In my blog post on Password Security: Tips & Tricks, I talked about some of the issues facing network administrators in creating a good password policy and how and why staff fight the password policy. In this article, let’s look at things that will make compliance more likely. Here are a few things to consider that look less at the technical side and more at policy and administration. How do you get staff on board with your password policy specifically and with security policies more generally?
1. Create a consistent password policy and stick to it
In many cases, password complexity requirements and expiration rules can be set in the program you are using. Organizations on Windows networks will find this very easy with Active Directory. The specifics vary from technology to technology, so talk to your local tech guru for the specifics of your platforms. Be careful, however: even where the technology does not enforce this for you, you still need to set policies for legacy programs, systems, and machines outside of your domain. Having a consistent policy across those platforms will make administration and enforcement easier and lead to a higher rate of compliance. One example comes from my client and their numerous remote staff. It is our policy that they have a password on their local profile. During scheduled updates, this is a setting I check. If they do not have a password set, I set one for them. If you keep your rules consistent and enforce them across platforms, you will have better compliance. The more complicated and varied the policies, the more likely users are to attempt shortcuts.
2. Educate your staff
A major part of good network security is often overlooked: the people. Teach your staff about basic network security. Make it a part of the new hire process and offer refreshers now and then. Make the policies easily available and make sure they get read. This is not something that you can do once, or even once in a while. It should be part of an ongoing discussion with your staff. Be willing to explain both the rules and the reasons, and then keep talking about it until they get it. There will be people resistant to your processes, and they must still follow the rules. Many organizations have consequences clearly outlined in their employment policies, and many security advocates favor the stick over the carrot. While not my favored approach, this needs to be considered as well. Employees should have an understanding of the consequences, both for the organization at large and for them personally.
3. Make it easy for staff as much as possible
The best security policies only work when people follow them. Stick to your guns, but be helpful. Our current best practice is to change passwords every 90 days. At my client, we use an automated script to send users reminders to change their passwords. The emails are sent at ten days, three days, two days, and one day before expiration. We give the users plenty of notice. That email contains detailed instructions on how to make the change, with multiple methods. At the same time, we try to be very quick to respond to people asking for help with passwords. If they know they are supported, staff are less likely to attempt shortcuts. I don’t change the rules for them, but I help them follow them.
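As an added example (not the author's script), here is one way to compute the reminder schedule described above: given the date each password was last set and the 90-day maximum age, it reports who is due a reminder at 10, 3, 2 or 1 days before expiration, who has already expired, and who has no password set at all (the remote-profile check from point 1). The user list, dates and message wording are constructed; reading real dates from Active Directory and sending the mail are assumed to happen elsewhere.

```python
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90            # 90-day rotation from the post
REMINDER_DAYS_BEFORE = (10, 3, 2, 1)  # reminder schedule from the post
SAMPLE_TODAY = date(2024, 6, 1)       # constructed "today" for the sample run

# Constructed sample data: (username, date the password was last set).
# None stands in for a local profile with no password set at all.
CONSTRUCTED_USERS = [
    ("alice", date(2024, 3, 13)),  # 10 days left on 2024-06-01
    ("bob",   date(2024, 3, 6)),   # 3 days left
    ("carol", date(2024, 3, 8)),   # 5 days left: no reminder today
    ("dave",  date(2024, 2, 20)),  # expired 12 days ago
    ("erin",  None),               # no password set
]

def days_until_expiry(last_set, today):
    """Days left before a password set on last_set reaches the max age."""
    return (last_set + timedelta(days=MAX_PASSWORD_AGE_DAYS) - today).days

def reminders_due(users, today):
    """Map each user needing attention today to a (status, days) pair:
    'remind' (days until expiry), 'expired' (days past expiry) or
    'not_set' (days is None). Users not on the schedule are omitted."""
    due = {}
    for name, last_set in users:
        if last_set is None:
            due[name] = ("not_set", None)
            continue
        remaining = days_until_expiry(last_set, today)
        if remaining < 0:
            due[name] = ("expired", -remaining)
        elif remaining in REMINDER_DAYS_BEFORE:
            due[name] = ("remind", remaining)
    return due

def reminder_message(name, status, days):
    """Body of the notice; the change instructions are a placeholder."""
    if status == "remind":
        head = f"{name}: your password expires in {days} day(s)."
    elif status == "expired":
        head = f"{name}: your password expired {days} day(s) ago."
    else:
        head = f"{name}: no password is set on your profile."
    return head + " Instructions for changing it: <insert your steps here>."

def run_sample():
    """Evaluate the constructed users against the constructed date."""
    return reminders_due(CONSTRUCTED_USERS, SAMPLE_TODAY)

if __name__ == "__main__":
    for name, (status, days) in run_sample().items():
        print(reminder_message(name, status, days))
```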
4. Remember that the password policy is only one part of a larger security plan
If it’s not, it really should be. There are other avenues into your network. If your staff are using unsecured Wi-Fi connections and visiting dodgy websites on organization computers, you will have other problems. The goal must be security as a holistic package.