Heartbleed was a security nightmare that caught the technology world unaware and unprepared. There was a good deal of panic in the immediate aftermath, but looking back a month later there is a lot to learn from what happened, and the most important lesson is what to do next. Post-Heartbleed, Joe Siegrist, CEO of LastPass, offers a series of tips to help companies protect data and improve privacy.
1. Acknowledge that company passwords are a problem
Passwords are one of those things we all know we should handle better, yet many people secretly feel helpless to change. Insecure sharing of passwords is rampant in organisations, and because password requirements and forced rotations are a burden, employees default to the easiest passwords they can remember and get on with their lives.
The first step is for leadership to recognise that there is a password problem, and that it poses a serious security risk to the organisation.
2. Get a plan in place
It is one thing to tell everyone that they have to update their passwords, and then force those changes on them. It is another thing to give them tools and a framework that let them make those changes painlessly and follow good security practice going forward.
This is where an enterprise password management system is critical: without one it is very hard for employees to keep a unique, strong password for every account. A tool that fills passwords for them also bolsters productivity, because it spares them helpdesk calls for password resets and lets them manage everything from one secure portal.
With a system such as our own LastPass Enterprise, the team can implement both password vaulting and SAML Single Sign-On in one place. Committing to a password manager gives the company a plan and a way to map out how password security improvements will be rolled out.
3. Enforce policies that support your security goals
Once you have deployed a password management system, review the policies and security restrictions it offers to help your organisation enforce security standards without heavy-handedness.
Policies can be applied inclusively or exclusively, so a rule can cover everyone except a named few, or only a chosen group. Policies let you enforce strong master passwords, restrict mobile access, disallow features such as exporting the vault, and more. The key is to build a customised security environment that meets your compliance needs.
4. Prioritise updating critical accounts
Admins and employees alike must find out where they are using weak or duplicated passwords for their online accounts, and get help creating strong new ones.
Admins who manage shared accounts can prioritise those critical updates, while employees take responsibility for their own logins that need updating.
5. Enable multifactor authentication
Multifactor authentication adds a layer of protection to LastPass accounts by requiring that a user complete an extra step before being given access to their account.
Typically this means proving possession of something you have, such as a hardware token or mobile app that generates a temporary one-time code, or something you are, such as a fingerprint. Because each code is valid only for a short window and should be accepted only once, a password captured on its own is no longer enough to log in.
6. Do a password sweep
The password management system you put in place is only as good as your employees' adoption of it.
Consider doing a "password sweep": walk around the office and look for passwords posted in plain sight, perhaps pinned to a cork board or written on a whiteboard.
Move every credential you find into the password manager and share it through that system instead.