recommended to change passwords 2-3 times a year. (This includes your personal passwords too!)
Make Multi-Factor Authentication mandatory
Multi-Factor Authentication (MFA) provides an extra layer of security by verifying a user’s identity in multiple ways. Traditionally it looks at three factors – something you know (password, security phrases, etc.), something you have (cell phone, email, etc.) and something you are (fingerprint, facial recognition, etc.). While enforcing the third option may not be realistic in your organization today, you should consider adding a second form of identification through SMS, Google Authenticator, or even email. At Businessolver we have MFA available to organizations who want to add an extra layer of security for their employees logging into Benefitsolver.
There are several things you can do right away to start enforcing higher caliber passwords and in turn protect your organization from a potential security breach. Want to learn more about our other services? Check out what we do here.