May 9, 2026
Passwords remain a major vulnerability for most businesses today. Organizations have invested heavily in new cybersecurity tools and technologies, yet weak or poorly managed passwords still account for a significant share of the security incidents they experience.
Law firms and accounting firms are especially attractive targets for cyber-criminals because they hold sensitive client communications, financial data such as tax returns and W-2 forms, and other information that has real value to an attacker.
A single compromised password can therefore hand an attacker everything that account can reach: client files, email, and any system the employee is authorized to use.
Verizon's Data Breach Investigations Report continues to rank stolen credentials among the most common ways attackers gain initial access to an organization's network. Although this threat vector has been well known for years, many organizations still rely on outdated password management practices that do little to reduce the risk created by weak or reused passwords.
There is no substitute for a strong password management strategy. Beyond reducing the organization's risk exposure, it contributes directly to operational efficiency, regulatory compliance, and client trust.
Why Password Management Remains Relevant
It has become fashionable to treat passwords as relics of the past, given advances in biometrics and app-based authentication. The fact remains that a password is still the first line of defense for access to virtually every business system.
The main challenge facing organizations is not only external attackers.
Internal behaviors such as password reuse, insecure password storage, and a lack of employee accountability create much of the risk of unauthorized access. The Cybersecurity and Infrastructure Security Agency (CISA) continues to emphasize that good "credential hygiene" is one of the most effective ways to limit unauthorized access to organizational systems.
Poorly developed password management strategies may result in the following types of losses for professional service firms:
- Unapproved access to clients' files and/or documents
- Non-compliance issues
- Monetary losses
- Negative reputational impacts
Excessively complicated solutions are not always the best option; consistent enforcement of the policies a firm already has will do more to reduce the likelihood of password-related problems.
Avoid Overly Complex Password Policy Requirements
Traditional password policies required complexity (e.g., at least one special character) along with periodic password resets.
For many organizations these requirements produced unintended side effects that reduced security rather than increasing it. Users forced to satisfy overly complex rules tend to pick predictable, easily guessed patterns; write their passwords down; or recycle slightly modified versions of previous passwords at each forced reset.
The National Institute of Standards and Technology (NIST), in Special Publication 800-63B, now recommends the opposite approach: no composition rules, no routine expiry unless a compromise is suspected, a generous maximum length, and screening each new password against lists of known-breached and commonly used passwords.
According to NIST, length and uniqueness offer more protection against unauthorized access than complexity. Longer passphrases that employees can actually remember therefore improve both security and user experience.
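To make the contrast concrete, here is an added example in Python (not code from the original article): a legacy complexity checker next to a NIST SP 800-63B-style checker that relies on length, breach screening and a few obvious-pattern checks instead. The five-entry compromised-password set, the firm name "acme" and username "jsmith" used as context words, and the 15-character default minimum are assumptions for illustration; a real deployment screens against a full breach corpus such as the Have I Been Pwned range API rather than a hard-coded set.

```python
import hashlib
import re
import unicodedata

# Constructed stand-in for a breach corpus such as the Have I Been Pwned
# Pwned Passwords feed. Kept as SHA-1 hex digests so the plaintext list is
# never stored; production systems query the k-anonymity range API instead.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "P@ssw0rd1!", "Welcome2024!", "Summer2025!", "letmein")
}


def legacy_policy(pw: str) -> list[str]:
    """Classic composition rule: 8+ chars with upper, lower, digit and symbol."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    return problems


def has_sequence(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        chunk = codes[i:i + run]
        steps = {b - a for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def nist_style_policy(pw: str, context_words: list[str],
                      min_len: int = 15, max_len: int = 64) -> list[str]:
    """NIST SP 800-63B style: length, breach screening and obvious patterns only.

    No composition rules and no scheduled expiry. `min_len` is an assumption of
    this example: NIST's floor is 8 characters, or 15 when the password is the
    only authentication factor.
    """
    pw = unicodedata.normalize("NFKC", pw)  # visually identical input compares equal
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    lowered = pw.lower()
    for word in context_words:  # firm name, username, product names, ...
        if word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    if hashlib.sha1(pw.encode()).hexdigest() in COMPROMISED_SHA1:
        problems.append("found in breach corpus")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    firm_context = ["acme", "jsmith"]  # assumed firm name and username
    for candidate in ("P@ssw0rd1!", "Acme&Partners2026", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate) or 'ok'} "
              f"nist={nist_style_policy(candidate, firm_context) or 'ok'}")
```

The point of the run is that "P@ssw0rd1!" sails through the legacy rule while sitting in every breach list, and a four-word passphrase fails the legacy rule for lacking a digit and a symbol despite being far stronger.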
Require Use of Different Passwords Across Multiple Systems
Password reuse is perhaps the most common bad habit in the workplace. Once attackers obtain the credentials for one account, they routinely try the same username and password against other accounts and platforms, an automated technique known as credential stuffing. Research consistently shows that credential stuffing succeeds because reuse is so widespread. Firms need clear policies requiring a different password for every platform and system the company uses, together with a supported way for employees to keep track of them (such as a password manager) so that the policy is actually followed.
This matters most for cloud services, financial systems, email accounts, and any application that stores client data.
Implement MFA Solutions
MFA adds a layer of security beyond the password. Even if the first factor (the password) is breached, an attacker still has to defeat the second factor to gain access, which is far harder to do at scale.
Microsoft has reported that enabling MFA blocks the overwhelming majority of automated account-compromise attacks. At a minimum, law firms and accounting firms should enable MFA on the following systems:
- E-mail systems
- Remote access tools
- Financial services
- Document management systems
Monitor Login Activity and Respond to Compromise
A written policy only works if the firm can see when credentials have been exposed and act on it. This may include:
- Detecting compromised credentials
- Monitoring login activity
- Enforcing password updates when risks are identified
IBM has noted in recent security research that faster detection and response significantly reduce the impact of security incidents.
Proactive monitoring ensures that small issues do not become major breaches.
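As an added example (not code from the article), the following Python script runs the detections listed above over a handful of constructed authentication log lines: a credential-stuffing source trying one password against many accounts, which is the reuse attack described under "Require Use of Different Passwords Across Multiple Systems", and a successful login that follows a burst of failures or comes from a stuffing source, which is the signal for forcing a password reset. The log format, the thresholds, the user names and the IP addresses (RFC 5737 documentation ranges) are all assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in an assumed "key=value" format. Addresses come from
# the RFC 5737 documentation ranges and the users are fictitious.
SAMPLE_LOG = """\
2026-05-09T08:00:01Z auth user=alice ip=203.0.113.7 result=fail
2026-05-09T08:00:02Z auth user=bob ip=203.0.113.7 result=fail
2026-05-09T08:00:03Z auth user=carol ip=203.0.113.7 result=fail
2026-05-09T08:00:04Z auth user=dave ip=203.0.113.7 result=fail
2026-05-09T08:00:05Z auth user=erin ip=203.0.113.7 result=fail
2026-05-09T08:00:06Z auth user=frank ip=203.0.113.7 result=ok
2026-05-09T08:01:00Z auth user=hank ip=192.0.2.10 result=ok
2026-05-09T08:02:00Z auth user=gwen ip=198.51.100.4 result=fail
2026-05-09T08:02:10Z auth user=gwen ip=198.51.100.4 result=fail
2026-05-09T08:02:20Z auth user=gwen ip=198.51.100.4 result=fail
2026-05-09T08:02:30Z auth user=gwen ip=198.51.100.4 result=fail
2026-05-09T08:02:40Z auth user=gwen ip=198.51.100.4 result=ok
2026-05-09T08:03:00Z auth user=ivan ip=192.0.2.11 result=fail
2026-05-09T08:03:30Z auth user=ivan ip=192.0.2.11 result=ok
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Finding:
    kind: str      # "credential_stuffing" or "likely_compromised"
    subject: str   # source IP for stuffing, account name for compromise
    detail: str


def parse(lines):
    """Turn raw lines into (timestamp, user, ip, result) tuples; skip unparseable ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["user"], m["ip"], m["result"]))
    return events


def detect(events, window=timedelta(minutes=5), stuffing_accounts=5, account_fail_burst=4):
    """Flag sources failing against many distinct accounts, and accounts whose
    successful login follows a failure burst or comes from such a source."""
    ip_failures = defaultdict(list)    # ip -> [(ts, user), ...] inside the window
    user_failures = defaultdict(list)  # user -> [ts, ...] inside the window
    stuffing_ips = set()
    findings = []
    for ts, user, ip, result in sorted(events):
        if result == "fail":
            ip_failures[ip] = [(t, u) for t, u in ip_failures[ip] if ts - t <= window] + [(ts, user)]
            user_failures[user] = [t for t in user_failures[user] if ts - t <= window] + [ts]
            targeted = {u for _, u in ip_failures[ip]}
            if len(targeted) >= stuffing_accounts and ip not in stuffing_ips:
                stuffing_ips.add(ip)
                findings.append(Finding("credential_stuffing", ip,
                                        f"{len(targeted)} distinct accounts failed within {window}"))
        else:
            recent = [t for t in user_failures[user] if ts - t <= window]
            if ip in stuffing_ips:
                findings.append(Finding("likely_compromised", user,
                                        f"successful login from credential-stuffing source {ip}"))
            elif len(recent) >= account_fail_burst:
                findings.append(Finding("likely_compromised", user,
                                        f"success after {len(recent)} failures within {window}"))
            user_failures[user] = []  # a success closes the failure streak
    return findings


def response_actions(findings):
    """Map findings to responses, keyed by subject: reset and re-secure the
    account, throttle and escalate the offending source."""
    actions = defaultdict(set)
    for f in findings:
        if f.kind == "credential_stuffing":
            actions[f.subject].update({"rate_limit_ip", "alert_soc"})
        else:
            actions[f.subject].update({"force_password_reset", "revoke_sessions"})
    return {subject: sorted(a) for subject, a in actions.items()}


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG))
    for f in found:
        print(f"{f.kind:20} {f.subject:14} {f.detail}")
    print(response_actions(found))
```

On the sample data the script flags 203.0.113.7 once it has failed against five accounts, flags frank because his "successful" login comes from that source, and flags gwen because her success follows four failures; ivan's single typo followed by a success is left alone. The same logic runs unchanged over a real identity provider's sign-in export once the regular expression is adjusted to its format.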
More Than Security Benefits
Password management has advantages beyond security. In addition to improving your organization's security posture, it improves operational efficiency, minimizes downtime from lockouts and resets, and supports regulatory compliance.
Employees can get into their systems when they need to. The organization carries less risk exposure. Clients know that their sensitive information is being handled properly.
For firms that depend on client trust and handle sensitive data, effective password management is a core operational discipline, not a trivial IT matter.