Password Compliance Must Get Measured to Get Done
In information technology (IT), we have to think about many things, from maintaining hardware and software to disaster recovery to data backups to power, cooling and more. But one thing that often gets overlooked, until after an information security incident, is password management.
Somehow, with all the high-investment hardware, software and critical business data that we are running, many IT managers relax their guard or forget that the log-in passwords their staff use to get into confidential and sensitive accounts and applications are the difference between running your business securely and suffering from data theft, manipulation, breach or compromise.
Instead, undisciplined users may write their user names and passwords on paper scraps or sticky notes, or print them out on a spreadsheet, and keep them in an insecure drawer or under their monitors, where prying eyes know where to look and can easily acquire them to get into their employer's most sensitive information.
I received an e-mail from Security Coverage Inc. of Cedar Rapids, Iowa, a technology vendor which last month joined the field of software vendors to offer password management applications to help small and midsize businesses (SMBs), small office/home office (SOHO) users and consumers better track the often confounding assortments of passwords that they accumulate and use nearly every day. This is not a new idea. Software vendors have been offering applications like this for quite a while. But how often do we analyze and measure compliance for this important issue? Not often enough.
Robert O'Dell, CEO & President of Security Coverage, said the seven-year-old security company released its new Password Genie application in order to try to help small business users and consumers get a better handle on their critical application passwords.
Password Genie joins comparable applications from vendors such as Symantec, with its Norton Internet Security suite and Norton 360 applications, RoboForm from Siber Systems, KeePass Password Safe (a free open source password manager) and LastPass. Keeping track of application passwords is not new, but with increased regulatory enforcement there is increased interest in maintaining compliance. There are also differences in approaches.
All the security vendors allow users to set up accounts where their passwords are stored safely and accessed through secure systems, bringing order to the chaos that can often happen when users try to maintain control of a large number of application and account passwords on their own. Still, O'Dell commented, Password Genie adds some new features to make it an easier process for users. "We looked at a lot of the systems out there, and a lot of them were built for the technologist" and were too complicated to use, he said. "We built this with convenience in mind."
It works through standard Web browsers and can be installed and fully synchronized across up to five computers, while allowing an unlimited number of users to access the passwords inside your business. Aimed at SMBs, SOHO users and consumers, Security Coverage will be expanding the application to Apple's operating system and to Apple iPads and iPhones and Google's Android operating system in 2011. While Password Genie doesn't have a dedicated enterprise version for large companies, several competing vendors do offer enterprise versions with increased system administrative controls.
As with most of these types of tools, Password Genie encrypts the password data to better protect it, using 256-bit AES encryption for local password storage and 128-bit SSL encryption when synchronizing the data between computers. All the data is stored locally on your computer and is not kept online where it could potentially be compromised by a persistent thief. A free 30-day trial is available, and the product costs $36 for a lifetime license if you want to keep using it. That is a fair investment for improved password security management and compliance. Other similar products exist at similar price points.
Clearly, more businesses should be using a tool like this. Not enough companies are paying close attention to password management, especially smaller businesses that may not realize that they are at risk by not having something like this employed in their offices. Often, smaller businesses don't think they're big enough to worry about such things. That's only true if your business has no confidential or sensitive information that you want to keep from prying eyes. If protecting your company data, customer data and employee data is important to you, then you need to have some kind of real password management process and supporting tool to better ensure your security.
"The industry as a whole hasn't done a very good job" of getting the message out about password security, O'Dell said. That needs to change.
If your business data, whether it's from your Enterprise Resource Planning (ERP) application, your Customer Relationship Management (CRM) system, your Human Resources software or any other business software applications, isn't protected by secure passwords that are stored securely, then your business is assuming more risk than necessary. Such a simple thing, but we often don't afford the time to think about the simple things. It's time to make that time and take a deeper look into your own password management strategy.