Tag: passwords

As more nonprofit employees work from home, scammers can seize this time of crisis to manipulate your technology to target your donors and your team.

With the COVID-19 crisis putting tremendous pressure on nonprofits to adapt and respond across multiple fronts – and fast – now is not the time to tackle complex and expensive technical rollouts. However, from team use of security settings to strategic switches, from analog to digital processes, to heightened vigilance when sending and receiving email, there are many opportunities for nonprofits to close the worst of the security gaps.

The best safeguards against a cyberattack lie at the intersection of your technology and your team. All efforts should start with educating all staff members about potential risks, creating shared ownership of both the problems and the solutions.

Here are a few ways to prevent or foil cyberattacks proactively—as a team. As Stanford University nonprofit data security expert Lucy Bernholz says: “Tools matter. People matter more.”

Urge teams to redouble their email vigilance — both sending and receiving.

When receiving email, caution is always warranted, especially with messages from unknown or unexpected sources. Common ploys include relying on fear-inducing subject lines — think “New Coronavirus Cases Confirmed in Your City” — from sources claiming to be reputable government agencies. Emails asking for “urgent donations” of any kind, which may include detailed wire instructions, are also highly suspect. But even benign requests for the recipient to click a link or share detailed information should always be viewed with caution.

Employees should also use caution when sending an email, whether to internal or external audiences. Some sites purporting to provide COVID-19 news updates can contain malware and adware. When possible, it’s better not to attach documents to external emails, as this is a common phishing ploy. Instead, your employees can direct recipients to trusted login portals to obtain information.

Take stock of the protections offered by your digital tools, and use them as a team.

The shift to working from home means many organizations are considering shifts to digital tools to help with day-to-day necessities, like tracking grants or donor activity.

If you haven’t already, it’s worth considering where your organization can switch to all-digital: How about replacing check handling with electronic funds transfer? Or leveraging grant tracking tools instead of spreadsheets? Tools such as Quicken, Salesforce, Zoom, or Skype are just some of the options in this space, and good examples of where to start.

Then, consider how your new and existing digital toolsets protect your organization’s data. Can the team quickly place hands on the organization’s existing vendor contracts to review terms of use? Is the entire team using the latest version of the tool itself? Are there administrative defaults that can be imposed to increase protective integrity?

These tools typically provide protective capabilities such as data encryption, workflow, and usage tracking. One great first step to creating a team culture with a secure mindset: host a meeting where your team navigates together to the security features already existing on your digital tools — then switch them on as a group.

Protect your financial transactions, and keep a close eye on any money movement.

Going with digital options for financial activities requires extra vigilance. Any money movement should be guarded by layers of security, like multi-factor authentication or donor validation. To activate these options, just ask your financial institution and check in with the makers of any of your digital fundraising tools.

For day-to-day monitoring, consider signing up for digital statements from your financial institution. Set aside extra time for monitoring those statements for suspicious activity. If your institution offers instant notifications on account activity, even better.

Know where your organization’s data is stored and who has access.

Organizations often assume that anything to do with data storage and access is relegated to “the tech team.” This is not the case. Anyone within an organization can help ferret out weaknesses in data stores and access points.

Anyone on your team can start by looking at the information most often referenced when engaging with donors — names, donation history, addresses, email, and more. From there, they can ask some basic questions — the same questions you ask yourself at home when thinking about your bank transactions:

  • Where is this information stored?
  • Which vendors am I trusting to keep this information safe?
  • How might untrusted entities obtain access to this data?
  • How could they manipulate existing donor relationships or processes?

It may feel overwhelming to read this right now, with so many needs requiring fast action by your organization to help the world during an unprecedented time of crisis. However, the team energy and trust needed to build and maintain a secure mindset may be closer than you think. When your goal is to protect the integrity of your nonprofit’s mission and ability to help, you will often find your team ready to step up so you can all focus on your primary mission: helping the world.

For more assistance, check out our Cybersecurity Guidance for NPOs.

We’ve heard from community members making the sudden shift to remote working that they are trying to quickly navigate a lot of unknowns. For many, it feels overwhelming to review a massive list of tools they could possibly adopt during this time. As always, though, it’s crucial to remember the context when deciding upon using a new tool, especially if it is only to help you through what will hopefully be a temporary period.

With this in mind, here’s a post examining the various strategies of using a few suggested tools.

Tactics & Tools

Instant Messaging/Chat

One of the first things you miss transitioning to remote is all those impromptu interactions you have when you share a physical space. Those questions, comments, and nonverbal exchanges help build relationships with your coworkers. Chat tools (individual or group) are a great way to allow for those interactions in digital space while keeping them out of other spaces such as email and project management tools. There’s nothing worse than training your team to ignore internal emails in general because they’re often filled with social content. That’s how important communications get missed.

Example of a chat between Ash and Jeremy using a GIF from the animated Adams Family movie.

Why Helpful: Quick interactions help fill those gaps between distributed teams to keep work moving forward, offer support, and interject a more personal feel into digital communications.

A Few Tools: Slack, Microsoft Teams, Flock

Screenshots

Screenshots are an easy way to visually show something in a quick, effective way. At it’s most basic, a screenshot is a static image of something on your machine. However, by adding a few additional elements, it can become a powerful way to communicate. Little additions such as an arrow to highlight something on a webpage or numbers to show a sequence of actions to work through a process can help clarify what needs to be done. Consider the following comparison.

To access the NTEN course, you will first need to login, then go to the Education tab in the navigation, select the Learning Dashboard item. From there, look for the button under “Access Your Courses.”

VS.

A screenshot explaining how to access an NTEN course with sequential numbering and a big read arrow.

Why Helpful: As more of your communication passes via digital channels, it’s helpful to take a few minutes to ensure communications are complete. The time spent up front dramatically reduces the back and forth needed later to answer questions.

A Few Tools: Most machines have a basic free option already, Snagit, Lightshot

Screencasting

Screencasts are short videos of either just your screen or a combination of screen and webcam. As with most tools, the options range from very simple to complex, with a heavy focus on production efforts around editing and effects. If you’re new to this, cut yourself some slack and don’t try to get overly fancy. Any attempts made to communicate in better and more effective ways will be appreciated even if the finished product lacks an original soundtrack and Hollywood effects.

 

Why Helpful: Greater clarification if what you are trying to say or show moves between tabs, applications, or is more complex then what can be captured in a static image. The added bonus of being able to speak over the video adds that human element much of your digital communications may otherwise be missing. The combination of saying and showing also allows you to convey a lot of information quickly.

A Few Tools: Loom (App and Browser), Snagit (App), Screencastify (Browser)

Match The Message To The Channel

With a sudden increase in your reliance on digital tools to communicate across your team (including a few tools new to the mix), the importance of sharing the right message on the right channel will be critical.

Why Helpful: There are some general rules about what is a good fit for an email, instant message, group chat, etc. but what matters most is that your team is on the same page. Take the time to openly discuss what the expectations are and then hold each other to those agreed-upon terms. Action items sent through chat? Ask them to move it over to your project management tool.

Virtual Check-Ins (1:1)

Many of the same tools you might use for larger groups in a virtual meeting will also work for one-on-one calls. One thing that can be helpful though is recognizing that if your 1:1 video calls can happen in the same tool where your other direct communications occur, it can help it feel more integrated, rather then “another barrier” to making something a face-to-face call vs. a long chat message or email.

At NTEN, we do our meetings in Google Hangouts Meet. It’s automatically integrated with our calendars, which we use to remember we need to be in a meeting in the first place. But for 1:1 calls, we mainly use Slack video calls because we’re already in that tool, having the direct message conversation that preceded the need to jump into a full-on conversation.

Why Helpful: Taking time to ensure there are some face-to-face interactions will help keep your human connections alive. When folks share a physical space, it is nothing to stop by and ask a coworker a quick question rather than send a message. For virtual coworkers, it’s an easy trap to keep everything in messages and skip the video. In the end, the extra time it takes to jump into a video call is often made up for by eliminating the back and forth needed to answer follow-up questions that stem from a lengthy text-based conversation.

A Few Tools: Google Hangouts Meet, Microsoft Teams, Skype, Slack, Zoom

Password Sharing/Management

Granted, managing passwords in a secure way is something you should be considering no matter where you work. However, during this particular period of adjustment, having a solution in place that allows you to share passwords across teams, between select individuals, etc. will be particularly helpful. You don’t want to be stuck without passwords when you cover various tasks that you might not normally do as coworkers adjust their schedules to take time off due to illness or to support others.

Why Helpful: Because time is vital to moving things forward, especially if you are working asynchronously. Not being able to log in somewhere because someone else changed the password, or you never had it in the first place, can bring project work to a grinding halt.

A Few Tools: LastPass, 1Password Teams (ios), TeamPassword

Project Management

This is perhaps the area I see the most potential risk for teams making a sudden and possibly short-term shift to remote teams during this time. The reality is if a significant shift to a remote and distributed team is only expected to be temporary (4–6 weeks), then I wouldn’t throw a new tool into the mix. It will only add confusion and frustration for your users during a time that will already be testing their limits. Instead, focus on how you can adapt and evolve the tools folks are already familiar with to be used robustly.

If it looks like your team really does need a new way to stay coordinated across tasks, then I suggest investing time into identifying what a project management tool could do for you.

Why Helpful: In general, the effective use of a project management tool can be a great way to improve transparency, accountability, and clarity as individuals and teams work through projects big and small.

A Few Tools: Casual PM, Asana, Monday, Trello, Basecamp

New Tool Adoption

Transitioning folks into new tools and ways of doing things isn’t always easy, even under the best of conditions. When that change happens under forced and unexpected circumstances, it can be challenging. There are a couple things you can do to help yourself and the broader team make these adjustments more successfully. As you have likely seen, there is no shortage of tools out there, but just throwing tools at people rarely makes them feel more comfortable.

Dedicate time to understand how exactly a new tool works, ideally before selecting it. But when that isn’t an option, just pick one and go. Reinforce that learning how to use a new tool effectively is not time wasted. It’s a sort of mini-capacity building activity that will allow folks time to get up to speed quickly.

Agree on how you will use a new tool as a team. Most tools can do a lot more than you will ever need. Especially if it is a new tool or a shift in how your team has been working. Giving folks permission to only need to understand how to do a few specific things now as a first step can free them up from feeling anxious about not knowing how to make every feature in the new tool work.

If you have colleagues who are particularly comfortable learning new tech, put them in a sort of MVP role. They can jump in, figure out what is most useful for how your team needs to use the tool, and then share the distilled version to everyone else.

Self-Care

Work Space

Short-Term
No one needs to tell you things are different during this time. Rushing out to buy new office furniture for what is an unknown amount of time or when many of us are feeling financial strains may not be realistic. However, if you are physically uncomfortable, you will not be able to do the vital work your community needs, either. Look for simple solutions using what’s already around you. Use that $10 cushion from the couch to turn a hard wooden chair into something more comfortable. A dog food bin can double as a part-time standing desk on top of your kitchen table. A cheap TV tray gives you a working surface while sitting on the couch. These are all things I’ve done, by the way. Allow yourself to get creative.

Long-Term
If what you are looking at is a more long-term shift, then you will want to look at more sustainable solutions. This doesn’t have to mean moving to a new house so you can have an extra room to dedicate to an office. But you will want to think about a desk, second monitor, and small things that help you be at your best. You’ll also need to think about ways you can separate your work sphere from your personal sphere when they physically overlap. For me, I roll a small standing desk into a closet and physically shut the door on work.

Schedule

Short-Term
There’s no need to pretend your work schedule is the same as usual, it’s just in your home now. The sooner you accept this and start identifying ways to still get work done while attending to the other essential needs in your life, the less stressful your new situation will feel. Maybe you work for a few hours before everyone else wakes up. Maybe lunches and breaks take longer as you are now also preparing meals for kids, or caring for others who are ill. Allow yourself the flexibility that is needed, and be sure to recognize and support these needs for others on your team.

This heightened overlap of spheres may bring each of us into the personal lives of our coworkers, and it might not be something that comes easily for everyone. Empathy for yourself and others is more important than ever.

Long-Term
On a long-term basis, you will need to find a routine that works for both you and your organization. Specifically, what that looks like will depend on the particular context of those two elements unique to each situation. All those tips of dress for work, get up and move (often), and deliberately seek connection all still apply. They just need to be implemented more systematically.

Boundaries & Expectations

Short-Term
When you make a sudden shift to working from home, it’s clear that whomever you share your living space with has to also adjust to spending more time with you. Be it partners, kids, extended family members, or pets, this is likely new and challenging for everyone.

Setting clear boundaries can help everyone understand how to be supportive of each other and still interact to get needs met. Simple things like, “When the door is closed, it means I am on a call. When it is open, I can chat.” Or what your schedule is for the day. “I have a call for the next hour, but then after that am doing project work, so I can swap locations so you can do your call in the quiet space.” Don’t bother explaining to the pets. They’re more than okay with the change.

Long-Term
Longer-term, this becomes easier as it actually becomes more of a norm than something unusual. However, helping friends and family understand the difference between “I am freelance and am totally able to drop everything in the middle of the day vs. I am remote and still work a set schedule,” can be helpful.

Managing Remotely

Short-Term
There are three elements that I think can be helpful for folks suddenly managing others remotely to focus on: Support, Connection, and Communication.

Support in terms of making sure folks have what they need (devices, new tools, or increased flexibility) to continue being successful at their job. This doesn’t have to mean buying everyone a new computer, but you may need to invest in licenses for some new software or smaller things like that.

Connection in terms of being deliberately about giving time and attention to individuals. How many times a day would you usually have a quick in-person interaction in the office? I am not saying jump on a video chat just to make passing eye contact five times a day. But do take the time to make sure they are getting the right amount of human connection they need.

Communication in terms that folks want to know what is expected of them and what things are changing. Leaving space for conversation to flow both ways helps you understand your team’s changing needs.

Long-Term
If you’re making a permanent shift, there is a wide range of tips and strategies you can use to effectively manage remote and distributed teams. These often require larger-scale changes in policy, organization culture, and other elements than this post can cover.

Open Office Hours

Looking for an opportunity to share a few of your own tips and tools or ask specific questions? Join us at one of our upcoming open office hours to keep the conversation going. Drop by for the whole time or just a few minutes to get your questions answered.

Like all nonprofits, Tech Impact continually struggles to balance cybersecurity against cost, time, and user frustration. Unfortunately, there isn’t a lot of room for error! With access to hundreds of nonprofits’ systems, Tech Impact is an attractive target for criminals, activist hackers, and even government agencies. We take our mission seriously and put as much as we are able to secure our environments.

On the other hand, as security experts ourselves, we are quick to spot the difference between what “they say” you should do and what actually makes us more secure. In this post, I’ll share a subset of our security practices so that you too can do more than check the box.

Policies

You’ve heard it before (probably from us) but having written policies is an essential part of any cybersecurity strategy. The trick is to have a specific goal in mind for every policy and to keep the document itself short and to the point. Here are some of the goals and policies that your organization should likely have:

Goal Policy
Be able to hold staff accountable if they use systems or computers in an inappropriate way. Acceptable Use Policy
Educate staff about how to store and share sensitive information Data Sharing & Storage Policy
Make sure risky data isn’t kept forever Retention Policy
Educate staff about how to create, manage, and share passwords Password Policy
Ensure staff understand the potential ramifications (wiping devices if staff leave) of using a personal device for work activities Bring Your Own Device Policy
Prevent staff from transferring money or data based on impersonated emails. Approval Process for Bank & HR Data Transfer
Limit the number of administrators in our systems Administrative Access Policy

One goal of our policies is to allow us to discipline staff who won’t take security seriously. But generally speaking, we don’t expect our policies to guarantee that our staff stays safe. Instead, we use them to educate staff about how to be safe using the tools available to them.

Training

To get staff actually to be safe, we rely much more on training and awareness. Being secure means making the right decisions dozens of times a day. Every time we email a client or share a file, we have to evaluate the risk and take appropriate safety measures. The high frequency of these decisions means that we can’t expect our staff to look up and follow complex policies.

Instead, we teach folks regularly about who might want to attack us, why those attackers are interested in us, and how those attacks are likely to happen. By educating about our actual threats instead of imagined or possible risks, we keep our staff paying attention. That’s why we focus on password strength, phishing attacks, and impersonation attacks and not on protecting against NSA EMF monitoring.

At Tech Impact, our learning culture doesn’t lend itself to formal training. Besides some mandatory training for staff dealing with sensitive data (like HIPAA-regulated data), we mostly don’t force our staff to sit down for training. Instead, we regularly send emails and chat messages to the team with information about attacks we have intercepted or articles that seem relevant. This constant drip of information keeps folks on their toes.

One formal approach we do recommend is to use a third-party phishing penetration service like KnowBe4. Using the service, you can send your staff simulated phishing emails. Folks who fail the tests (by handing over their username and password) can be required to complete additional security training.

Escalation

Between our policies and constant communication, our staff is definitely paying attention! But paying attention isn’t enough by itself if folks don’t know what to do when they encounter something suspicious. At Tech Impact we’re lucky to have a resident security team. Our staff has been trained to forward emails or send questions to the team anytime they are worried about something that came in. By making it easy to report an issue and get help, we have dramatically increased engagement and often prevent staff from taking risky action.

For your organization, this might mean sending one person to security training, or it might mean sending questions to your support provider. However, you approach this make sure to keep a record of the kinds of questions and issues that come in so that you can identify trends and create better training.

Technology

Only now is it worth talking about technology. In truth, technology is important but not enough. Staff and attackers will always find a way to get around anything you put in place. Your best bet (at least for organizations that aren’t facing activist hackers or hostile governments) is to focus on policies, training, and escalation.

But if you’ve handled the basics, or if you are at particular risk, technology can absolutely help your organization stay safe. There are lots of resources out there about cybersecurity technology, so I’m not going to reinvent the wheel. But I will share with you some of the tools that we use. Note that this is only a portion of the technologies we use at Tech Impact to stay safe.

For Everyone

Some of the cybersecurity tools we use are foundational and should be used by every single nonprofit out there. Nothing listed here is particularly complicated or expensive, so don’t wait!

  • Software Updates & Anti-Malware: You should know this by now, but most malware-based attacks use known issues that have already been patched. Keeping your computers up to date and using Anti-Malware software is a foundational need for every nonprofit.
  • Multi-Factor Authentication (MFA): The single most effective thing you can do to keep your organization safe from account compromise. In addition to a username and password, your staff uses a separate code from an app or SMS text message to log into systems. This will almost eliminate the risk of phishing attacks.
  • Single Sign-On: Use Office 365, Google Apps, Okta, or another cloud identity provider to let your users log into all your systems with a single username and password. This enables you to enforce MFA across all your tools and lock all accounts down from once place. Any software you’re using that supports the SAML standard can be integrated for Single Sign-On
  • Device Encryption: Encrypt your devices so that no one can read data off them even if they are lost or stolen. This is free and easy for Android, iOS, Mac OS, and most Windows computers!

For Many

For organizations that have some compliance needs (HIPPA, etc.) or are dealing with otherwise sensitive information, there are some basic tools that can make a big difference without a considerable cost.

  • End-to-End Encrypted Email: Allows you to send social security numbers, healthcare information, passwords, and other sensitive information via email. You send a standard email, but recipients get a simple email with instructions to use a secure web portal to respond.
  • Data Loss Prevention (DLP) Scanning: Scans outbound email, shared files, or files stored in semi-public locations for sensitive information like social security numbers or bank account information. This is an essential backup to your policies educating folks on how to safely store and transmit data.
  • Device Management: Lets you monitor devices remotely and make sure that they are kept up-to-date, encrypted, and secure. It also allows you to wipe them remotely if they are lost or stolen.

For a Few

There are a lot of things we do at Tech Impact because we are at high risk. These aren’t things I would recommend for everyone.

  • Conditional Access: Prevent devices from downloading files or syncing data if they aren’t enrolled in your device management platform. This keeps the staff from saving data to devices that aren’t encrypted or that you don’t own.
  • Advanced Multi-Factor Authentication: Text-message based multi-factor authentication is not secure against a determined hacker. We use code-based MFA from our mobile phones and are exploring U2F and certificate-based MFA to make ourselves even more secure.
  • Centralized Log Analysis: We send all of our logs to a system that looks for unusual behavior. If someone logs in from an unusual location or downloads more files than usual, our security team gets an alert and can investigate.

Wrapping Up

As a technology nonprofit, we know that there are limits to what technology can do to keep us safe. That’s why we use this multi-layered approach that includes policies, education, escalation, and technology. Staying safe is a constant balancing act, and it’s important to remember that some action is always better than no action.

We’re mapping the nonprofit cybersecurity landscape—and we need your help.

NTEN, in partnership with Microsoft, has produced the first State of Nonprofit Cybersecurity Survey, which asks nonprofits what steps they’re taking to protect their organizations and clients.

Your answers to these questions will help us understand:

  • the policies and procedures your nonprofit has for who and how people can access your systems,
  • to what extent nonprofits are using technology to protect their systems,
  • what kind of training is offered to nonprofit staff, and
  • how the way nonprofits operate contributes to cybersecurity vulnerabilities.

Your contributions will be anonymized and used in aggregate to produce this landmark report, to be released this fall. Organizations like NTEN will use this data to inform their training and support programs, so we can help the sector better protect its systems and the data our clients have entrusted us with.

And you don’t have to be technology staff to take the survey! If your organization doesn’t have an IT team, we still want to hear from you.

The survey will take about 10 minutes to complete, and participants can elect to enter to win a registration to the Nonprofit Technology Conference or an NTEN course of their choice.

Take the survey today.

 

Back in 2012, we implemented an organization-wide password manager here at NTEN, finally replacing our comically insecure “Shared Passwords” document, and the all-too-common practice of reusing the same password across a variety of different sites.

The idea of using a password manager had been on our radar for several months, but we had any number of excuses for why “now” wasn’t the right time:

  • We’ve never had issues with our “Shared Password” document to this point.
  • No hacker wants access to our accounts as a small nonprofit, so “admin” is a fine password to keep using everywhere.
  • There are a lot of reports saying password managers themselves can be insecure.
  • We already have too many systems, so I don’t want to force staff to learn yet another one.
  • We’re too busy right now, so maybe we can implement this next year.

While some of these ideas may have contained grains of truth (e.g. password managers aren’t a perfect defense), they all quickly fell flat once we’d experienced the time-saving and security benefits of using a password manager.

Five years later, it’s not exaggerating to say this change may be the most significant stress-reducing and time-saving policy I’ve ever put in place at NTEN since I started working here more than 10 years ago.

Step 1: Make the decision

If you’re not part of the leadership team, you’ll need to convince someone who is to help you champion this project. Figure out who that person will be, and make sure they’re on board.

Step 2: Pick the right password manager

Security experts can’t agree on which password manager is the “best,” so as a non-security expert I’m in no position to help you with that decision. That said, as long as you pick a tool that’s well established, well reviewed, and has a history of being transparent and quickly fixing any security holes, you can’t really make a bad choice.

The other thing that will help is figuring out any must-have features that may be unique to certain tools. Your budget may be another factor depending on your needs. Many of the most popular tools do offer free versions, but proper implementation for your nonprofit may require a paid Pro or Enterprise license.

Here are a few features I wouldn’t have known to look for initially, but have proved quite valuable over the years:

  • Ability for the administrator to:
    • set specific security policies to meet your org’s needs (e.g. password length, multi-factor authentication, remember me settings)
    • take over a user’s account and remove access to shared passwords when an employee leaves
    • reset a user’s master password if needed
  • Shared folders or security groups to easily manage who can access specific shared accounts
  • Ability for staff to link a personal account to the organization’s account to improve workflow, but without mixing personal data with the organization’s data (since once staff see the benefits at work, they’ll likely want to start managing their personal accounts the same way).

Step 3: Create an implementation plan

Once you’ve decided on a tool, the next step is to create a plan for launching this tool across your organization. This is where having the champion you found in Step 1 will be helpful.

You’ll need a detailed implementation plan that documents the on-boarding process for users, organization-specific policies for how to use the tool, a migration plan to bring all your existing accounts into the tool, and finally, a plan to purge all your old, insecure passwords and replace them with secure, unique passwords.

Testing out the tool yourself is a great help in creating this plan. While you should make it as detailed and complete as possible, keep in mind that it’s a first draft and will almost certainly require substantial revisions after the next step.

Step 4: Do a trial implementation with a small team

There’s no quicker way to sour your co-workers on a new system than a poorly delivered implementation. If a new tool adds to their stress or workload, as soon as you turn your back, they’re going to stop using it and go back to what they know.

To avoid this potential landmine during NTEN’s implementation, I chose a small group of trusted staff members to help test out my plan prior to the big launch. This exercise helped me identify and fix several incomplete or rocky patches in my plan. Perhaps more importantly, it also created a committed group of converted staff that were able to help answer questions and train other staff later.

Step 5: Launch it to the whole organization

Now that you have your revised and improved plan in place, along with a small team of staff eager to see this new tool implemented, you’re ready for the official launch. There are sure to still be unanticipated bumps in the road, but as long as you have the right people on board and have carved out the time to make sure everyone is trained effectively, your coworkers should quickly start seeing the benefits of the new tool.

This is where all the work you’ve done is rewarded, often with glowing smiles and relieved sighs emanating across the office as users realize the burden of remembering countless passwords has been lifted, and that their accounts are actually going to be significantly more secure.

Step 6: Provide continued training and improvement

Bask in the joy of accomplishment for a few minutes, but then get back to work. While it may seem like everything is safe, easy, and wonderful after implementation, it’s critical you don’t become indifferent to the risks that still exist. In reality your users are all going to have different levels of adoption, and your organization is only as safe as your least secure user.

To combat this, most password management services have tools you can use to monitor how secure each user’s account is (e.g. master password strength, reused passwords, multi-factor authentication usage), so you can use those to identify and follow up with any users who seem to be falling behind the curve.

You’ll also need to keep your policies up to date to match new needs or discovered security risks, and offer routine refresher trainings to staff. For example, I’m pondering removing the mandatory password change requirement from our policy and replacing it with mandatory multi-factor authentication. And don’t forget to keep staff trained about related risks like phishing and baiting.

Conclusion

If you’ve read this far, but still haven’t made the decision to implement a password management system for your organization, please make that decision now.

Seriously though, whenever I read a “password best practices” type of article and their first piece of advice isn’t to use a password manager (which surprisingly is the majority of them), I cringe a little for anyone who’s still attempting to follow all those oft-repeated rules on their own (such as using a passphrase, changing your passwords every 30/60/90 days, or using a combination of letters, numbers, and symbols).

Those rules all still make sense of course, but in 2017—when we all have hundreds of different accounts across the internet—it’s impossible for any mere mortal to actually follow all those rules to the letter without a password manager.