It’s that time of year again: every first Thursday of May we ‘celebrate’ World Password Day. World Password Day is an opportunity to reflect on how well (or badly) our identity and access management strategy has been working for the organization, and to start the conversation within our organizations that leads to change. What changes, if any, has the organization made since last year’s World Password Day? Just as we remember to change our fire alarm batteries every six months when daylight saving time changes, World Password Day serves as a reminder to stop and take a moment to assess where your organization stands on password security and, more broadly, identity management.
Implement easy-to-understand training to raise awareness
Behavioral changes are some of the most impactful ways to strengthen security within your organization. Implement regular employee training across the organization and cover the topics that are common challenges and pain points for end users. Tailoring training and raising awareness of common security threats, such as phishing scams or ransomware attacks, can help make employees more vigilant. As we begin to find a new normal in our everyday business interactions, employees are using more personal devices and accounts to interact with sensitive company data, and those devices are handling company data in more risk-prone environments outside the traditional office setting. Most systems in our business and personal lives require some form of authentication, and it is tempting to reuse the same password in several places. This is where training comes in: give your employees tips to help strengthen their passwords, and encourage them to set reminders to change their passwords throughout the year. As an organization, enforcement of high-quality password policies may already be a set requirement. Remind employees that, instead of thinking of updating or changing passwords as a painful process, it can be part of a routine that encourages safer experiences online.
Minimize time spent by introducing self-service capabilities
Is your organization able to set strong IAM policies and effectively enforce entitlement management? Can users take advantage of self-service capabilities to reset passwords and request access to services relevant to their job role? All organizations are tasked with being more secure but are often spread thin as the cybersecurity skills shortage continues to grow worldwide. Implementing more self-service capabilities helps reduce the costs associated with help desk requests and frees up the time spent on low-risk user profiles and password resets. The time and resources saved can be used to tackle larger certification campaigns, assess risky user profiles, or implement stronger access policies.
Ask yourself, how can we begin to go passwordless?
The password has proven to fall short when it is not reinforced with additional authentication mechanisms. By implementing secure authentication solutions that don’t rely on passwords alone, you can begin to strengthen your organization’s security posture. There are now several options that support passwordless authentication, ranging from mobile authenticators to hardware key fob tokens. You may also want to consider adaptive authentication methods that adjust the required level of assurance based on the level of risk a user presents to the organization.
As with any change, it is important to account for user experience. Traditionally, business processes have been more cumbersome than user-friendly consumer apps, which prioritized ease of use over security. User experience has now become a priority in both business and consumer settings, creating a consistency that has improved user awareness of security without introducing complexity. Organizations should look to adopt a strategy that includes multi-factor authentication, identity proofing, and checking for compromised credentials. A combination of these best practices can help strengthen security without impacting user experience.
As a refresher from last year’s post, here are a few good questions we recommended asking yourself and your leadership team about identity and access management:
- Are all IT and applications teams within the organization fully engaged in the company’s approved end-to-end credential management solution?
- How are passwords used? Are strong passwords enforced?
- Are safe password usage and maintenance policies enforced?
- What about unnecessary risk exposure? Are there improvements that can be made?
- Are there employee training opportunities to improve password best practices and overall security awareness within the organization?
- Are you aware of the increased risks of ransomware and fraud due to ineffective password management?
After answering these questions, is there more your organization could be doing? If you’d like to learn more about passwordless authentication and stronger identity practices, visit the Oracle Identity and Access Management webpage.