Your password procedures and policies are critical to keeping your organization safe. However, those practices won’t maintain themselves. They need to be reviewed, monitored, and enforced regularly. Conversely, there’s such a thing as too much security pressure. If employees are pressured by daily or weekly password management messages, they’re likely to tune out and ignore those notices.
Three Ways to More Efficient Password Management Updates
By improving your processes, supporting your people, and implementing better technology, your organization’s passwords will be much more secure.
1. Improve Your Password Management Processes
Without a robust process governing your password procedures, you’re going to suffer from password reuse disease and other problems. Remember, most users and managers in your company don’t lie awake at night thinking about password management problems. Thus, you need to create an easy-to-understand process for them to follow.
We recommend building a process for business managers and end users. To keep it simple, aim to fit your password management process on a single page.
Make sure you cover the following topics in your process documents:
- Password complexity: Clearly distinguish between minimum requirements for passwords (e.g., the minimum number of characters and types of characters required) and supplemental best practices.
- Password management tools: Does your organization allow or encourage employees to use password management tools? Make sure you address this topic since password managers are becoming popular for consumers, and employees may want to use them at work.
- Sell password management practices: Part of your process document needs to educate and sell employees on why they should be thoughtful in their approach to passwords. Without this motivation in place, you’re going to see unsafe practices such as writing passwords down on scraps of paper.
- Password support: Where can people ask questions and get support for password issues? Ideally, you want to provide support in multiple forms, such as an always-available IT chatbot and a help desk.
The above process should be reviewed and updated annually to make sure it remains useful. If you can’t remember the last time your password process documents were updated, you probably need to update them. By having a simple one-page password management process in place, making updates will be easy. You’ll also reduce unnecessary calls to the help desk because employees will be trained on what they need to do.
2. Support Your People with a Risk-based Approach to Password Updates
Sending a broadcast email to all employees advising them of a new policy will only take you so far. Your employees and managers are busy. You need to keep your password management updates relevant by using a risk-based approach. To illustrate how this approach would work in practice, consider the following scenario.
Your organization has 3,000 employees with different levels of authority, system access, and security sophistication. As a result, you decide to categorize employees into three groups based on risk.
- High-risk employees: Executives, managers, and IT administrators all have access to sensitive data and systems. As a result, the impact of their accounts being compromised is significant. To address this risk, you decide to engage this group with monthly awareness messages. Additionally, you conduct quarterly audits to verify that password management processes are being followed.
- Medium-risk employees: This category may include developers with access to production systems, finance employees, and customer service managers. To support this group of stakeholders, we recommend promoting password updates twice per year.
- Low-risk employees: All remaining employees, contractors, and consultants not covered by a previous category will be considered low-risk employees. In this case, you’ll provide support and training through an annual password management update.
Implementing the above risk-based approach to password management is an excellent way to prioritize your resources. However, it only works well when your software can do some of the heavy lifting for you.
3. Leverage Technology: Use Software to Facilitate Password Management Updates
Some managers still keep track of password management issues, user access, and related matters with spreadsheets. This traditional approach can work, but it’s deeply flawed. A spreadsheet’s data may be lost. It’s also difficult to share effectively. In our experience, using a spreadsheet is also slow. If you want to speed up password management updates, you need to use a better tool.
With Password Management, your password management process is automated. After completing the initial configuration of the system, you can make updates centrally and roll those out to the rest of the organization. Instead of relying upon the manager to track and approve everything, Password Management empowers employees to manage their passwords. If you discover a password problem at the organization, you can ask everyone to reset their passwords right away.
After Optimizing Password Management, Do This Next
By using the three steps outlined in this post, you’ll be able to handle password management changes much more quickly. Everyone in the organization – IT, managers, and employees – will know which tools to use and have a clear process to follow. Now that you’ve improved one part of your process, don’t stop there! You need to look at other areas of the organization to optimize further.
Help your IT help desk become more productive by automating some of their work. By moving password reset requests and similar administrative tasks to Apollo, an IT security chatbot, your help desk will have more capacity to help users. As a result, you’ll be able to ask for their help in identifying risk, developing IT security training for employees, and other high-value goals. If you could save your IT department a few hours per week, that could be just enough margin to achieve more of your innovation goals.