Control 17.5: Train Workforce on Secure Authentication
Train workforce members on the importance of enabling and utilizing secure authentication.
Category
Procedural
Purpose
Especially with the move to a cloud-first and mobile-first world, employees now more than ever need to be trained to properly manage their user accounts. In many cases, an employee's user account is the only line of defense preventing an attacker from infiltrating an organization's enterprise infrastructure. Employee account security matters even when an enterprise still runs a local network. Storing passwords on sticky notes, sharing passwords with co-workers, or using the same password for every account are all examples of poor practices that attackers can exploit, leading to significant harm for a company.
Account takeovers are a common way for attackers to gain a foothold within an organization and begin stealing data or taking control. With access to a legitimate account, attackers will often attempt to move laterally to take over other accounts, launch phishing campaigns that appear legitimate, and look to obtain sensitive data. Additionally, it can be very difficult to detect and track an attacker who has taken over a legitimate account. Finally, users may reuse personal passwords for enterprise accounts. When a personal account is exposed in a breach, the matching username and password on the enterprise account is not always changed.
Automation
There are third-party training platforms available which can provide up-to-date information on secure workforce authentication, but these may be too costly for small organizations. Many platforms and services provide the ability to set up two-factor authentication (2FA).
Guidance and Tools
Employees should be trained on how to set up user accounts and keep them secure. This training should be provided upon hire and should be included in the annual security awareness training. It is critical that a company also ensure that each employee has a unique account of their own. To the extent possible, do not permit shared accounts. Although shared accounts may be advantageous for licensing and other purposes, they weaken accountability and security. The Electronic Frontier Foundation provides a useful poster on secure authentication.
Here are a few key points all employees should know about their accounts:
- Use strong, unique passwords: Create passwords which are 14 characters or more.
- Set up 2FA on all possible accounts: This adds an additional and critical step to a website's login process. 2FA uses a smartphone or hardware device to verify a user's identity to a website. Visit twofactorauth.org for instructions on setting up 2FA on popular websites.
- Do not share passwords: It is not possible to track who performed what action when multiple users have the same password.
- Do not use the same password for all accounts: The best practice is to use a unique password for every account. At a minimum, do not use personal passwords for business accounts.
- Do not use any personally identifiable information in your passwords: Names, birthdays, and street addresses may be easy to remember, but they are also easily found online and should always be avoided in passwords to ensure the greatest strength.
- Avoid using similar passwords that change only a single word or character: This practice weakens account security across multiple sites.
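The points above can be turned into an automated check that an organization might run when a new password is chosen. The following is an added example, not code from the CIS Controls or any training platform; the `check_password` function, its thresholds beyond the 14-character minimum stated above, and the sample inputs are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

MIN_LENGTH = 14          # minimum length from the guidance above
SIMILARITY_THRESHOLD = 0.8  # assumed cutoff for "only a word or character changed"


def is_near_variant(candidate, previous, threshold=SIMILARITY_THRESHOLD):
    """True when two passwords differ only by a small change (e.g. 2023 -> 2024)."""
    ratio = SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
    return ratio >= threshold


def check_password(candidate, personal_info=(), previous_passwords=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info: strings such as the user's name, birthday or street address
                   (checked as whole values and as individual words of 3+ chars).
    previous_passwords: passwords already used on this or other accounts.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower().replace(" ", "")
    for item in personal_info:
        tokens = {item.lower().replace(" ", "")} | set(item.lower().split())
        if any(len(t) >= 3 and t in lowered for t in tokens):
            problems.append(f"contains personal information ({item})")

    for prev in previous_passwords:
        if candidate == prev:
            problems.append("reused a previous password")
        elif is_near_variant(candidate, prev):
            problems.append("near-variant of a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    user_info = ("Alice Smith", "1990-04-12", "Main Street")
    old_passwords = ("Winter2023!Okay",)
    for pw in ("Tr0ub4dor&3", "AliceSmith2024!!!", "Winter2024!Okay",
               "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, user_info, old_passwords) or "OK")
```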