How to Encourage Employees to Strengthen Password Security

Companies need to protect their electronic assets. IT departments need to get employees on board with password security policies-not as another bothersome procedure imposed by management, but as a reasonable security precaution that they understand and willingly embrace. Knowledge Center contributor Bill Carey explains five steps a company can take to educate their employees on how to strengthen password security.


Alaska Governor Sarah Palin might not have realized how important her online e-mail account would be, but when she was chosen as the Republican vice presidential nominee, she became a target for hackers. David Kernell got into her account by using Yahoo's "password reset" feature and guessing the answers to her security questions.

The unfortunate fact is that "security questions" aren't all that secure. It's usually not hard to find out where someone was born, or even their mother's maiden name. Somebody might have told Governor Palin that there's no obligation to tell the truth when you answer those questions. You're perfectly entitled to say that you were born in Bethlehem and that your mother's maiden name is Barbarossa. Yahoo's database won't care.

Identity theft is a very serious issue, even for the rest of us who aren't running for vice president. For the individual, the threat of a compromised online identity isn't so much about political tidbits or gossip. The individual's reputation might be at stake--it could be some "friend" or spouse spying--but the more serious threat involves access to money and a ruined credit rating.

Business consequences of weak passwords

For a business, the consequences can be even more severe. If employees share passwords, or use easy-to-guess passwords, the business's financial data or trade secrets might be compromised. And, if the business allows unauthorized access to customer data, the liability and loss of business reputation can be crippling. Businesses have two reasons to help their employees with online security: First, to protect their own assets. And second, to provide a tangible but inexpensive benefit to employees by helping them to protect their own online identity.

For any given business, it's likely that the employees are already worried about their online security, but they don't have the knowledge or the tools they need to limit their risk. They think "hobbit" is a pretty clever password, despite the fact that they frequent a "Lord of the Rings" discussion board and have a picture of Frodo in their cube.

The good news for business owners is that if they help their employees with their personal online security, it's much easier to get them to follow good security practices for access to company data and systems. Furthermore, a business that helps employees with their online security will come across as a caring employer, rather than as a control freak that imposes yet another bothersome procedure.

Five steps to take to increase password security

If helped in a caring way, the work force will better understand the need for company security and will be much more willing to help the company implement a responsible policy. So, in what practical ways can businesses increase awareness of electronic security? Here are five steps any business can implement:

Step #1: Assign someone in the IT department to keep an eye out for articles about security breaches and distribute these articles to employees, along with suggestions on how the security breach could have been prevented. This will keep security as a "top of mind" issue for the IT department and will force them to think about company procedures. It will also keep employees aware of the latest scams and threats. Be sure that the articles give about even representation to personal security and company security issues.

Step #2: Let the IT department answer employee questions about online security. Once again, this will ensure "top of mind" familiarity with the topic among the IT staff, and will help educate the employees.

Step #3: Purchase password-management software for the office, and allow employees to use it for their private accounts. There are lots of password management options available, but the most cost-effective is usually an enterprise password-management solution.

Step #4: Have a quarterly or semi-annual brown-bag lunch to discuss the latest security issues, emphasizing both the company's security and employees' personal security. (Many employees still don't know about phishing.)

Step #5: Circulate a memo on good password policies, and include it in the package of information given to new employees. A sample memo on good password policies is provided below:

Dear Employee,

Computer security is an increasing problem for many companies and for many individuals. You've probably heard of the rise in "identity theft" and similar crimes. [Company name] has a strong interest in protecting our own trade secrets and data, but we also want to help our employees be responsible with their personal use of the Internet and electronic services.

In the coming months, we will circulate stories about electronic security breaches, as well as tips and advice on how you can protect your own electronic identity. To kick off this effort, this memo provides a simple set of rules to help you create more secure passwords.

First, be sure to remember the following four rules:

1. Don't use easy-to-guess passwords.

2. Don't write down your password in an insecure location or store it in an insecure computer file.

3. Don't share passwords with co-workers.

4. Don't use the same password for different accounts.

Second, to create a strong password, use one of these four methods:

1. Pick a word or phrase that you'll remember, but substitute letters with symbols or numbers (such as @ for a, 8 for B, $ for S, etc. Using this method, "sambuca" might become "[email protected]@".

2. Use the first letter of a long phrase, using upper and lower-case letters, and the substitutions mentioned above. So, "One ring to rule them all, one ring to find them" might become "[email protected]". This may seem difficult at first, but muscle memory will kick in and you'll find yourself typing it with ease.

3. Use an "upper left" or "lower right" substitution. This is where you replace a keystroke with the key next to it. Thus, "Finnegan" might become "E8hh3rqh" by replacing each letter with the letter to the upper left of it on the keyboard.

4. Finally, it's a good idea to change your password every month or so.

We encourage you to take these suggestions to heart, not only for the passwords you use at your company, but in your personal affairs as well.

Bill Carey is Vice President of Marketing at Siber Systems, a Fairfax, VA-based software company. For the last four years, Bill has advocated the importance of effective password management, best practices for preventing identity theft and other related topics. He can be reached at [email protected].