How to Use Password Management Reports to Control Risk

Keeping your organization secure from hackers and security threats is a never-ending mission. Staying on top of external threats alone feels overwhelming. To stay ahead, you need to look for easy-to-use habits that reliably improve security. Reviewing a password management report regularly is one of your best tools. Here is how it can be used.

Building Your Password Management Report

Your starting point is to create the password management report so that it aligns with your organization and its IT security policies. If you’re starting from a blank slate, here are some of the data points to look for.

Number of Password Changes

How many password changes does your organization process each month?

Source of Password Changes (Help Desk vs. Self-serve)

Tracking how password changes are done is helpful if you’re concerned that password management puts undue burden on the help desk.

Number of Inactive Users

For the best results, track this figure both as an absolute number and as a percentage of your users. Inactive user accounts pose a greater security risk, especially former employees who may be motivated to attack the company.

Number of Inactive Users over 6 Weeks

Some user accounts and passwords may not be used in the short term due to vacations, sick leave, and other business-as-usual reasons. Inactive accounts over six weeks are a different story; these are accounts that need to be tracked.

Password Management Training Completion

Track the percentage of users throughout the organization who’ve completed the annual IT security training (which should include a password management section).

Password Change Logs

Verify whether the organization maintains complete password change logs, including management approvals. Such records provide critical evidence to demonstrate that your systems and internal controls are working correctly.

You may wish to include additional password management metrics based upon your specific needs. Once you have all the data collected, you’ll need to make the report easy for your stakeholders to use.

How People Managers Use Password Management Reports to Support Security

Most of your people managers won’t need or ask for all the available password metrics. Instead, we suggest providing reporting on a quarterly basis for each people manager. This streamlined report will cover only the staff members who are direct reports to that manager. At a minimum, reports for managers should include the following.

Password Reset Activity Flags

Highlight unusual patterns in password reset activity. If a user resets their password more often than the corporate average, such behavior is worth investigating further.

Privileged Accounts

Track the number of these special accounts over time. If users change roles or job functions, these accounts and the corresponding password/security requirements need to be reviewed.

Multi-Factor Authentication (MFA) Usage

Relying solely upon passwords, even complex passwords, to protect your organization’s assets is no longer sufficient. That’s why we suggest you provide reporting regarding usage of multi-factor authentication over time. If a manager sees that few employees are using MFA, then you may need to provide management guidance to increase MFA usage.
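The metrics listed under “Building Your Password Management Report” and in the manager report above are all simple aggregations over identity data. The following added example (not code from the original post or its author) computes them from a constructed set of user records for one manager’s team: monthly password changes split by source, inactive users as a count and a percentage (the 14-day “inactive” cutoff is an assumption; the 42-day cutoff is the post’s “over 6 weeks”), training completion, MFA usage, privileged accounts, and reset-activity flags for users above the corporate average. The `User` structure, names, and dates are all constructed.

```python
"""Build a password-management report from constructed identity records.

Added example, not code from the original post. All user data below is
constructed; the 14-day inactivity threshold is an assumption.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import List, Optional, Tuple

REPORT_DATE = date(2024, 3, 31)   # constructed reporting date
INACTIVE_DAYS = 14                # assumption: "inactive" = no sign-in for 14 days
LONG_INACTIVE_DAYS = 42           # the post's "over 6 weeks"

@dataclass
class User:
    name: str
    last_login: Optional[date]    # None = never signed in
    mfa_enrolled: bool
    training_done: bool
    privileged: bool
    # (date, source) per password change; source is "helpdesk" or "self-serve"
    resets: List[Tuple[date, str]] = field(default_factory=list)

# Constructed sample: one small team reporting to a single manager.
USERS = [
    User("alice", date(2024, 3, 30), True, True, False,
         [(date(2024, 3, 2), "self-serve")]),
    User("bob", date(2024, 3, 29), True, False, True,
         [(date(2024, 3, 3), "helpdesk"), (date(2024, 3, 10), "helpdesk"),
          (date(2024, 3, 17), "helpdesk"), (date(2024, 3, 24), "helpdesk")]),
    User("carol", date(2024, 1, 15), False, True, False, []),   # 76 days idle
    User("dave", date(2024, 3, 1), False, True, False,
         [(date(2024, 3, 1), "self-serve")]),                   # 30 days idle
    User("erin", None, False, False, False, []),                 # never signed in
]

def days_idle(u: User, today: date = REPORT_DATE) -> int:
    """Days since last sign-in; never-signed-in accounts count as idle forever."""
    return 10**6 if u.last_login is None else (today - u.last_login).days

def monthly_changes(users, year, month):
    """Password changes in the given month, split by help desk vs self-serve."""
    c = Counter(src for u in users for d, src in u.resets
                if d.year == year and d.month == month)
    return {"total": sum(c.values()),
            "helpdesk": c["helpdesk"], "self-serve": c["self-serve"]}

def inactive_users(users, threshold_days):
    """Accounts idle longer than the threshold: names, count and share of all users."""
    names = sorted(u.name for u in users if days_idle(u) > threshold_days)
    return {"users": names, "count": len(names),
            "pct": round(100 * len(names) / len(users), 1)}

def reset_flags(users):
    """Users whose reset count exceeds the corporate average (the post's flag rule)."""
    avg = mean(len(u.resets) for u in users)
    return sorted(u.name for u in users if len(u.resets) > avg)

def pct(users, attr):
    """Percentage of users for whom the boolean attribute is set."""
    return round(100 * sum(1 for u in users if getattr(u, attr)) / len(users), 1)

def build_report(users, year=2024, month=3):
    """Assemble every metric the post lists into one dictionary."""
    return {
        "password_changes": monthly_changes(users, year, month),
        "inactive": inactive_users(users, INACTIVE_DAYS),
        "inactive_over_6_weeks": inactive_users(users, LONG_INACTIVE_DAYS),
        "training_completion_pct": pct(users, "training_done"),
        "mfa_usage_pct": pct(users, "mfa_enrolled"),
        "privileged_accounts": sorted(u.name for u in users if u.privileged),
        "reset_activity_flags": reset_flags(users),
    }

if __name__ == "__main__":
    for key, value in build_report(USERS).items():
        print(f"{key}: {value}")
```

In a real deployment the `USERS` list would be populated from the directory and the help-desk ticketing export; keeping the threshold constants at the top makes it easy to align them with the organization’s own inactivity and review policies.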

What Other IT Security Reports Should You Use?

Circulating password management reports is one effective way to increase security awareness throughout the organization. Here are a few additional IT security reports to build into your program.

IT Security Maintenance Metrics

Your IT security processes are only effective to the degree they’re maintained. For more insight on this topic, check out our post: “The Must-have IT Security Maintenance KPIs.”

Annual Penetration Testing

Annually (or more often if you’re in a security-sensitive industry), request an outside firm to conduct a penetration test. In our experience, penetration testing reports usually detect problems and give you the opportunity to improve your defenses.

Report on IT Audit Findings

If you have an internal audit function, acting on their findings and recommendations is an excellent way to improve your security.

Cloud Services Security Reviews

Does your organization rely upon cloud services such as Amazon Web Services? In most cases, these services require the customer to carry out configuration to ensure maximum security. Make sure you track and report on security testing for these services.

At this stage, you might be feeling overwhelmed with all the processes and reports needed to adequately supervise password usage. Part of that burden is unavoidable in today’s high-threat cybersecurity world. However, we do have some good news.

How to Ease the Burden of Password Management

There are two ways to make password management easier. First, look for process improvements in your IT security program. Some of your older requirements such as requiring employees to certify their compliance with requirements by email may no longer be necessary. When possible, remove those requirements so that your program is easier to execute. Once you exhaust these process improvements, automation and leveraging software is your next step.

Software can make password management easier for your employees, help desk staff and managers in two ways. Start by reducing the number of passwords employees need to memorize. You can make that happen by implementing a single sign-on software solution. With that solution, you can move from an overwhelming 10 passwords per employee to just one. Next, make it simple to request a password reset 24 hours a day, even when the help desk is closed. Use Apollo, a specialized IT security chatbot, to make that happen.

Each solution we’ve covered contributes to an improved security program. With password management reports, you’ll have the information necessary to detect high-risk behavior and provide coaching to employees. Using process improvement, you can eliminate low-value tasks from the program. By leveraging software solutions, your staff will have more capacity to take on other IT security threats.

Written by Nelson Cicchitto