These days safeguarding your business isn’t just about locking the doors at night—it’s about securing all the virtual gateways that protect your company’s most valuable assets. The National Institute of Standards and Technology (NIST) has recently updated its guidelines on digital security, specifically around authentication, to help organizations bolster their digital defences. Understanding these recommendations on passwords, multi-factor authentication (MFA), and identity and access management (IAM) is crucial for senior management and business owners aiming to protect their firms.
Passwords: From Complex to Memorable
Traditional wisdom has been to enforce complex password rules—requiring a mix of uppercase letters, numbers, and special characters, and prompting frequent changes. However, NIST’s latest guidance suggests a shift in this approach. Think of a password like a key to your office. A complex key with an intricate design isn’t necessarily more secure if it’s hard to use and easy to lose.
NIST now recommends longer, easy-to-remember passphrases over complicated passwords. For example, a sentence like “Maple Leafs might just win this year” is both lengthy and memorable, making it harder for bad guys to crack but easier for your staff to remember. This approach minimizes the frustration of forgotten passwords and the risky habit of writing them down or using the same password across multiple accounts.
Moreover, NIST advises against mandatory periodic password changes unless there is evidence of a breach. Frequent changes can lead to predictable patterns or staff resorting to simple, less secure passwords. For example, at one of my previous engagements at a financial services firm we discovered staff using passwords like “Mysupersecurepassword1!” and “Complexpassword#2”. By allowing stable, strong passphrases, you can substantially improve security while enhancing user experience.
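To make the contrast concrete, here is an added example (not from the original article) that checks the passwords quoted above against a traditional composition-rule policy and against a NIST-style policy that relies on length plus a blocklist of common or previously breached passwords; the blocklist contents are constructed for the demonstration.

```python
import re
import unicodedata
from typing import Tuple

# Constructed sample blocklist. In practice this would be a list of
# commonly used, expected or breached passwords (NIST SP 800-63B).
BLOCKLIST = {
    "password",
    "qwerty123",
    "mysupersecurepassword1!",
    "complexpassword#2",
}


def legacy_policy(pw: str) -> Tuple[bool, str]:
    """Traditional rules: at least 8 chars plus upper, lower, digit and symbol."""
    if len(pw) < 8:
        return False, "length must be at least 8"
    checks = {
        "uppercase": re.search(r"[A-Z]", pw),
        "lowercase": re.search(r"[a-z]", pw),
        "digit": re.search(r"\d", pw),
        "symbol": re.search(r"[^\w\s]", pw),   # punctuation, not spaces
    }
    missing = [name for name, hit in checks.items() if not hit]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "ok"


def nist_style_policy(pw: str, blocklist=BLOCKLIST,
                      min_len: int = 8, max_len: int = 64) -> Tuple[bool, str]:
    """NIST-style rules: length bounds and a blocklist, no composition rules.

    Spaces and any printable character are allowed, so passphrases pass.
    No forced rotation is modelled here; rotation happens only on evidence
    of compromise, which is an operational decision outside this check.
    """
    pw = unicodedata.normalize("NFKC", pw)   # compare in a canonical form
    if not min_len <= len(pw) <= max_len:
        return False, f"length must be {min_len}-{max_len}"
    if pw.casefold() in blocklist:
        return False, "found in blocklist of common or breached passwords"
    return True, "ok"


def compare(pw: str) -> dict:
    """Return both verdicts side by side for one candidate password."""
    return {"legacy": legacy_policy(pw), "nist_style": nist_style_policy(pw)}
```

Run `compare("Complexpassword#2")` and `compare("Maple Leafs might just win this year")` to see the legacy rules accept the weaker password and reject the passphrase, while the NIST-style check does the opposite.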
Multi-Factor Authentication: Double-Checking Access
Imagine entering a high-security building where, besides showing your ID card, you’re also required to provide a fingerprint scan. This two-step process ensures that even if someone steals your ID, they still can’t get access without your fingerprint. This is the essence of multi-factor authentication (MFA).
MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a system. Consequently, incorporating MFA significantly reduces the risk of unauthorized access. Common methods include something you know (a password), something you have (a mobile or security token), and something you are (biometric data like a fingerprint or face ID).
For instance, after entering a password, the user might have to acknowledge and approve the login on their mobile device to complete the process and get access. Even if a cybercriminal obtains the password, they can’t access the account without the second factor. Implementing MFA is like adding an additional lock to your digital door—one that only you can open.
MFA implementations range from simpler options, such as one-time passwords (OTP) sent by SMS to a mobile phone, to more secure ones such as passwordless authentication or passkeys. Your business’s risk appetite should determine the road you take.
Identity and Access Management: Controlling the Keys to the Kingdom
Identity and Access Management (IAM) is like a vigilant security team that controls who gets into which areas of your company and what they can do once inside. Best practices emphasize the importance of a robust IAM system to manage digital identities throughout their lifecycle—from creation to retirement.
A proper IAM system ensures that staff have appropriate access based on their roles. For example, a new marketing intern likely does not need access to the finance team’s documents, just as a receptionist doesn’t need to modify the company’s website. By assigning permissions using Role-Based Access Control (RBAC), you significantly minimize the risk of internal misuse and limit the damage if an account is compromised.
Onboarding and off-boarding employees are other critical moments that require deliberate processes. Just as you would collect office keys and revoke building access when someone leaves the company, you must quickly deactivate their digital credentials. Implementing automated workflows for these processes reduces the chances of oversight and enhances security.
Balancing Security with Usability
While strengthening security is important, it’s also essential to maintain a balance to make sure that protective measures don’t make the systems harder to use for your own staff. If security protocols are too cumbersome, staff will often find workarounds, resulting in new vulnerabilities and risk.
Imagine your business’s security like a well-designed airport. Passengers (your staff) move efficiently through checkpoints because the security measures are both effective and streamlined. They show their boarding passes and IDs, perhaps scan their fingerprints, but the process is smooth and makes sure they don’t miss their flight. The checks are strict enough to prevent unauthorized access but user-friendly enough not to frustrate legitimate travelers.
Similarly, your business should implement digital security measures that strike a balance between strong protection and ease of use. By making security practices intuitive and unobtrusive, you ensure that staff follow them consistently.
Investing in employee cyber awareness training is also critical. Educate your staff about the threats out there, your security processes, and how these measures protect both them and the company. When staff understand the “why” behind the rules, they’re more likely to follow them and become an asset to your defences.
Protecting Privacy
In an era where data is as valuable as currency, protecting personal information isn’t just a compliance requirement—it’s a trust imperative. NIST’s guidelines stress the importance of collecting only the necessary data for authentication purposes and being transparent about how it’s used. Think of it as asking for identification at a security checkpoint without unnecessarily photocopying and storing a copy of someone’s driver’s license. By minimizing data collection, you reduce the risk associated with data breaches and build trust with your staff and customers.
Looking Ahead
Cybersecurity isn’t a one-time setup; it’s an ongoing process that requires vigilance and adaptability. Regularly reviewing and updating your security measures in line with best practices such as NIST’s recommendations ensures that your defences remain effective against new threats.
Engaging with cybersecurity professionals, investing in the right technologies, and fostering a culture of security awareness within your business are all critical steps. Just as you adapt your business strategies to market changes, so too should your security strategies evolve to address emerging risks.
Implementing current best practices on passwords, MFA, and IAM is more than a compliance exercise—it’s a strategic move to protect your business’s future. By adopting these practices, you safeguard your company’s assets, maintain customer trust, and ensure operational continuity.
Today, security is everyone’s responsibility, but it starts at the top. As business leaders, your commitment to effective security protocols sets the tone for the entire organization. By making informed decisions grounded in trusted guidelines like those from NIST, you’re not just reacting to today’s threats—you’re proactively preparing for tomorrow’s challenges.
Embrace these changes not as hurdles but as opportunities to strengthen your business. After all, in a world where cyber threats are constantly evolving, staying ahead is the key to staying secure.