Wednesday, July 30, 2014         

TECH VIEW


 Print   Email   Comment | View 0 Comments   Most Popular   Save   Post   Retweet

Companies must be clear on password policies

By John Agsalud

The recent “hacking” of a Fox News Twitter feed set the world abuzz with its false reports of serious injury to President Barack Obama. The Secret Service continues to investigate the exact methods by which the hacking was conducted. The fact of the matter, however, is that the hacking was probably facilitated by exploiting people as opposed to technology.

Specifically, we believe that the so-called hacking was aided by a compromised password. Typically, large companies that employ social networking have multiple folks responsible for monitoring the various accounts, such as those on Twitter or Facebook. This often leads to sharing of passwords amongst the responsible parties.

Take that shared password, combine it with a disgruntled employee (or, more likely, an ex-employee) and voilà! The account is available to a host of nefarious characters. This is actually much easier and more prevalent than what most folks envision as “traditional” hacking.

So what can businesses and government organizations do to combat such issues? First, develop and publish a password policy. Such a policy defines more than just “eight letters or longer, use special characters, numbers, and both upper- and lower-case letters.”

A good password policy defines how often passwords must be changed in both normal circumstances (for example, monthly or quarterly) and unusual situations (such as termination of an employee). Also included in the policy is whether the same password can be used for multiple accounts and, if so, which type of accounts. Confidentiality rules, of course, need to be defined. This includes sharing of passwords, whether directly or indirectly, or even mentioning a password in conversation.

A password policy also should include penalties for violation of rules. We have seen such penalties run the gamut from fines, suspensions, to terminations. While this might seem harsh — and we are in no way suggesting termination for the more manini violations — it is necessary. It is no different from many other forbidden activities for which penalties are a given.

In addition to a substantive password policy, folks might plan for the worst. What happens if we get hacked? In the case of the Fox News example, rumor has it that it took more than five hours to rectify the problem.

Organizations need to understand how to report problems, whom to report them to and, most important, how long it might take to resolve issues. Make sure your ducks are in a row so that if you do run into a problem, you’re not wasting valuable time doing things that could have been done earlier, such as identifying an authoritative point of contact both within your organization and at the provider.

John Agsalud is an IT expert with more than 20 years of information technology experience. Reach him at johnagsalud@yahoo.com.