This article shares some of the terrifying password horror stories our partners told us, and explores:
- Why Cybersecurity is a Two-Way Street
- Team-Based Passwords vs. Individual Passwords
- Shadow IT
Risks of Password Sharing
Should you be concerned about your clients’ password hygiene? Unequivocally, yes. How concerned?
Let’s put it this way. Poor password hygiene is the easiest gateway for cyberattackers to exploit. All the fancy security software in the world doesn’t matter if your clients are giving away passwords like candy on Hallowe’en.
We were curious about just how prevalent terrible password hygiene is in your clients’ organizations, so we asked our partners for their most terrifying password horror stories. And oh boy, are there ever some bad ones!
I had a partner tell me he visited his client on-site and learned their practice for ‘securing passwords’ was to no longer display the sticky notes on their monitors and to instead stick them to the bottom of their keyboards.
Why Cybersecurity is a Two-Way Street
As law firms or medical offices, your clients might be tempted to think, “Hey, I outsourced my IT to so-and-so” or “But I have someone who already does that.” And yes, as an MSP you should be taking the lead on cybersecurity. But – and it’s a pretty huge BUT – there are certain aspects of cybersecurity that every member of your clients’ organizations has to own, regardless of title or position.
The easiest way to crack a cybersecurity system is by exploiting the people who already have access. Whether it’s falling for a phishing attack or emailing passwords or leaving them on sticky notes around the office, the individual employee is the weakest point in any company’s cybersecurity.
That’s why cybersecurity is a collaborative effort – a two way street – between you and your clients. You take care of the tech, they take care of their password habits. Cybersecurity is only effective when both of you are working together.
Team-Based Passwords vs. Individual Passwords
Say your clients are using a password manager. Is that a solution? Yes, and no. Most password managers out there excel at securing personal passwords. But when it comes to team-based passwords, they leave some pretty giant gaps wide open.
Team-based passwords are becoming increasingly common as more industries move towards the SaaS delivery model for the software people use. If your clients are using a single password for their entire team, their password manager won’t know when someone else changes it. So how do they communicate that change? By email? By writing it down on a piece of paper? By storing it in an insecure spreadsheet? All of those are fantastic gateways for cybercriminals to get access to their valuable data.
A password vault that specializes in team-based passwords is the only way to ensure that passwords are changed and disseminated to an entire team. The password is only stored in one place, and nobody ever needs to even see it – users simply copy the password and use it. If the password changes, all your clients need to do is update it once and instantly their entire team will have access to the correct password.
The key to locking down your environment is maintaining a set of permissions. Your clients need a tool that allows them to keep team-based passwords on a need-to-know basis.
“But why can’t they just use Excel or Google Docs?” Simply put, those documents are almost never as secure as you think they are. To maintain security for team-based passwords, they need to have granular permissions. We’ve seen companies that have all of their passwords on a spreadsheet that anybody in the office can access – yikes. Instead, offer your clients a solution that allows them to set permissions so only the trusted people who need to know will have access.
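To make the two properties described above concrete (one stored copy of each shared credential, and a need-to-know list controlling who can read it), here is a small added example of a team vault model. It is illustrative code written for this article, not MyGlue’s code or API; the team members, the entry name and the admin role are constructed assumptions. Rotating a credential updates it in one place, every authorised reader sees the new value on their next read, and every access attempt, including denied ones, is recorded.

```python
"""Toy model of a team password vault with need-to-know permissions.

Added example only; not MyGlue's code or API. The users, entry names
and admin role below are constructed for the demonstration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class VaultEntry:
    """One shared credential: the secret, who may read it, and a version."""
    secret: str
    readers: set = field(default_factory=set)   # user ids on the need-to-know list
    version: int = 1


class TeamVault:
    """Single source of truth for shared credentials with per-entry ACLs."""

    def __init__(self, admins):
        self._admins = set(admins)
        self._entries = {}
        # Every add, grant, revoke, rotation and read is logged, denials
        # included, so the vault owner can review who touched which entry.
        self.audit_log = []

    def _log(self, action, user, name, ok):
        self.audit_log.append({"action": action, "user": user,
                               "entry": name, "ok": ok})

    def _require_admin(self, admin, action, name):
        if admin not in self._admins:
            self._log(action, admin, name, False)
            raise PermissionError(f"{admin} is not a vault admin")

    def add(self, admin, name, secret, readers=()):
        self._require_admin(admin, "add", name)
        self._entries[name] = VaultEntry(secret, set(readers))
        self._log("add", admin, name, True)

    def grant(self, admin, name, user):
        self._require_admin(admin, "grant", name)
        self._entries[name].readers.add(user)
        self._log("grant", admin, name, True)

    def revoke(self, admin, name, user):
        self._require_admin(admin, "revoke", name)
        self._entries[name].readers.discard(user)
        self._log("revoke", admin, name, True)

    def read(self, user, name):
        """Return the secret only if the user is on the entry's reader list."""
        entry = self._entries.get(name)
        allowed = entry is not None and user in entry.readers
        self._log("read", user, name, allowed)
        if not allowed:
            raise PermissionError(f"{user} is not on the need-to-know list for {name!r}")
        return entry.secret

    def rotate(self, admin, name, new_secret=None):
        """Change the credential once; all authorised readers get the new value."""
        self._require_admin(admin, "rotate", name)
        entry = self._entries[name]
        # Generate a random replacement unless the caller supplies one.
        entry.secret = new_secret or secrets.token_urlsafe(24)
        entry.version += 1
        self._log("rotate", admin, name, True)
        return entry.version

    def visible_to(self, user):
        """Entry names the user may read (the vault never lists the rest)."""
        return sorted(n for n, e in self._entries.items() if user in e.readers)

    def denied_attempts(self):
        return [r for r in self.audit_log if not r["ok"]]


def build_demo_vault():
    """Constructed sample: one admin, one shared SaaS login, two readers."""
    vault = TeamVault(admins=["it-admin"])
    vault.add("it-admin", "billing-saas", "initial-shared-secret",
              readers=["alice", "bob"])
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    print("alice reads:", v.read("alice", "billing-saas"))
    print("version after rotation:", v.rotate("it-admin", "billing-saas"))
    print("bob reads:", v.read("bob", "billing-saas"))
    print("denied so far:", v.denied_attempts())
```

The point of the model is the audit log plus the reader set: a spreadsheet has neither, so nobody can answer “who read this password last month?” or stop a departed employee from still knowing it.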
A new customer of ours was a medical office with 30 workstations. While doing an audit of their office we found that their passwords were all the same and were only 2 characters which was the abbreviation for the office. In the audit we found 19 HIPAA violations, including this, and ended up firing them because they didn’t want to fix the issues.
The HIPAA horror story specifically showcases the powerful collaboration aspect of MyGlue. By working together with your clients, you are able to identify gaps in their cybersecurity plan, and help them close these in a systematic manner. It’s important to take a collaborative view when it comes to cybersecurity. This is your opportunity to act as your clients’ trusted security advisor.
You’ll handle the tech, and teach your clients how to manage their own processes and behaviors. In this way, you’ll be able to make sure your clients have the ability to close existing gaps that are putting their business at risk.
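The audit in the medical-office story turned up two findings that any MSP can check for mechanically: every workstation shared one password, and that password was a two-character office abbreviation. Below is an added example of such an audit pass, written for this article rather than taken from IT Glue or MyGlue. The inventory, the office abbreviation and the 12-character minimum are constructed assumptions. Reuse is detected by grouping hosts on a truncated hash of the password so the report never carries plaintext credentials.

```python
"""Credential-hygiene audit over a small inventory, modelled on the story above.

Added example, not IT Glue tooling. The inventory, the office terms and
the minimum length are constructed sample data.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12   # hypothetical policy minimum

# Constructed sample: workstation name -> password found during the audit.
SAMPLE_INVENTORY = {
    "ws-01": "MO",
    "ws-02": "MO",
    "ws-03": "MO",
    "ws-04": "correct-horse-battery-staple",
    "front-desk": "Summer2019",
}

# Organisation-specific strings that should never be used as a password
# (hypothetical office abbreviation and name).
SAMPLE_ORG_TERMS = {"MO", "Medical Office"}


def _fingerprint(password):
    """Short hash used to group identical passwords without reporting them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit_passwords(inventory, org_terms=frozenset(), min_length=MIN_LENGTH):
    """Return findings as (kind, hosts, detail) tuples.

    kind is one of: 'too_short', 'org_name', 'reused'.
    """
    findings = []
    groups = defaultdict(list)
    # Normalise org terms so "Medical Office" matches "medicaloffice".
    terms = {t.lower().replace(" ", "") for t in org_terms}

    for host, password in inventory.items():
        groups[_fingerprint(password)].append(host)
        if len(password) < min_length:
            findings.append(("too_short", (host,),
                             f"{len(password)} chars, minimum {min_length}"))
        if password.lower().replace(" ", "") in terms:
            findings.append(("org_name", (host,),
                             "password is an organisation name or abbreviation"))

    # One finding per group of hosts that share a password.
    for fp, hosts in groups.items():
        if len(hosts) > 1:
            findings.append(("reused", tuple(sorted(hosts)),
                             f"same password on {len(hosts)} hosts (fingerprint {fp})"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'too_short': 4, 'org_name': 3, 'reused': 1}."""
    counts = defaultdict(int)
    for kind, _hosts, _detail in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit_passwords(SAMPLE_INVENTORY, SAMPLE_ORG_TERMS)
    for kind, hosts, detail in results:
        print(f"{kind:10s} {', '.join(hosts):30s} {detail}")
    print(summarize(results))
```

Run against the constructed inventory, the pass reports the three identical two-character passwords as one shared-credential group plus a too-short and org-name finding for each host, and also catches the front-desk season-plus-year password that a length rule alone would flag. The hash fingerprint in the reuse finding lets you hand the report to the client without handing them a list of their own passwords.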
Shadow IT
Shadow IT is a great example of how this collaboration should work. Shadow IT refers to the devices and apps that your clients use to conduct business, but that you are unaware of. When your clients sign up for an app but don’t tell you about it, or when they use a personal phone or PC to access their business email – that’s shadow IT.
You can’t protect what you don’t know exists. However, with MyGlue it’s much easier for your clients to let you know about all of their apps. Once they’ve logged their passwords and devices into MyGlue, they can let you know about them, and give you complete visibility. That puts you in a position to ascertain the risks and provide them with the protection they need.
One Last Horror Story
One of the best password horror stories we had was with a web developer who copied his password list (in notepad) into memory and then had inadvertently pasted it into the site homepage, posted it, and from there…the site was hacked. Go figure.
Source: IT Glue.