By Joe Siegrist, LastPass CEO and Co-Founder
In the wake of Heartbleed, many organizations are asking us what they should do to protect their employees and clients from any damage the bug may have caused, in addition to how best to protect both company data and employee privacy going forward.
Being touted as the ultimate web nightmare, Heartbleed certainly has the potential to be one of the most devastating bugs to hit the Internet. The concern is primarily due to the fact that OpenSSL is employed by a vast number of sites and that the bug was technically out there for some two years.
Here are five concrete steps that a company should take now to mitigate the risks of Heartbleed and be better prepared for the next big security issue.
Acknowledge that company passwords are a problem
Passwords are one of those things that we all know we should do better with, but many secretly feel helpless to do anything to change it. Insecure sharing of passwords is rampant in organizations, and due to the burden of password requirements and password changes, employee’s default to the easiest passwords they can remember and get on with their lives. The first step is for leadership to recognize that there’s a password problem, and that it poses a serious security risk to the organization.
Get a plan in place
It’s one thing to tell everyone that they have to update their passwords, and then force those changes on them. It’s another thing to give them tools and a framework that enables them to painlessly make those changes and follow best security practices going forward.
This is where an enterprise password management system is critical. It is nearly impossible for employees to follow best password practices without one. Not only that, employee productivity is bolstered by having a tool that fills passwords for them, keeps them from having to call the help desk to reset passwords, and enables them to manage everything from one secure portal. The team can implement both password vaulting and SAML Single Sign-On in one secure place. Committing to a password manager helps the company get a plan in place and map out how to implement password security improvements.
Enforce policies that support your security goals
Once you have deployed a password management system, you can spend time reviewing policies and security restrictions to help your organization gently enforce security standards. For example, policies can be set to disallow access from outside the company office, or other trusted locations, and policies can be both inclusive and exclusive, so that all but a few can be given a separate set of restrictions. Policies enable you to enforce strong master passwords, restrict mobile access, disallow use of features like exporting and more. The key is to create a customized security environment that meets your compliance needs.
Prioritize updating critical accounts
LastPass makes it easy for admins and employees alike to understand where they are using weak or duplicated passwords for their online accounts, as well as helps with the process of creating strong new passwords. Admins who manage a shared account can prioritize those critical updates, while employees can take responsibility of their logins that need updating. The LastPass Security Checkhelps both employees and admins keep an eye on progress and work towards concrete goals.
Enable multi-factor authentication
Multi-factor authentication adds a layer of protection to accounts by requiring that a user complete an extra step before being given access to their account. Typically this means providing data from something you have access to such as a device that generates a one-time code, a mobile app that generates a temporary code, or biometrics such as a fingerprint scan. LastPass Enterprise simplifies the deployment of multi-factor authentication and integrates seamlessly with a range of options, enabling companies to choose the methods that work best for their devices and environment.
Bonus tip: Do a password sweep
The password management system you put in place is only as good as your employees’ adoption of it. Consider doing a “password sweep,” and walk around the office to see if any passwords are posted in plain sight – perhaps on a cork board or written on a white board. Save all of these data points to the password manager and share them through that system.