6 tips to increase company security post-Heartbleed from LastPass CEO, Joe Siegrist
Heartbleed was a security nightmare that caught the technology world unaware and unprepared. There was a good deal of panicking in the immediate aftermath, but looking back a month down the line there is a lot to learn from what happened. But perhaps the most important thing is what happens moving forward.
Post-Heartbleed, Joe Siegrist, CEO of LastPass, has a series of tips for companies to help protect data and improve privacy.
1. Acknowledge that company passwords are a problem
Passwords are one of those things that we all know we should do better but many secretly feel helpless to do anything to change. Insecure sharing of passwords is rampant in organizations, and due to the burden of password requirements and password changes, employees default to the easiest passwords they can remember and get on with their lives.
The first step is for leadership to recognize that there's a password problem, and that it poses a serious security risk to your organization.
2. Get a plan in place
It's one thing to tell everyone that they have to update their passwords, and then force those changes on them. It’s another thing to give them tools and a framework that enables them to painlessly make those changes and follow best security practices going forward.
This is where an Enterprise password management system is critical. It is nearly impossible for employees to follow best password practices without one. Not only that, but employee productivity is bolstered by having a tool that fills passwords for them, keeps them from having to call the helpdesk to reset passwords, and enables them to manage everything from one secure portal. With a system like LastPass Enterprise, the team can implement both password vaulting and SAML Single Sign-On in one secure place. Committing to a password manager helps the company get a plan in place and map out how to implement password security improvements.
3. Enforce policies that support your security goals
Once you have deployed a password management system, you can spend time reviewing the policies and security restrictions available to help your organization gently enforce security standards. For example, LastPass policies can be set to disallow access from outside the company office, or other trusted locations -- and policies can be both inclusive and exclusive, so that everyone but a few can be given a separate set of restrictions. Policies allow you to enforce strong master passwords, restrict mobile access, disallow use of features like exporting, and more. The key is to create a customized security environment that meets your compliance needs.
4. Prioritize updating critical accounts
LastPass makes it easy for admins and employees alike to understand where they are using weak or duplicated passwords for their online accounts, and helps with the process of creating strong new passwords. Admins who manage a shared account can prioritize those critical updates, while employees can take responsibility for their own logins that need updating. The LastPass Security Check helps both employees and admins keep an eye on progress and work towards concrete goals.
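As an added illustration of the kind of audit described above (example code written for this page, not LastPass's own Security Check), the script below finds reused and weak passwords across a set of constructed vault entries and ranks the fixes so that shared accounts come first. The weakness rules and the sample entries are assumptions for the example.

```python
"""Audit stored credentials for reuse and weakness, ranking shared accounts first."""
from collections import defaultdict

# Constructed sample vault entries (not real accounts or passwords).
SAMPLE_VAULT = [
    {"site": "payroll.example.com", "user": "finance", "password": "Summer2014!", "shared": True},
    {"site": "crm.example.com", "user": "sales", "password": "Summer2014!", "shared": True},
    {"site": "wiki.example.com", "user": "jdoe", "password": "password1", "shared": False},
    {"site": "bank.example.com", "user": "treasury", "password": "xK9#vQ2m!pL7rT4w", "shared": True},
    {"site": "lunch-menu.example.com", "user": "jdoe", "password": "Summer2014!", "shared": False},
]

# Small constructed denylist; a real audit would use a much larger breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def weakness_reasons(pw):
    """Return the reasons a single password is weak (empty list if it passes)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit_vault(entries):
    """Return (site, user, reasons) findings; shared accounts first, then most issues first."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    findings = []
    for e in entries:
        reasons = weakness_reasons(e["password"])
        others = [s for s in by_password[e["password"]] if s != e["site"]]
        if others:  # the same password protects more than one account
            reasons.append("reused on " + ", ".join(sorted(others)))
        if reasons:
            findings.append((e["site"], e["user"], e["shared"], reasons))
    findings.sort(key=lambda f: (not f[2], -len(f[3]), f[0]))
    return [(site, user, reasons) for site, user, _, reasons in findings]


if __name__ == "__main__":
    for site, user, reasons in audit_vault(SAMPLE_VAULT):
        print(f"{site} ({user}): {'; '.join(reasons)}")
```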
5. Enable multifactor authentication
Multifactor authentication adds a layer of protection to LastPass accounts by requiring that a user complete an extra step before being given access to their account. Typically this means providing data from something you have access to, such as a device or mobile app that generates a one-time code, or a biometric such as a fingerprint scan. LastPass Enterprise simplifies the deployment of multifactor authentication and integrates seamlessly with a range of options. Companies can choose the methods that work best for their devices and environment.
6. Do a password sweep
The password management system you put in place is only as good as your employees' adoption of it. Consider doing a "password sweep", and walk around the office to see if any passwords are posted in plain sight -- perhaps posted on a cork board or written on a white board. Save all of these data points to the password manager and share them through that system.