Sometimes there can be a fine line between business and personal. As executives, we try to make sure not to cross that line. We give space to employees, we help to create work-life balance, we try to allow flexible schedules, and we do pretty much everything we can to respect personal time and personal relationships. So when issues come up that encroach on that line, it can be a little difficult to address. Unfortunately, how your employees choose their non-work-related passwords is a topic that must be discussed.

At a minimum, securing business systems and protecting data includes enforcing policies like strong passwords and frequent password changes. But unfortunately, these are not enough. Businesses today must also consider password policies that extend outside of the work environment. In the real world we all have way too many online profiles and accounts, which means a large number of usernames and passwords to keep track of. Some people have adopted secure password apps to help store their information, while others are still using Post-it notes (please say this isn’t you!). Then there are a large number of people who approach the issue by using their email addresses as usernames and similar passwords at multiple sites. Although this makes it easier to remember their credentials for any given site, it is also a huge security vulnerability for businesses employing people who use this approach. What’s the problem, you may ask? The problem is that when users use similar credentials on multiple sites, all security is reduced to the weakest link in the collection. Let me explain.

A Sample Scenario

Take, for example, a case where you have a very stringent password policy at the office. Your user sets up a password that meets all of the requirements. You think all is well. Then your user heads to an online site to purchase new dart guns for the office. This site also has pretty stringent password requirements. One password is easier to remember than two, so your user uses the same password. Unfortunately, the site where they purchased the dart guns has lousy security. A hacker exploits that site and is able to get your user’s password. If your user used their work email address as their username, the hacker has pretty much everything they need to get into your business. Even if they used a personal email address, it is pretty easy to locate that user through social media and trace them back to your business.

As you can see, your security policies and network security have almost nothing to do with this attack. The hacker only has to target online websites with weak security. Eventually, they will hit upon one that has valuable user credentials, and then they are into your secure environment.

How to Protect Yourself

  • At a bare minimum, educate your staff on attacks like this, and let them know it is against company policy to use work passwords on any other external website. In most cases, policy alone will not solve the problem, but information and education are always a good start.
  • Help your users manage their passwords. There are a number of applications on the market that allow you to store and retrieve secure password information. Let your users use the system for business and personal passwords. The more they can integrate the apps into their lives (personally and professionally), the more likely they are to actually use them and to create a unique password for each account.
  • Consider Two-Factor Authentication services. There are a number of very sophisticated systems on the market that can make the authentication process very streamlined. The cost is relatively low in comparison to a breach, and the enhanced level of security and protection is well worth the investment.

Overall, this is a vulnerability that is most effectively combated with technology. Policies will help, but start preparing and budgeting for a long-term solution. And definitely talk to your employees about how they are picking and managing passwords on their personal accounts, because it only takes one mistake to expose your business to a new security risk.
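One technical control that directly targets the scenario above, in addition to the password managers and two-factor authentication listed earlier, is to screen every new work password against a corpus of passwords already exposed in third-party breaches, so a password that is reused from a compromised site is rejected at the moment it is set. The example below is added here and is not from the original post; it assumes a small constructed stand-in for the breach corpus (the `BREACHED_PLAINTEXTS` list and the `range_lookup` function are hypothetical, modelled on the k-anonymity range-query style used by public breached-password services, where only the first five hex characters of the SHA-1 hash are sent to the lookup and the full hash never leaves the caller).

```python
import hashlib

# Constructed sample: a tiny stand-in for a breached-password corpus. Real services
# publish SHA-1 hashes of leaked passwords; these plaintexts are made up for the demo.
BREACHED_PLAINTEXTS = ["DartGun2019!", "Summer2020", "P@ssw0rd", "letmein123"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in BREACHED_PLAINTEXTS
}


def range_lookup(prefix: str) -> list[str]:
    """Hypothetical offline stand-in for a k-anonymity 'range' query.

    Given the first 5 hex characters of a SHA-1 digest, return the 35-character
    suffixes of every breached hash that shares that prefix. The caller only ever
    reveals the prefix, so the lookup service cannot learn the candidate password.
    """
    prefix = prefix.upper()
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_compromised(password: str, lookup=range_lookup) -> bool:
    """True if the password's SHA-1 appears in the breach corpus behind `lookup`."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Compare suffixes locally; the full digest is never transmitted.
    return suffix in lookup(prefix)


def check_new_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Policy hook to run when a user sets or changes a work password.

    Length is checked first (cheap, local); the breach screen runs only on
    candidates that already satisfy the basic policy.
    """
    if len(password) < min_length:
        return False, f"password must be at least {min_length} characters"
    if is_compromised(password):
        return False, "password appears in a known breach; choose a different one"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["DartGun2019!", "short", "correct horse battery staple 42"]:
        accepted, reason = check_new_password(candidate)
        print(f"{candidate!r}: accepted={accepted} ({reason})")
```

In production the `range_lookup` stand-in would be replaced by a call to a real breached-password service or an internally hosted copy of such a corpus, and the screen should be wired into the directory's password-change path rather than run as a standalone script.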