Being touted as the “ultimate web nightmare”, Heartbleed certainly has the potential to be one of the most devastating bugs to hit the Internet, due to the fact that OpenSSL is employed by so many sites and that the bug was technically out there for some 2 years.
Here are 5 concrete steps that your company should take now to mitigate the risks and be better prepared for the next big security issue.
1. Acknowledge that company passwords are a problem.
Passwords are one of those things that we all know we should do better but many secretly feel helpless to do anything to change. Insecure sharing of passwords is rampant in organizations, and due to the burden of password requirements and password changes, employees default to the easiest passwords they can remember and get on with their lives.
The first step is for leadership to recognize that there’s a password problem, and that it poses a serious security risk to your organization.
2. Get a plan in place.
It’s one thing to tell everyone that they have to update their passwords, and then force those changes on them. It’s another thing to give them tools and a framework that enables them to painlessly make those changes and follow best security practices going forward.
This is where an Enterprise password management system is critical. It is nearly impossible for employees to follow best password practices without one. Not only that, but employee productivity is bolstered by having a tool that fills passwords for them, keeps them from having to call the helpdesk to reset passwords, and enables them to manage everything from one secure portal. With a system like LastPass Enterprise, the team can implement both password vaulting and SAML Single Sign-On in one secure place. Committing to a password manager helps the company get a plan in place and map out how to implement password security improvements.
3. Enforce policies that support your security goals.
Once you have deployed a password management system like LastPass Enterprise, you can spend time reviewing the policies and security restrictions available to help your organization gently enforce security standards. For example, LastPass policies can be set to disallow access from outside the company office, or other trusted locations - and policies can be both inclusive and exclusive, so that everyone but a few can be given a separate set of restrictions. Policies allow you to enforce strong master passwords, restrict mobile access, disallow use of features like exporting, and more. The key is to create a customized security environment that meets your compliance needs.
4. Prioritize updating critical accounts.
LastPass makes it easy for admins and employees alike to understand where they are using weak or duplicated passwords for their online accounts, and helps with the process of creating strong new passwords. Admins who manage a shared account can prioritize those critical updates, while employees can take responsibility of their logins that need updating. The LastPass Security Check helps both employees and admins keep an eye on progress and work towards concrete goals.
5. Enable multifactor authentication.
Multifactor authentication adds a layer of protection to LastPass accounts by requiring that a user complete an extra step before being given access to their account. Typically this means providing data from something you have access to like a device that generates a one-time code or a mobile app that generates a temporary code or biometrics such as a fingerprint scan. LastPass Enterprise simplifies the deployment of multifactor authentication and integrates seamlessly with a range of options. Companies can choose the methods that work best for their devices and environment.
Bonus tip: Do a password sweep.
The password management system you put in place is only as good as your employees’ adoption of it. Consider doing a “password sweep”, and walk around the office to see if any passwords are posted in plain sight - perhaps posted on a cork board or written on a white board. Save all of these data points to the password manager and share them through that system.
What actions have you taken in the wake of Heartbleed? How has your company responded?