If everybody’s handing out security advice these days, what’s a good strategy for sorting through the various ideas? How can you pull out the essentials?
Yes, it’s a matter of trust. My hope is that you’ve developed a great relationship with your managed IT service provider and can lean on them to bring out the best ideas, and answer questions that inevitably come up.
I’m old enough to say “back in the day”, and back in the day we had seven or eight accounts and thought it was a pain in the ass. Little did we know that it’d get worse – much worse…
In order to manage this overflow of accounts, end users make perfectly understandable, but insecure, choices:
- 38% Write passwords down on paper
- 17% Use the same password for multiple accounts
- 9% Keep passwords on a file on their computer
And these choices reduce the security of their online presence. And this doesn’t even touch the concept of shared organizational resources!
Making IT Secure
And while computers can place filters on password creation to encourage “better” passwords, the reason we need to do that is because, given no guidelines, fully a third of all passwords would end up abc123…
Coming up with a password should be more robust than trying to figure out a new way to manipulate your beloved pet’s name and birthday.
And Another Thing
If in addition to a username and password, logging into critical applications required the person to “have” something, that would clearly stop intruders. The most common tool that we can employ is a cell phone – we’ll have another level of confidence if we require a code from a cell phone app in order to login.
The Two Fundamental Steps
And so, every user needs a digital vault for account information. And every environment that allows an additional key at login time needs to be configured to do so.
The best digital vaults will assist in the creation of arbitrary passwords that meet stringent composition rules, store those passwords, supply those passwords when logging into web sites, and allow teams to share specific secure information between themselves. We’ve selected LastPass as our preferred vendor. It doesn’t mean you can’t choose any of the options out there – but if you’re going to ask us to assist, you probably want to use the one we’re familiar with.
And while not all environments support Multi-Factor / Two-Factor Authentication (MFA/2FA), Office365, Google, and many other useful sites do. There are several different apps to choose from to load on your Android/Apple phone. Some are free, others come with a modest subscription. For practical purposes, pick an app that is native to your device and works with your most important sites.
BTW – when LastPass is set up it requires that second factor…
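To show what the two steps above actually do under the hood, here is an added example (not LastPass code and not from the original post): a generator that enforces the kind of composition rules a vault applies, and a verifier for the six-digit codes a phone authenticator app produces (RFC 6238 TOTP). The specific rule set and the 20-character length are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import string
import struct

# Assumed composition rule for this example: at least one lowercase letter,
# one uppercase letter, one digit and one symbol (not any vendor's default).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+")


def meets_rules(password):
    """True when every character class in CLASSES appears at least once."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=20):
    """Draw a random password from the CSPRNG that satisfies meets_rules()."""
    if length < len(CLASSES):
        raise ValueError("length too short to satisfy the composition rules")
    alphabet = "".join(CLASSES)
    while True:  # rejection sampling keeps the result uniform over valid passwords
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_rules(candidate):
            return candidate


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at `timestamp`."""
    counter = int(timestamp) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def verify_totp(secret, submitted, timestamp, step=30, window=1):
    """Server-side check: accept the current step plus `window` neighbours for clock skew."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + k * step, step), submitted):
            return True
    return False
```

The `window` parameter is the usual trade-off: one step either side absorbs phone clock drift, while a wider window gives an attacker more codes that are valid at once.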
If you have additional questions, we’d be happy to talk. The fun starts when you bring up the unique situations that face your organization.