Forgot password?


3 policies to consider this World Password Day

Today is World Password Day and while last year we detailed how to make your password policy as secure as possible, this year we’re highlighting the other policies that need to be in place to support your security and business continuity strategies. Passwords are incredibly important as a first line of defence and will continue to be a mainstay of our digital lives for a while. Yet without policies around devices, data and emails to support good password hygiene, a security posture will struggle to succeed. 

Password policy 

According to the latest Cyber Security Breaches report from UK government, 75% of businesses and 57% of charities have a password policy in place to ensure that users set strong passwords – making it one of the most frequently deployed rules/controls within a cybersecurity posture. A password policy should include strict guidelines on how often a team should change their password – ideally at least once every three months – as well as regulations on the length of the password. In fact, passphrases are becoming increasingly popular and are far more difficult for hackers to crack than the traditional one or two words.  

BYOD policy 

BYOD (Bring Your Own Device) is definitely the way forward. From a business perspective, it has allowed organisations to continue running productively in one of the most challenging times UK industry has faced. However, from a security angle there are some complications. 

Introducing a BYOD strategy could mean that an organisation begins to lose full ownership over its IT environment. A policy to manage the security challenges therefore needs to implement technical controls to dictate and mandate how a device is being used e.g., if an employee accesses certain types of data, the company has the permission to delete or remove this information through mobile device management or application device management. Alternatively, organisations can leverage a VDI (Virtual Desktop Interface) environment wherein a personal laptop becomes the dumb terminal that can access a condensed and secure virtual workspace through a cloud gateway. However, there is not a one-size fits all BYOD policy. What works for one organisation may be entirely un-secure and un-productive for another and this is down to its network architecture. 

‘OOO’ policy 

The recent cyberattack against the online retailer Funky Pigeon demonstrates that the retail sector has a big target on its back. Yet it is the timing of this breach that is particularly interesting: targeted ahead of the four-day Easter weekend, when fewer staff will have been working and therefore less likely to detect and respond to the attack. 

Looking ahead to summer, when ‘Out of Offices’ (OOO) are more frequent, organisations should be looking with greater urgency to implement proactive security measures to protect themselves. An ‘OOO’ policy should include advice around avoiding sharing any personal details in an automatic email, avoiding disclosing an end-date that would imply the length of the holiday and changing the message depending on the recipient (internal vs. external). Any potential threat actors will therefore have less information to use to their advantage if they try to strike during the holiday period.  

Back-up policy 

Data back-ups have traditionally been fundamental for business continuity. Yet, with over 620 million ransomware attacks detected in 2021, they are becoming less effective in the fight against cybercrime. There are various reasons for this, most crucial of which is that back-ups do not actually protect an organisation from being breached – they simply reduce the impact when it occurs by providing a recovery strategy. Organisations also rarely optimise their back-up policy, with research finding that less than half are backing up daily. And when procedures are followed, it is important businesses understand that even encrypted data back-ups can still be extorted and held to ransom by hackers. It is important that back-up policies acknowledge the issues with leveraging this technique for security purposes, and ensure that while regular back-ups are essential, this solution is for recovery post-attack rather than an initial defence against cybercrime. 

To stay on top of the various policies and technical controls integral to protecting and restoring your business, organisations can benefit from working with a certified security partner. This means having access to greater expertise and resources, as well as drawing on the aggregate value of cyber professionals with extensive knowledge of the threatscape. For support with your cyber security policies, get in touch with DigitalXRAID today. 

Cyber Security Experts

Accredited and regulated, we're in the top 1% of cyber security agencies globally

Crown Commercial Service Supplier Cyber Essentials Plus ISO 27001 BSI ISO 9001 CHECK NCSC Cyber Incident Response CREST

We’re trusted by the UK Government as Crown Commercial Service providers as well as being accredited by two of the leading cyber security governing bodies. Our ISO9001 certification means you can rest assured our processes and approach are market leading.

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.

Speak To An Expert


Get In Touch

[contact-form-7 id="5" title="Contact Us Form"]