You don't have to run a large IT shop to know that security is a major issue. However, when rules meant to protect data become too heavy a burden for users to maintain, rules have a tendency to fly out the window. Are your users applying the rules or ignoring them?
Hackers and information thieves grow more sophisticated every day. That forces you, your company's main line of defense, to be more diligent. Passwords are a good example of this constant drive to protect your small company's data. Large organizations have the benefit of more sophisticated security measures and policies, but small businesses have to rely on smaller-scale options, such as strong user passwords.
Trying to stay one step ahead of thieves and mischief-makers, we add rule upon rule to the process of generating passwords. Each rule makes sense, but they can become a burden to your users, who will take shortcuts -- so do all those rules help or hinder the process? In theory, the rules are good. In practice, they can become impractical.
You're probably already familiar with the general guidelines for creating and using passwords, which originated with the Department of Defense (DOD Password Management Guideline):
- Use a unique password for every account that requires one.
- Memorize your passwords; don't write them down.
- Passwords should be at least six characters long (more is better).
- Replace all passwords regularly.
- Passwords should contain a mixture of characters: upper and lower case letters, numerals, and other special characters.
Again, in theory, there's a good reason for each rule, but you might have a hard time enforcing them. User resistance in a small shop can be especially frustrating due to the lack of standardized policies. Right or wrong, users in a small shop are more apt to think, "Who really cares... who's going to know?" First, the atmosphere is just less formal in smaller shops. It's much easier to bend the rules. Second, small shops don't have the personnel to enforce policies. Third, training is often hit or miss and users might not even be aware that you have a password policy. Users in general aren't being malicious by bypassing your rules; they're just trying to get their work done, just like you.
Where does that leave you? Well... mostly uninformed as to whether your users are following password security policy. To find out, you'll have to get inside your users' heads. Their reasons might be legitimate:
- It's difficult to memorize several patterns of numerous characters that mean absolutely nothing.
- Just about the time users are comfortable with all those different, meaningless patterns, you change all of them and they have to start all over again.
- If they forget a password, which is easy to do, the interface is likely to lock them out. This happens when they enter the wrong password a few times. As a security measure, most systems lock users out after a few incorrect attempts to sign on. That means they have to wait for you to reset their account -- it wastes their time and annoys you.
Too bad, you say? Maybe, but that sentiment alone won't keep your users from cheating.
Here's my challenge to you: Over the next few days, visit each user and ask to look under their mouse pads and keyboards. I predict you'll find a few lists of passwords if your company changes passwords on a regular basis. Be sure to turn over the pads and keyboards because the smart ones will tape their lists to the bottoms. If you don't find a list under or taped to the mouse pad or keyboard, ask each user where he or she keeps their list. They'll pull them out of their top desk drawers and file cabinets and point to their bulletin boards.
Of course, you must reassure them that they're not in trouble and that they're actually helping you. In a small shop, this really shouldn't be too hard because of the friendly and casual atmosphere, right?
What it all boils down to is this: If rules become too hard to follow, users ignore them. Learning how your users mind your security policies is just the first step. How you resolve the problem is up to you. Just don't make the mistake of thinking all is well -- because it probably isn't. In a small shop, with fewer stopgaps and fewer resources, you can't afford to ignore even the smallest potential for trouble.