Peter Campbell, Earthjustice
As the technical staff at our nonprofits, we wrestle with all sorts of complex security concepts: firewalls, encryption, network address translation.
But here are three quick questions:
- Would you spend $10,000 on a security system for your building, and then set the access code to "12345"?
- Would you set the administrative account name and password for your network to the same thing that five other companies in your building use?
- Would you allow an outside vendor to manage your network without sharing the passwords with you or anyone else at your organization?
I've seen all three of these situations occur, the first two at commercial law firms, the last at a large nonprofit [disclaimer: not the one I work for now!]. There are some infamous and true stories of clever hacking that played on the human side of security, such as the teenagers who took a couple of clipboards and interviewed people in the lobby of a large office building under the guise of a school project, in the process collecting birthdays; kids', spouses' and pets' names; street addresses -- all things people commonly use as the base for their network passwords.
But all of the sophisticated systems in the world offer little more than a Swiss cheese defense if we don't have good organizational policies to address the human side of security. And even that's a little tricky, as policies that are too complex for staff to easily comply with will be subverted in ways that open more security holes.
A sustainable password policy requires that passwords be:
- Of a decent length (at least eight characters, and longer is better; there is no good reason to impose a short maximum);
- Comprised of a mix of letters, numbers, and/or additional characters, preferably with mixed case;
- Not based on data that can easily be associated with the user, such as kids' names or the TV show that they often discuss online; and
- Not so obscure (as in "6T5re#bb77l") that they can't be easily memorized; that's a recipe for password Post-its!
In addition to maintaining a secure password policy (and enforcing it with network policy automation), staff should be resourced with tools to manage passwords.
There are numerous free or inexpensive applications and services that offer encrypted, password-protected storage for a collection of passwords. Choosing one that synchronizes to a mobile app adds convenience. Keep in mind that the master password for that store is then the one password that must be both strong and memorized, so it deserves the most care of all.
From the management level, a best practice is for the lead in IT to print all passwords, seal them in an envelope, and hand it to the CEO or HR executive at the organization to keep under lock, repeating (with secure destruction of the outdated list) as passwords change. Twice in my career as a CIO/IT Director, I've walked into situations where my predecessors left mad, and took all of the system password information with them, leaving me, initially, unable to manage the networks that I'd been hired to oversee. Don't put your nonprofit's work at risk by omitting this type of failsafe.
All of the port blocking, proxy servers and point-to-point tunneling on earth won't protect you from the person who clicks on a malicious link in an email. Only education, communication, and support will address those security holes, and no security plan can be considered valid if it doesn't incorporate policies along with the technical protection.