
An Ounce of Prevention: Why Your Business Should Invest in Password Management

August 15, 2016
Nancy Deol is a Marketing Manager at Advanced Kiosks, a LastPass Enterprise customer. She is joining us on our blog today to make the case for adopting password management in your business. What a timely topic. We’ve seen countless brands - not to mention CEOs - in the news lately due to cyber incidents, but so many businesses aren’t sure where to start in addressing the password security problem. Nancy’s advice will help you understand how to get started in the right direction - and how LastPass can banish bad password practices.

Cybercrime is not something we take lightly at Advanced Kiosks. We work with many government and healthcare organizations, so protecting their data is not just fundamental, it’s non-negotiable. When we are selected for an interactive kiosk project, we explain to the Project Manager (before they can even ask us) that we include our pre-installed kiosk management software to protect their kiosks from malicious tampering. This software, called Zamok, locks down the touch screen and keeps the interactive kiosk safe from hackers and unwanted web browsing. It also ensures the next person who uses the kiosk doesn’t have access to the previous user’s information. There is a lot of personal data that passes to the software or application, and we ensure that this data remains confidential. We also protect administrator files and settings so they are not able to be accessed by outside individuals. So if we go to these lengths to secure our products, why wouldn’t we do the same to protect our workplace computers?

It’s Not Just Big Brands Under Attack

Part of our role at Advanced Kiosks is to remain informed of new cybercrime attacks and best practices to prevent them. IBM and the Ponemon Institute released their findings for the 2015 Cost of Data Breach Study and the average total cost of a single data breach was a staggering $3.79 million US dollars.

Many of us may read that statistic and think, “Well, we’re probably ok. Things like that only happen to the really large businesses.” Well, think again. While we often see news coverage of cybercrime happening to big names like Target, LinkedIn, Ashley Madison, Sony or NASDAQ, the truth of the matter is that 1 in 40 small businesses are at risk of becoming a target for cyber criminals. Attacks against small businesses have been increasing at an alarming rate. Symantec’s 2016 Internet Security Report revealed that what small businesses really need to worry about are less advanced attacks that are cheap and easy to execute, like password reuse attacks and phishing attacks.

Ultimately, you need to be protecting your assets, as well as your customers’ assets. This is critical if your company sells SaaS (as we do) or you require your customers to provide personal, financial or other sensitive data through an exchange. I believe this is something most small businesses do not devote enough thought to, and because of that lack of preparation, leave themselves and their customers open and vulnerable to attacks.

So Why Aren’t Businesses Protecting Themselves Against Cybercrime?

“This will never happen to me”

One of the biggest reasons is that businesses truly believe that they aren’t a valuable enough target and that there is no way it could ever happen to them. It reminds me of that saying from the Hunger Games, “May the odds be ever in your favor.” This line of thinking is a risky gamble and doesn’t reflect the reality of cyber attacks. The data shows that cybercriminals are opportunistic, targeting their victims at random and looking for easy access to money when they attack. And unfortunately, small businesses make easy targets. According to Small Business Trends, who gleaned key insights from Symantec’s study, “These phishing attacks target employees largely responsible for the finances of a small business.” So if you think that just because you aren’t Target or Sony means you’re safe, it’s time to shift your thinking and acknowledge the very real risks to your business.

“I just don’t have the time”

There’s a common misconception that finding the right ounce of prevention is going to take too much time. This always surprises me because it will definitely cost you so much more if you roll the dice and you lose. Especially when you take into account that according to a recent Experian report, 60% of small businesses that experience a data breach go out of business within 6 months. Yes, you do need to spend some measure of time to:
  • Find the right technology for your business
  • Learn the technology
  • Deploy the technology
  • Teach the technology to your employees
But not all SaaS is created equal, and the time-to-implementation varies considerably. All of the above factors are key reasons for why we decided that LastPass Enterprise was the right solution for our business, and why we believe it is the perfect password solution for any business that doesn’t have a lot of extra time available. LastPass makes everything incredibly easy for anyone to use. It’s a self-service solution, which means that anyone (I’m looking at you, non-IT folks!) can be up and running quickly. It’s a perfect fit for us since we are a self-service technology company. LastPass Enterprise also scales well, so you can start small with certain key members on your team and then deploy across your organization when you are ready.

“I trust my employees are protecting themselves”

Quite frankly, this isn’t about a trust issue, and honestly, you cannot know for sure either way until you have a system in place to actually confirm if employees are following best practices. The first question to ask (and answer) is: Do I know what the best password practices are for protecting our data from cybercriminals, and are my employees equipped to follow those best practices? If yes, then I applaud you for keeping up on cybersecurity. It’s so important to your business. If you aren’t sure, I’m here to share the information you need to know. Tech Talks offers some very helpful best practices in their article, How do you protect your passwords? - here are the key takeaways:
  • Choose to have a longer password versus a more complex, shorter password. Yes, you also want to add symbols, numbers, letters, etc, but you want your password to be long. That being said, please do not have a list of 20 numbers from 0-9 and then repeated again. 01234567890123456789 is not a strong password. Randomized is better.
  • Avoid common cultural catch phrases. Cybercriminals know that people like to choose passwords that are familiar and popular. For example, “Bye Felicia” or “NetFlix and chill” are not going to provide the strong protection you need.
  • Avoid using duplicate passwords, no matter how strong they are. Just because cybercriminals aren’t able to guess your password that doesn’t mean they won’t steal it from a service you use.
Even if your employees know the above, without a system in place it’s not possible to know if your employees are actually following that advice and protecting themselves. And if the LinkedIn hack shows us anything, it’s that the top 3 passwords LinkedIn users preferred are 123456, linkedin and password. This alone should send red flags up, since LinkedIn is a social platform for business connections and, well, you’re a business. And these are your employees. LastPass looks to solve the problem of not knowing if your employees are taking the proper password security measures at work. When your employees are using LastPass you will actually know if they are using strong, unique passwords. Without a system in place to measure and report on that level, how confident can you really be?

The Cost of an Attack vs the Cost of Preventing One

There are three main types of costs associated with not protecting your business from malicious cybercriminals. Since there is data showing that not only large businesses, but also smaller businesses, are vulnerable to attacks, you have to consider what the costs will be if you continue on the way you have been, without protecting your business.

Those three main cost areas are:

  • Financial Costs: You may find yourself with a loss of revenue through cyber theft. Not only does this damage your bottom line because your financial assets were stolen, but you will also incur a lack of trust from potential clients and therefore a loss of potential revenue from new deals. There is also the added cost of the time and resources needed to clean up the damage done and patch the holes that led to the attack. Financial costs are what we commonly associate with cybercrime, but this is only one of the main cost areas.
  • Time Costs: You think it is too time consuming now to invest in a password protection solution, but what about the time you will spend after an attack has occurred? You have to consider all of the time you will be spending, and your employees will be spending, if you are the victim of a cyberattack. You have to spend time contacting law enforcement, financial institutions, creditors, vendors, and customers. There is also time spent identifying the cause of the breach, fixing it, and resetting everyone’s passwords.
  • Embarrassment Costs: Depending on what happens after a potential cyberattack, you could suffer significant damage to your brand. First of all, you could lose your job or your business. You also might lose employees and customers to competitors. If you are a small or mid-sized business, or if you are in a particular niche, word travels fast and brand reputation is quickly affected.
There is a lot of risk involved when you do not protect your business from cyber attacks. Advanced Kiosks recognized that preventing potential attacks is the key and is worth the nominal investment up-front, which is why we chose LastPass Enterprise.

“Password management is without a doubt the single most important investment in your time and money to making sure your data is safe and secure.”

- Robert Siciliano, CEO of IDTheftSecurity.com

Why Advanced Kiosks Chose LastPass Enterprise

There are a lot of reasons why LastPass Enterprise made sense for our self-service technology business. Here are some of the key features and benefits of this valuable password security solution.
  • The Biggest Reason: We are a self-service technology company started by an engineer who firmly believes in mitigating risk. ‘Nuf said.
  • Price: LastPass Enterprise was the right price for our team and it is also scalable. As we grow we can add more team members on, and also scale down if we wanted to. The pricing is flexible and budget-friendly for an SMB.
  • Educational Resources: Our team members appreciate having access to tons of educational resources, from the LastPass Blog to the Screencasts to other helpful support options created by LastPass to walk their customers through their solution.
  • The Vault: The user interface, aka the Vault, is user-friendly and makes managing your passwords easy. We don’t have time in the day to try to figure out a complicated, or non-intuitive, user interface and the Vault takes the hassle out of managing our passwords.
  • Password Sharing: In the Vault you can have a folder of passwords that have been shared with you, but that you aren’t able to edit. For example, my boss is able to grant me access to various software platforms we use without having to disclose the password to any of them. If I were ever to leave my position, he could just as easily take back access to the passwords and change them. I am also able to share access to my passwords to marketing team members, and remove access when I choose. When I asked my boss, Howard, about this feature his reply was:

“I love the Password Sharing feature!” He went on to add, “I used to spend 30 minutes a day having to look up passwords and LastPass has given me that time back.”

  • Centralized Admin Console: This is important because this is where you save lots of time, especially if you are a growing company. Using the centralized admin console, our boss is able to onboard new employees by granting them access to websites and apps in just a few minutes. You can also preload employee vaults so they have all of the logins they need to get them up and running with LastPass.
  • Security: We also chose LastPass because of how secure the solution is. LastPass uses the leading encryption algorithms, doesn’t store passwords on any of their servers and utilizes two-factor authentication for an extra security level. These are just a small sample of the security measures that LastPass uses to protect their clients.
  • LastPass Makes Sense: The bottom line here is that it is much easier to ask your employees to remember one difficult password than 20+ difficult passwords. The logic here just makes sense.
Now that you have a better understanding of why an ounce of prevention is worth a pound of cure, or in this case, a small investment in your cyber security is worth upwards of millions of dollars in potential damages, I urge you to take action today. Remember: cybercrime is on the rise. A recent report from Security Intelligence shared that cybercrime will become a $2.1 trillion problem by 2019. Now is the time to protect your business with a small investment for what I consider to be priceless – your peace of mind.