A simple yet effective business password management system takes high priority on the wish-list of every organization, big or small.
This is evidenced by the sheer volume of people searching Google for “the best password protection” every day. But what may surprise you is that whether you’re attempting to manage passwords for a huge corporation, a medium sized business or a small team—you must go beyond a basic password “manager” and invest in an enterprise-level solution.
Enterprise-level needn’t mean pricey
At the end of this post I will provide you with some professional, must-have resources for secure password management in small businesses AND large organizations. But first, let’s talk about the important stuff you need to know about password storage, protection and management.
Before we get into heavy-duty corporate password management, let’s cover some basics for SMBs who are still figuring out what type of password protection they need.
What is business password management really about?
You might say that password management in a business environment is about convenience—an uncomplicated way to securely store passwords so you can access them fast and easily. It often starts out that way, but as your business grows you soon realize that password management is also about something more important: protecting your company’s data and other sensitive assets. And frankly, it can quickly become a challenge.
This brings us to the next level: multi-user and shared account password management
In every company the day comes when a single account needs to be accessed by more than one person. It may be your business Twitter account, a vendor’s database, or human resource records. So, you share the login credentials with a team member, and hey presto, you have a multi-user password and a shared account.
You also have the security risks that come with multi-user passwords and shared accounts. Shared account password management is the task of administering those passwords and accounts appropriately, and minimizing the associated risks. (Be aware that every workstation, server, database, and network device—like a router or Wi-Fi access point—comes pre-installed with an Administrator account that has dangerous permissions.)
What’s changing in password management?
A lot. Today, with approximately 9 billion devices connected to the internet, humans are collectively managing tens of billions of passwords, and that figure is rising with every passing minute.
The number of criminal hackers trying to get at those passwords is rising too. In fact: Cyber-crime damage costs are estimated to hit $6 trillion annually by 2021.
Complex software is a killer of security
Not surprisingly, the software available for managing and protecting account passwords is evolving to keep up with the increased threat. But in doing so, it has become more complex than ever. And complexity is a killer of security. With complexity comes the risk of poor adoption among everyone using the software, from IT Admins to users.
What risks am I taking by leaving password management up to individual team members?
Suffice to say, failing to enforce a strict company password management policy is like leaving your premises unlocked at night. It makes it easy for criminals to get their hands on your confidential or valuable assets.
“More than 80% of data breaches have involved an employee as a victim”
Criminal hackers consider your employees to be soft targets, and it’s not hard to trick them into revealing a company password. In fact, you might be surprised to learn that even senior level executives fail to adhere to password best practices. So, it’s easy to understand why over 80% of data breaches have involved an employee as a victim.
How do I know if my company is ready for an enterprise-level password management solution?
That’s easy. The moment you or a colleague records a password on paper, or worse, in a spreadsheet (See why that’s too risky), it’s time to introduce password management best practices and move to a professional password management ‘vault’. As I alluded to earlier, enterprise-level solutions are not just for large organizations, so don’t be intimidated by the terminology.
Your challenge lies in choosing a product that’s a good fit for your company. This will likely be determined by the number of users you have, how many passwords—or ‘secrets’—you need to protect, and the type of data you need to protect. You want more than a basic password manager standing between your network and a criminal hacker.
If you’re already using a password vault of some sort, it may come with an option that enables you to upgrade to a higher level. And that option may be full-featured and free of the complexities that often result in poor adoption rates. But before simply upgrading to the next level, it’s well worth the time it takes to implement free trials from different vendors. Further on, I’ll discuss why free trials are so important.
How much should I budget for password management software?
The cost for enterprise-level software is usually dependent on the number of software licenses you need and the features you want. While the price of most basic password managers is freely available on the internet, enterprise solutions usually require a call to the sales office to tie down an accurate quote, so don’t think twice about calling the vendor, no matter the size of your company.
If you’re an SMB with fewer than 10 network users and up to 250 passwords to manage, take advantage of an enterprise-level password management tool that’s FREE yet robust.
You’ll notice I included a link to our own Secret Server Free—that’s because I know what’s under the hood and how scalable it is, so it’s a great starting point for your research into free password management for the smaller business.
TIP: Be aware that some paid password management solutions don’t offer all the features you’ll need in the purchase price, so be sure to ask what else you’ll have to pay for after implementation (i.e. after it’s too late to back out).
You must also consider the consequences and cost of a data breach when budgeting for password management software. If you’ve done your research and even the most cost-effective solution seems a little rich for your budget, weigh that cost up against these questions:
- What will we do when our passwords walk out the door with a disgruntled employee, or fall into the hands of a criminal hacker?
- How long would it take to change all our passwords? (Do you even know them all?)
- How much money would we lose if a breach brought our network down for hours? Days?
- How much confidential information could be exposed in a breach, and what would the consequences be if it was made public?
- How would this affect our credibility among clients or customers?
- How would it affect our ability to gain new clients or customers in the aftermath?
- How long would it take to fix the damage, and could it ever be fully fixed?
- Can we easily restore our network system to pre-breach condition?
- Have we violated any compliance regulations by not investing in better password control?
Answering these questions should give you an inkling of what top-notch password security is really worth to you.
Don’t forget to factor in the savings!
A well-designed password management system comes with great time-saving features, which lead to ongoing cost savings. This is an argument that’s not lost on your budgeting department. Secret Server, for example, offers these time-savers among others:
- A secure Web Password Filler (available with free version) to speed up account access.
- Automatic Discovery – you’ll quickly find vulnerable, unknown accounts that need securing.
- Request Access – easily grant once-off or limited access to passwords.
- Password changing – automatically change passwords based on your password security policy. Don’t have a policy yet? Customize a password security policy using our template. It’s important.
- User Audit Reports (available with free version) – when someone leaves your company they may take passwords with them. You can rapidly assess and control your vulnerability risk by using this feature.
Get started on your research by comparing the features and plans we offer in our popular Secret Server product—it’s all enterprise level protection.
Why are free software trials so important for assessing password management for business?
I promised I’d get to this, so here are the reasons:
- It’s a GREAT way to experience the kind of support you’re going to get later!
If the free trial doesn’t come with solid support, move on, because the rest probably won’t either.
- Remember I said complexity is a killer of security? You get to check out ease-of-use with a free trial.
If implementation of the trial is bulky and time consuming, and setup is complicated, keep looking. It doesn’t have to be that way.
- You get to play with all the features you’ll be buying. If the free trial doesn’t come with access to all the features you’ll be paying for later, there may be some gotchas in store for you.
- You get to test the software among your least-savvy users. Your trial should allow access to multiple users. Make sure you test it on a few staff members who are not IT wizards.
TIP: Make a list of what you require of a password management system now, add what you think you may require in the next few years, then check off each item against the software feature that satisfies that requirement.
What are the 5 top “must-haves” to look out for in a password management solution?
As someone whose job it is to obsess over the minutiae of password management software, narrowing down to five must-haves is a mind-boggler for me. But here’s what I would not be without:
- Security—it must be top-level. The software must offer the highest level of security available, and must not skimp on security-related features. Look for AES 256-bit encryption supplemented by multiple additional features for solid end-to-end encryption. AES 256 alone is not enough.
- Speed, from the get-go. Installation, deployment and time to value should be discussed in minutes, hours, and days, NOT weeks or months. Did you know that some of the most recognizable names in password management software provide solutions that take so long to fully deploy they are due for upgrades before deployment is complete?
- Simplicity. I mentioned this earlier—complex does NOT equal better. An easy-to-use product with an intuitive user interface and easily accessible features will protect your organization more thoroughly than a full-featured but laborious solution that requires excessive training.
- Scalability. Many password management systems claim to be scalable—they grow with your business. But the solution must also remain within your IT security budget as you scale up. Ask about additional once-off (or recurring) fees you may need to budget for as you scale up. Will you be required to purchase additional modules to scale your software? Find this out while you’re still researching password management solutions and add it to your PAM vendor comparison spreadsheet so there are no surprises later.
- Superior support. Know exactly what you’re getting when it comes to technical support. It should be robust at free trial level, and continue for as long as you have a licensed product. Ask for a copy of the vendor’s support policy. Based on your needs (now, and as your company grows), check out business hours support, after hours support, email vs. phone support, number of support technicians vs. number of clients, and how long it takes for them to respond to a support request. Ask if they offer different levels of support and if you can easily switch levels.
Conveniently, all my must-haves start with ‘S’, so they are easy to remember.
TIP: Look at the software vendor’s existing customers. If they include universities, government agencies, financial institutions, MSPs, and medical institutions, you’re looking at a vendor that’s offering top-notch security features.
Let’s dive into password management for BIG businesses
Earlier, I promised to talk about corporate password management: managing passwords and accounts that are shared among hundreds or thousands of employees, often across time zones or continents.
If both small and large companies need enterprise-level password managers to secure their passwords, what’s different for the big guys?
While larger organizations also use password managers, their password management “tool” is usually just one part of a larger “privileged access management” system that addresses a variety of cyber security challenges faced by big companies.
(Privileged access management is also known as privileged account management, or PAM, and if you’re new to it you’ll find everything you want to know about PAM right here >)
These are just a few examples of the password and access control challenges faced by large organizations:
- Dozens or more employees leave the organization every year, sometimes under contentious circumstances, and each one poses a potential security risk. Many leave taking company passwords with them. And the more leavers, the higher the risk.
- New employees join every month and need quick and secure access to all the company’s accounts and passwords. (Or do they? PAM software can ensure they have access to only the passwords they need in order to do their job.)
- As more employees work from home (or even coffee shops), more company laptops (also called “endpoints”) exit the office into private homes or public locations where dubious Internet connections and other users (kids, spouses) access the laptops and introduce unimaginable risks to your password security.
- Personal smart phones, tablets, etc—which are also endpoints—are introduced to the corporate environment posing additional risks.
- Employees’ work and home online activities overlap (think social media and emailing) increasing the likelihood of an employee giving away their password in a phishing scam, malware or hacking technique that in the past may have affected only their personal security. Now it affects the entire organization’s security.
- Compliance laws mandate how companies must store and manage sensitive information—including passwords and access to privileged accounts—requiring sophisticated auditing, recording and reporting tools.
So, you can very quickly see why a basic password manager—even one with enterprise-level features—might not provide all the functionality needed by larger corporations.
Did you know:
55% of organizations fail to revoke access after an employee is terminated
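The leaver risk described here, together with the User Audit Report idea from earlier in the post, is easy to make concrete. The script below is an added example and is not code from the original post or from Secret Server: it joins a constructed HR roster against a constructed account inventory (the kind of list a vault’s user audit report would give you) and reports two things a security team has to act on during offboarding: enabled accounts still owned by someone who has left, and shared accounts a leaver could reach whose password has not been rotated since their end date. All names, dates and the two data structures are assumptions made for the example.

```python
"""Offboarding access audit (added example; sample data is constructed)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Employee:
    username: str
    status: str                       # "active" or "terminated"
    end_date: Optional[date] = None   # set when status == "terminated"


@dataclass
class Account:
    name: str
    owner: str                                  # username responsible for the account
    enabled: bool
    shared_with: Set[str] = field(default_factory=set)  # other usernames with access
    last_rotated: Optional[date] = None         # None = never rotated


# Constructed sample HR roster (assumed export from an HR system).
ROSTER: List[Employee] = [
    Employee("alice", "active"),
    Employee("bob", "terminated", date(2021, 3, 1)),
    Employee("carol", "active"),
    Employee("dave", "terminated", date(2021, 2, 15)),
]

# Constructed sample account inventory (assumed export from a vault audit report).
ACCOUNTS: List[Account] = [
    Account("vpn-bob", "bob", enabled=True),
    Account("vpn-alice", "alice", enabled=True),
    Account("twitter-corp", "alice", enabled=True,
            shared_with={"bob", "carol"}, last_rotated=date(2021, 1, 10)),
    Account("vendor-db-admin", "carol", enabled=True,
            shared_with={"dave"}, last_rotated=date(2021, 2, 20)),
    Account("legacy-ftp", "dave", enabled=False),
]


def terminated_users(roster: List[Employee]) -> Dict[str, Optional[date]]:
    """Map each departed user to their end date."""
    return {e.username: e.end_date for e in roster if e.status == "terminated"}


def orphaned_accounts(roster: List[Employee], accounts: List[Account]) -> List[str]:
    """Enabled accounts whose owner has left: these should be disabled or reassigned."""
    gone = terminated_users(roster)
    return sorted(a.name for a in accounts if a.enabled and a.owner in gone)


def shared_accounts_needing_rotation(roster: List[Employee],
                                     accounts: List[Account]) -> Dict[str, List[str]]:
    """Shared accounts a leaver could still reach, keyed by account name.

    A shared password counts as exposed if it was last rotated on or before
    the leaver's end date (or never), since the leaver may have taken it along.
    """
    gone = terminated_users(roster)
    exposed: Dict[str, Set[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        for user in acct.shared_with.intersection(gone):
            end = gone[user]
            if acct.last_rotated is None or end is None or acct.last_rotated <= end:
                exposed.setdefault(acct.name, set()).add(user)
    return {name: sorted(users) for name, users in exposed.items()}


def offboarding_report(roster: List[Employee], accounts: List[Account]) -> Dict[str, object]:
    """Combined findings, in the shape a ticket or dashboard would consume."""
    return {
        "disable_or_reassign": orphaned_accounts(roster, accounts),
        "rotate_password": shared_accounts_needing_rotation(roster, accounts),
    }


if __name__ == "__main__":
    for finding, items in offboarding_report(ROSTER, ACCOUNTS).items():
        print(f"{finding}: {items}")
```

Run against the sample data, the report flags the VPN account that still belongs to a departed user and the shared Twitter account that a leaver was a member of and that has not been rotated since they left; the vendor database account is not flagged because it was rotated after that leaver’s end date. In practice the two inputs would come from your HR system and your vault’s audit export, and the report would run on a schedule rather than by hand.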
Security Professionals and IT Admins know that keeping company passwords secure is no easy feat
The typical IT security team is under constant pressure to:
- keep passwords and accounts secure, yet accessible
- while adhering to a budget
- and maintaining the organization’s production level
That’s no easy undertaking!
Then how do you enforce password management best practices across thousands of users, using multiple devices in multiple locations, often over less secure connections than those provided in the office?
The answer: simple software, and employee education.
Let’s look at software first:
Software for managing passwords and account access must be simple enough to be well adopted. No company intentionally invests in complex software that nobody wants to use. They do it because they don’t realize how complex the software is until nobody wants to use it.
And while your software must be easy to use, it must also be comprehensive enough to meet your unique needs and achieve your security goals, such as:
- Maintaining a super-secure password vault
- Managing passwords on employee devices
- Controlling access on endpoints that leave the office
- Automating password management to save time and maximize security
- Monitoring (and even recording, reporting on or terminating) password access across the organization
There are two types of software you’ll want to consider for protecting your organization’s passwords and accounts:
- PAM software—a privileged access management program that contains a robust password vault and helps you manage every stage of the PAM life-cycle.
- Application control software—enables you to decide which applications run as an administrator even if the user is not, to help you remove unnecessary admin rights on devices. Users can also request permission to run an application to cut down on help-desk calls. As an example of such software, take a quick look at Privilege Manager >
Now let’s look at employee education, for without it you are doomed:
All the world-class software and password policies on earth will get you nowhere if your staff are not well versed in cyber security awareness AND password management best practices. And I’m not talking about simply mastering your company’s software; I’m talking about your staff having advanced knowledge of all your cyber security risks, and understanding why password protection is critical.
Who needs to be trained?
Today, a company’s cyber security is everybody’s responsibility.
Everyone in your organization who connects to your network at any time, from any place, must be trained in your cyber security policies. From interns to the CEO.
This may mean monthly or quarterly training sessions, one-on-one introduction sessions for newbies, printing cyber security posters for cubicle walls, providing reading materials, and whatever else it takes to guarantee that everyone’s on board with your security strategy.
In a nutshell, your corporate cyber security policy should be hitched to everybody’s job description if you’re serious about protecting your organization from data breaches.
I promised that I’d provide some professional resources to help you, so here we go:
Password Management Resources for Business Use
Download a free, customizable template: Password Security Policy Template
For your IT Admins—free training: Password Security Training Certification Course
Share a scary infographic: See your employees’ risky social network password practices
And the simple kind of corporate password management software I’ve been talking about?
Here it is: Secret Server, on premise or in the cloud. Download the free trial, for all the reasons I suggested you must do free trials. It comes with the same great support you get post-purchase.
Other Cyber Security Resources
As part of your overall cyber security initiative, make these free resources available to your team and use them in your training:
Have a Quick Read: 6 Simple Steps to Online Safety
Download an eBook the whole team must read: Wiley’s Cybersecurity for Dummies by Joseph Carson
Watch a 5-minute video: What every CISO wants their employees to know about cyber security
Print a cyber security Desk Poster: Loose Clicks Sink Ships
Watch a 1-hour on-demand webinar: Empower employees to be safer online at work and at home
View an infographic: See why 3 out of 4 organizations would fail an access controls audit
It has, for many years now, been our goal here at Thycotic to make the best password protection accessible to all companies. In fact, we made it our mission to “Protect 20,000 companies around the world from cyber attacks by providing free privileged account security software worth $100 million dollars!” And we’ve been very successful.
We are also known for the cyber security research we perform and share for free with organizations world-wide. This is how I can be so certain that PAM software needs to be simple to be successful, and I encourage you to start a free trial of any of our products along with others you may be investigating. Seriously, you’ll be glad you did. It’s simple.
*** This is a Security Bloggers Network syndicated blog from Thycotic authored by Dan Ritch. Read the original post at: http://feedproxy.google.com/~r/Thycotic/~3/vldx43wyyk8/