
The Softer Side Of Security

This article was first published on the NTEN Blog in April of 2010.

As the technical staff at our nonprofits, we wrestle with all sorts of complex security concepts: firewalls, encryption, network address translation.

But here are three quick questions:

  • Would you spend $10,000 on a security system for your building, and then set the access code to “12345”?
  • Would you set the administrative account name and password to your network to the same thing that five other companies in your building use?
  • Would you allow an outside vendor to manage your network without sharing the passwords with you or anyone else at your organization?

I’ve seen all three of these situations occur, the first two at commercial law firms, the latter at a large nonprofit [disclaimer: not the one I work for now!]. There are some infamous and true stories of clever hacking that played on the human side of security, such as the teenagers who took a couple of clipboards and interviewed people in the lobby of a large office building under the guise of a school project, in the process collecting birthdays; kids’, spouses’ and pets’ names; street addresses — all things people commonly use as the base for their network passwords.

But all of the sophisticated systems in the world offer little more than a Swiss cheese defense if we don’t have good organizational policies to address the human side of security. And even that’s a little tricky, as policies that are too complex for staff to easily comply with will be subverted in ways that open more security holes.

A sustainable password policy requires that passwords be:

  • Of a decent length (7-15 characters);
  • Comprised of a mix of letters, numbers, and/or additional characters, preferably with mixed case;
  • Not based on data that can easily be associated with the user, such as kids’ names or the TV show that they often discuss online; and
  • Not so obscure (as in “6T5re#bb77l”) that they can’t be easily memorized — that’s a recipe for password post-its!
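As an added illustration (this is not code from the original post), here is a small Python checker for the policy above; the substitution table and the sample personal terms are assumptions, and the “not too obscure” rule is left to human judgement since it cannot be measured mechanically:

```python
import re

# Policy from the post: 7-15 characters; a mix of letters, numbers and/or
# other characters, preferably mixed case; nothing derived from data that is
# easy to associate with the user (kids' names, pets, a favourite TV show).
MIN_LEN, MAX_LEN = 7, 15

# Common symbol-for-letter substitutions people use to "disguise" a name
# (Sp@rky, Fl0ffy). Assumed table, not from the post.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(text: str) -> str:
    """Lower-case, undo common substitutions and drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def check_password(password: str, personal_terms=()) -> tuple:
    """Return (errors, warnings). An empty errors list means the password passes."""
    errors, warnings = [], []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errors.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_other = any(not c.isalnum() for c in password)
    # At least two character classes: letters plus digits and/or symbols.
    if has_alpha + has_digit + has_other < 2:
        errors.append("must mix letters with digits and/or other characters")
    # Mixed case is "preferred" in the post, so it is only a warning here.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        warnings.append("mixed case is preferred")
    # Reject passwords built on personal data, even when disguised (Sp@rky2009!).
    norm = _normalize(password)
    for term in personal_terms:
        t = _normalize(term)
        if len(t) >= 3 and t in norm:   # skip very short terms to avoid noise
            errors.append(f"based on personal data: {term!r}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: the user's pet and a birth year, as an HR record might hold.
    print(check_password("Sp@rky2009!", ["Sparky", "1978"]))
```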

In addition to maintaining a secure password policy (and enforcing it with network policy automation), staff should be resourced with tools to manage passwords.

There are numerous free or inexpensive applications and services that offer encrypted, password-protected storage for the collection of passwords. Looking for the ones that synchronize to a mobile app will add additional convenience.

From the management level, a best practice is for the lead in IT to print all passwords, seal them in an envelope, and give it to the CEO or HR executive at the organization, repeating (with secure destruction of the outdated list) as passwords change. Twice in my career as a CIO/IT Director, I’ve walked into situations where my predecessors left mad, and took all of the system password information with them, leaving me, initially, unable to manage the networks that I’d been hired to oversee. Don’t put your nonprofit’s work at risk by omitting this type of failsafe.

All of the port blocking, proxy servers and point-to-point tunneling on earth won’t protect you from the person who clicks on a malicious link in an email. Only education, communication, and support will address those security holes, and no security plan can be considered valid if it doesn’t incorporate policies along with the technical protection.

Keys to the Kingdom

This post was originally posted on the Idealware Blog in December of 2008.

Being a career nonprofit IT type, I’ve repeatedly had the unpleasant experience of walking into a new job, only to find that critical information, such as software licenses and server passwords, are nowhere to be found. So before I can start to manage a new network, I have to hack it. This sort of thing happens in other industries as well, but it strikes me as something that plagues nonprofits. On one extreme, we might have staff who become bitter and malicious as they depart, destroying records and withholding passwords. But even if the situation isn’t that dramatic, keeping track of sensitive, critical data is a bit tedious, and concerns about security and confidentiality make it additionally complex. Protecting and keeping this information available to the staff that need it can save a lot of time, money and frustration. Here are some suggestions:

Follow procedures: in tight budget and staffing conditions, the approach to IT management is often reactive and chaotic. Many key NPO IT Managers came into the role as “accidental techies”, which implies that many nonprofits only support technology by accident. In an environment where the Office Manager, Donations Clerk or a volunteer ends up deploying the servers and installing applications, it’s a safe assumption that there aren’t well-crafted IT policies in place. In this environment, losing critical passwords — or even failing to ever write them down — can be a regular occurrence.

Involve all stakeholders: don’t assume that your IT staff – who are already struggling to juggle the big projects with user support – are keeping good records. Audit them, assist them and back them up. Finance can take a role in tracking license keys along with purchase records. And far too many nonprofit executives don’t even ask for the system passwords. There is no good reason – no matter how many a tech might come up with – why the CEO or head of security shouldn’t keep an updated, sealed envelope with key passwords in the safe in case of sudden turnover or emergency. I’ve worked with a lot of techies who would scream about this. “The CEO can’t have the password! They’ll delete files! They’ll mess it all up!” Well, the CEO shouldn’t use the password. But they should definitely have it.

Foster a culture that allows technology staff to succeed: in two of my personal cases, the staff before me had left en masse and bitterly. They took the main network password with them and wiped out a lot of the IT records. Clearly, this is immature and unprofessional behavior. I wouldn’t think to defend it. But the circumstances that lead some immature techs to be resentful and abusive can be fostered by certain work conditions. If you are a nonprofit executive, there are some things that you can do to create an environment that is less conducive to bitterness and abuse.

  • Have realistic expectations for IT. If you don’t know how easy or hard it is to, say, upgrade a server or roll out a CRM system, don’t make assumptions. Hire a consultant, get a sense of what’s required, and adjust your expectations accordingly.
  • Participate. Have all staff participate in technology planning and adoption. There are people who install systems and there are people who use them. The installation has to be a joint process. Techs cannot be held accountable for determining users’ needs, and users cannot be solely responsible for evaluating technology. Whenever IT buys the system without user input, or users pick a system without technical oversight, the relationship between IT and staff becomes strained. Joint responsibility and accountability for system choices is required for a healthy environment.
  • Be appreciative. Tech support can be a very thankless job, and the smaller the staff and budget, the less rewarding. When your computer stalls or malfunctions, it can be frustrating. Even if you, personally, don’t take that frustration out on the tech who comes to fix it, are the rest of your co-workers that patient?
  • Don’t hire extremes. When hiring technical staff, assess their people skills. Make sure that their focus is on how technology supports the org, not strictly on the technology. At the same time, assess the non-IT staff for their technical skills, and hire people who are competent and appreciative of technology. We are long, long past the day when all computer support and expertise could be delegated to the IT Department.

It boils down to organizational culture and priorities. The hectic, resource-strained environments that many of us work in aren’t conducive to good record-keeping habits. This problem is bolstered by the general case where upper management is, for various reasons, ranging from misplaced faith to technophobia, not thinking of IT as a keeper of critical organizational records. But the truth is that a failure to keep it all written down is inevitably going to cost you, in dollars and productivity. The best solutions are holistic – create a culture where accountability for organizational assets is clear to all and shared by all, and, in particular, understand enough about the technical demands put on your IT staff – accidental and otherwise – to allow them to prioritize the small stuff along with all of the big projects and constant fires they put out.