In our highly interconnected world, where data is the new oil, your business’s reputation and your customers’ trust often hinge on your ability to safeguard their information. Recent media attention surrounding the Optus, Medibank and Latitude data breaches has thrust data security to the forefront of everyone’s minds.
You may have already implemented certain security measures to protect your organisation’s data from unauthorised access; however, one very common area of cyber security that is often overlooked is password management.
What is Password Management?
Password management is the process of creating, storing, and securely managing passwords.
Why is it so Important?
Robust password management is considered an essential element of an organisation’s “defence in depth” security approach to protect corporate email, financial systems, customer relationship management (CRM) and the organisation’s overall tech stack. Yet, according to the Australian Cyber Security Centre (ACSC), research commissioned by the Council of Small Business Organisations of Australia in January 2023 found only 54% of Australian businesses regularly use password managers.
What are the benefits of using a Password Manager?
- It helps keep your passwords and accounts safe: A password manager creates strong, unique passwords for all your accounts and stores them in a secure, encrypted database. This way, even if one of your passwords is compromised, the rest of your accounts will remain safe.
- It can help protect you from phishing attacks: Phishing attacks are very common and are becoming very sophisticated and difficult to spot. A password manager can help protect you from these attacks because it only auto-fills your login information on the website the credential was saved for; on a lookalike domain, nothing is entered. This way, your sensitive data will remain safe even if you accidentally click on a malicious link.
- It increases productivity: According to various global studies and surveys, the average business user has over 100 passwords to manage and protect. Without a password manager, it is practically impossible to have unique, long, complex passwords for every single account. A password manager saves time by preventing forgotten passwords, auto-filling login information and securely filling web forms with information such as payment card and address details.
- It keeps track of important information: In addition to passwords, a password manager can store other sensitive information, such as credit card numbers, banking details, login information, travel documents, secure notes and address details.
How do Password Managers secure your passwords?
Most password managers use a combination of AES-256-bit encryption, MFA (multi-factor authentication), and zero-knowledge architecture to keep your passwords safe. Here’s a more detailed explanation of each:
- AES-256-bit encryption: This is the same level of encryption used by government agencies and banks. Password managers use this type of encryption to protect your stored passwords from being accessed by anyone other than you.
- Multi-factor Authentication: This is an essential layer of security requiring the user to verify their identity with a second factor in addition to the master password, through either an authentication app or a security token.
- Zero-knowledge architecture: This means the password manager vendor never has access to your actual master password or the plaintext contents of your vault. The encryption key is derived from your master password on your own device, so the vendor only ever holds an encrypted copy of your vault. This makes it impossible for anyone without your master password (including your password manager administrator) to see or decrypt your passwords.
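As an added illustration, not code from this article or from any vendor's product, here is the zero-knowledge pattern from the list above in Go: the key is derived from the master password on the user's device, the vault is sealed with AES-256-GCM, and a sync server only ever holds the resulting ciphertext blob. The function names, the PBKDF2 iteration count and the sample vault contents are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey is PBKDF2-HMAC-SHA256 for one 32-byte block (RFC 8018, dkLen == hLen).
// It runs on the client, so the master password itself never leaves the device.
func deriveKey(master, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index INT(1)
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ { // U_i = HMAC(P, U_{i-1}); key = U_1 xor ... xor U_c
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}
// newGCM builds an AES-256-GCM AEAD from the derived 32-byte key (100000 is an assumed work factor).
func newGCM(master, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(master, salt, 100000))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// SealVault returns nonce||ciphertext||tag: all a sync server ever stores, opaque without the master password.
func SealVault(master, salt, vault []byte) ([]byte, error) {
	gcm, err := newGCM(master, salt)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per seal
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, vault, nil), nil
}
// OpenVault decrypts the blob; a wrong master password fails the GCM tag check.
func OpenVault(master, salt, blob []byte) ([]byte, error) {
	gcm, err := newGCM(master, salt)
	if err != nil || len(blob) < gcm.NonceSize() { return nil, errors.New("bad key or truncated vault blob") }
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}
```

The salt would be stored alongside the blob in practice; it is not secret, only the master password is.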
Considerations when implementing a Password Manager
There are numerous password managers in the market and it’s important that you choose one that is commercially recognised. Other considerations you should keep in mind when implementing a password manager include:
- Security: Probably the most important consideration. The chosen solution must have very strong encryption (i.e., AES-256-bit encryption), support MFA, employ zero-knowledge architecture, and be independently audited for security vulnerabilities.
- Secure Sharing: The product should have functionality that supports the secure sharing of passwords with your team members (or family for personal use) where necessary.
- Ease of Use: The product should be intuitive and easy to use, with a clear user interface that makes it simple to access, generate, store, and manage your passwords.
- Compatibility: The solution should work on a variety of devices, operating systems, and browsers.
- Regular Updates: The product should be frequently updated to enhance functionality, new features and most importantly, address any security vulnerabilities.
What else do we need to consider?
Configuration, adoption, training, and reporting – these are just a few of the areas where we’ve witnessed companies struggle whilst rolling out a new password manager themselves. Most commercial password managers have numerous security configuration settings, which are often overlooked by organisations deploying the solution on their own.
Purchasing a password manager and simply instructing staff to use this new security feature, without appropriate staff engagement or training, can lead to user dissatisfaction and rejection of the product. A successful rollout requires user behaviour and culture change, with top-down sponsorship and leadership. Staff also require clear communication around the deployment of the password manager, underpinned by the various benefits to both staff and the organisation.
How can Cyber Audit Team (CAT) assist?
Recognising many of the challenges organisations experience in successfully rolling out a robust and measurable password management solution, we developed a ‘tried and tested’ methodical approach that delivers customers a tangible password security maturity uplift, whilst ensuring strong adoption across your organisation.
From configuration and policy creation, to onboarding and training staff, CAT delivers a fully managed service for an effective rollout and adoption, ensuring staff are engaged and understand the benefits and features of the chosen solution.
If your organisation is considering a password management solution and would like to speak with one of our experts, please email us at enquiries@cyberauditteam.com or visit our website at www.cyberauditteam.com.