23 Feb Factsheet 39 – Password Security For Home Workers
Password security for home workers
The switch to home working caused by the coronavirus crisis has created many security problems, with strong office firewalls and systems replaced by the weaker security of home computers. In-office password security is usually very strict, but home working has diluted it, leaving some firms vulnerable to data breaches and malware.
This has upset the password security apple cart, with many home workers using weaker passwords, including ones they may already use for other online services. Password reuse is dangerous and poses many risks to the valuable data held on Cloud and in-house servers. Many coronavirus-related cyber security breaches have been the result of bigger break-ins at large service providers like Amazon, Google and others, where thousands if not millions of passwords have been stolen. Cyber criminals simply try these stolen username and password pairs against other services until they find matches.
Whilst system administrators and/or office and practice managers should have their password management regimes under control, it is worth reviewing and reinforcing password security standards. A ‘Password Policy’, whether formalised in a written document or not, should include at least the following basic standards to ensure employees working from home keep their firm’s data safe.
- Passwords should be at least 8 characters long and complex, using a mix of special symbols, capitals and numbers.
- Passwords should be unique – not reused across systems or services.
- Passwords should always be backed by two-factor authentication, where the user receives an authentication code on their mobile or similar device.
- Accounts should be disabled after a set number of incorrect password attempts, forcing the user to call up the admin, office or practice manager to regain access.
- Each account should give access to ONLY those data and systems needed for the duties performed by the employee. This helps prevent access to more sensitive data requiring stricter controls.
- A ‘Review Regime’ is helpful, where ‘permissions’ are reviewed and downgraded or upgraded as appropriate. Employees who used to have access to particular types of data might have left the firm or no longer require the same level of access, and others may need to be upgraded owing to a promotion or new role.
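As an added example (not part of the factsheet), the following Python sketch shows how the standards above translate into checks on a login system: the 8-character and complexity rule, rejection of a password that matches a previous one held as a salted hash, and lockout after a set number of failed attempts with an administrator reset. The attempt limit of 5 and the PBKDF2 settings are assumptions; the factsheet gives no figures for them.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy constants. The 8-character minimum comes from the factsheet; the
# attempt limit and hashing cost are assumed values for this example.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000

Credential = Tuple[bytes, bytes]  # (salt, digest); the plain password is never stored


def hash_password(password: str, salt: Optional[bytes] = None) -> Credential:
    """Salted PBKDF2-HMAC-SHA256 so identical passwords produce different digests."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, stored: Credential) -> bool:
    """Constant-time comparison against a stored credential."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def policy_violations(password: str, history: List[Credential]) -> List[str]:
    """Check a candidate password against the factsheet's standards.
    Returns the list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    # Reuse check: the candidate is verified against every old salted hash.
    if any(matches(password, old) for old in history):
        problems.append("reused: matches a previous password")
    return problems


@dataclass
class Account:
    username: str
    credential: Credential
    history: List[Credential] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account: Account, password: str) -> str:
    """Lockout rule: after MAX_FAILED_ATTEMPTS wrong passwords the account is
    disabled until an administrator resets it (see admin_unlock)."""
    if account.locked:
        return "locked"
    if matches(password, account.credential):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "wrong-password"


def admin_unlock(account: Account) -> None:
    """The step the factsheet describes: the user calls the admin to be re-enabled."""
    account.locked = False
    account.failed_attempts = 0


def change_password(account: Account, new_password: str) -> List[str]:
    """Apply the policy, then rotate: the old credential joins the history so it cannot be reused."""
    problems = policy_violations(new_password, [account.credential] + account.history)
    if problems:
        return problems
    account.history.append(account.credential)
    account.credential = hash_password(new_password)
    return []


if __name__ == "__main__":
    # Constructed sample account; "Winter2021!" is a made-up password.
    acct = Account("alice", hash_password("Winter2021!"))
    print(policy_violations("short", []))          # several violations
    print(change_password(acct, "Winter2021!"))    # rejected as reused
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(acct, "guess"))        # last one reports "locked"
    admin_unlock(acct)
    print(attempt_login(acct, "Winter2021!"))      # "ok"
```

The reuse check verifies the candidate against each stored salted hash rather than comparing plain text, so a password history never has to hold readable passwords, and the lockout counter resets only on a successful login or an administrator unlock.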
Since most home working today involves accessing the firm’s Cloud-based services or internal servers, it is vital that this access is limited to only those with permission. Adopting a no-nonsense Zero Trust approach is an emerging standard in which everyone is treated with suspicion: until a user can prove who they are, access is denied. A Zero Trust platform can be applied to the Cloud, web servers, mobile phones, travelling sales reps and home workers, with each required to confirm their credentials.
(See Factsheet 29 for more details of Zero Trust platforms)
For further information about password security:
Phone: 01342 301325