Small Business: Securing data with smart passwords

Bob Goldfarb, managing partner at the Woodbury accounting

Bob Goldfarb, managing partner at the Woodbury accounting firm of Schoenfeld Mendelsohn Goldfarb Llp, says the company has taken several steps to ensure data security, including locking file cabinets and implementing a formal password policy. (Aug. 9, 2012) (Credit: Newsday / Audrey C. Tiernan)

Jamie Herzlich

Newsday columnist Jamie Herzlich Jamie Herzlich

Herzlich writes the Small Business column in Newsday.

bio

Last year, data breaches cost U.S. companies $5.5 million on average, according to a recent study released by Symantec Corp. and the Ponemon Institute.

Securing corporate and client data can be a hefty task, considering all the potential threats from outside hackers.

Creating secure passwords is a critical part in helping to protect a company's proprietary information and needs to be treated with the utmost priority, experts say.

"People don't understand the risks and the gravity of the situation and they consider passwords a nuisance," explains Armando D'Accordo, president of CMIT Solutions of South Nassau in Merrick, which assists clients with security and compliance best practices, including the use of proper passwords. "They don't pay attention to it."

But at the end of the day, you're not just protecting your own information, you're protecting your clients' information as well.

Establish policy. To help analyze your own business' vulnerability, first assess what kind of policies you have in place for password security.

If you don't have a policy in place, create one, said Robert Siciliano, a Boston online security and identity theft expert for McAfee, a security technology company. You don't need to reinvent the wheel, many best practices have already been established and you may want to look to an outside vendor or expert for assistance, he said.

There are some basic rules to follow, said Siciliano.

Avoid using dictionary words, slang terms, common misspellings, or words spelled backward, he said. Similarly, don't use personal information, such as your name, age, birth date, child or pet names or favorite color or song, he said.

Your passwords generally need to include a combination of numbers, letters (both uppercase and lowercase) and, in some cases, characters or symbols, said Siciliano.

D'Accordo, explaining it should include a combination of what is familiar to you but not so easy to guess.

For example, if you have two kids named Joe and Bob, you might consider Joe&Bob!#, he said.

Optimally, a password should be at least 10 characters long, said Anthony Daley, vice president of global SMB sales in New York, Check Point Software Technologies Inc., a Redwood City, Calif., IT security company. Longer passwords are harder to crack, he said.

Bob Goldfarb, managing partner at the accounting firm of Schoenfeld Mendelsohn Goldfarb Llp in Woodbury, said his company understands this and that's why they try to make passwords between eight and 10 digits long.

Several years ago, the company engaged D'Accordo's firm to help establish a formal password protocol.

"We recognize the need to safeguard our client's data," said Goldfarb. As part of this, staff is told not to share their passwords with anyone including the partners and passwords are changed up to four times a year.

Change it up. It is best to set a password policy that enforces password change every 90 days, said Daley. He advises companies to avoid using repeated characters or easy-to-guess sequences (i.e., 77777, 123456 or abcde). Also, choose different and unique passwords for each important site and application, he said.

If you have trouble remembering your password, there is password-management software like AnyPassword and KeePass that you can use. Some people even create Excel spreadsheets with their various passwords listed and lock those spreadsheets, said D'Accordo.

Just don't write your passwords on visible sticky notes.

"Any unscrupulous person that's sharp could spend between 10 seconds and 10 minutes in a cubicle and get a password," said D'Accordo. "Some people leave too many clues in their office or cubicle."

 

PERSISTENT THREAT

79
The average number of security attacks against organizations per week in the United States
Source: Check Point Software Technologies/Ponemon Institute