For the last 20 months or so, we’ve worked with nearly 200 government municipalities on cyber loss control projects, now largely completed. Based on our work, we’ve found that 87% of municipalities have password policies that do not align with good practice and put them at significant risk. Is yours among them?
Passwords are a basic, front-line defense against cyber-attack. Even the most sophisticated security tools won’t protect your data if your passwords are weak.
Its recommended to create a robust password policy that works for your organization, inform your users about it, and enforce it—and that goes for admin accounts especially. Your password policy doesn’t have to be complicated, but it needs to be more than: “OK, let’s all use passwords.” You need rules for how to manage, change, store and secure your passwords.
6 Password Policy Tips for Government Employees
Here are six good practices to consider for your password policy.
- Require strong passwords. Until recently, that would have been defined as at least eight characters, with a mix of uppercase, lowercase and special characters (&^%$#@!, etc.). Simple or common passwords like “123456” or “password” are completely useless and can be cracked in seconds. NIST recently introduced new guidelines discouraging complexity and encouraging longer but easier-to-remember passwords of 10 characters or more.
- Consider password expiry. Until recently that would have been defined as enforcing an “expiration time” for passwords, such as every three or six months. The NIST guidance now discourages expiry (unless passwords are known to be compromised) if you are using strong/long passwords.
- Educate your users about password hygiene: minimize password sharing to approved cases, don’t reuse the same password across different accounts, and always store passwords in a highly secure manner (e.g., an approved password manager).
- Lock the account after a set number of unsuccessful login attempts. This will block hackers using automated systems to try different passwords.
- Enforce stronger passwords and tougher rules for your privileged/admin accounts. Limit access, prohibit password sharing, and log/audit privileged access.
- Where possible, use two-factor authentication (2FA) for critical systems. The first factor is the username/password (something the user knows) and the second factor is something the user has, like a smartcard, token, temporary access code, or something the user is (a biometric identifier like a fingerprint).
Besides setting up a policy, don’t forget to explain it to your users so they know what to do and what to expect.
Access control means controlling exactly who can view, copy, edit and/or move IT resources and data, and under what circumstances. Along with your password policy, your access controls help ensure only authorized people can access systems and data.
4 Access Control Tips for Municipalities
Here are four best practices for effectively managing access controls for municipalities:
- Put a strict process in place for assigning and revoking access rights for all your user types and for all your systems and services. This helps verify a user’s identity before issuing or resetting a password, for example.
- Only give users access to resources that they need to do their jobs. This helps limit the harm that a disgruntled employee can do.
- At least twice a year, review access rights for your users. Has Jane changed departments or jobs? Has she left your organization? Have associated controls been updated accordingly?
- Make sure that all your most sensitive data (financials, PII and PHI) is securely maintained, with access strictly limited on a “need-to-know” or “least privilege” basis.
For advice or support around establishing a password policy and access controls, contact Pivot Point Security.
Ongoing Series: Cyber Security Foundation for Municipal Governments
We are overviewing this foundational cyber security guidance for municipalities in a series of blog posts. Part 1 introduced the series and the key topics. Part 2 (above) shares practical guidance on password management and access control that we hope you’ll find helpful.
The full list of topics we will be covering includes:
- Covering the bases
- Password management and access control (CURRENT POST)
- Backup and encryption (coming soon)
- Malware and social engineering attacks (coming soon)
- Cyber security awareness education (coming soon)
- Contingency planning: Incident response, disaster recovery and business continuity (coming soon)
- Vendor risk management (coming soon)
- Patching and other “technical controls” (coming soon)
In our next post, we’ll blog on backup and encryption. Until then… stay tuned and stay safe!