How to evaluate a password management solution for business
Password managers are one of the most powerful defenses against breaches, which can cause massive damage and be incredibly expensive to mitigate. According to the Ponemon Institute’s 2019 Password and Authentication Security Behaviors Report, 51% of respondents experienced a phishing attack in their personal life and 44% experienced a phishing attack while at work.
Shockingly, 57% of these victims did not change their password behaviors. That’s why every company, regardless of size, should consider implementing a password manager to ensure company security.
When businesses invest in a password manager, they are encouraging employees to practice healthy password habits and easing the process of securely sharing passwords. It is much less costly to prevent data breaches by layering security measures with tools such as a password manager and an SSO solution than it is to clean up after one occurs.
If a business is considering rolling out a password manager, there are a few things to consider when evaluating the options.
Security: buy versus build
Often, company executives view building a proprietary password manager as more secure than trusting sensitive data to third-party providers. For the majority of companies, the benefits do not outweigh the cost and risks.
Dedicated password management providers have entire teams solely focused on security. Any reputable company is subject to regular audits. Most enterprises do not have the resources to devote this kind of 24/7 protection to their password managers. Hackers know this, which is why these kinds of custom, in-house programs can make companies an even bigger target.
If a business can match the industry standard for security with its own password manager, then security-wise, a custom-built solution could be a viable option. Otherwise, enterprises should invest in a third-party solution.
A business password manager should be easy for employees to use. Many think of usability as a secondary concern, but if the password manager isn’t well-designed and easy to use, then employees won’t use it properly or at all. The solution should integrate seamlessly into their workflow and, hopefully, make their jobs even easier.
Accessibility goes hand in hand with usability. The chosen solution should be available across all employees’ devices, whether for work or personal use. Encouraging workers to form good password habits in their day-to-day life increases the likelihood that they will bring that mentality to the workplace as well.
Employees should be able to easily add or migrate existing passwords to the password manager without any hassle or fuss. What’s more, the password manager should have the ability to capture passwords on the fly as employees are going about their work.
Furthermore, password managers can be very effective when coupled with SSO. Single sign-on can be time-consuming and expensive to roll out, but it is an excellent way to protect companies from cyberattacks. Pairing SSO with a password manager, which should be easy and quick to deploy, is a smart way for businesses to protect their most important data and their customers’ as well.
A business’s password manager of choice should fit effortlessly into an existing security framework. Many password managers allow businesses to provision employees using the services they have in place, such as Okta or Active Directory.
Consider the following questions: will different teams be able to store their passwords successfully? Can passwords be stored in separate locations or groups within the password manager? Administrators should be able to control who has access to internal materials, and determine which credentials should only be available to a select few.
These advanced features and permission controls can make scaling from 10 employees to 100 or 1,000 much less difficult and time-consuming. If a password manager does not provide these kinds of fine-tuned permission controls and reporting, then scaling the solution will be cumbersome and unwieldy.
Once a company has narrowed down its search based on security and usability, the team should evaluate the password management solution for the specific features they need. For instance, enterprise accounts should come with premium support, so in-house IT departments can feel confident in referring employees to the provider’s support staff knowing they will get a timely response and meaningful outcomes.
Today’s global workforce adds numerous and continuously expanding challenges. Companies need to make sure the password manager they select is offered in the languages their employees speak. Businesses should also check whether the password manager retains previous versions of passwords. Additionally, most companies are encouraging or strictly implementing two-factor authentication, so it is important to note that some password managers can act as authenticators.
If IT departments want to improve a company’s security with minimum fuss, then rolling out a password manager is a great way to accomplish that. However, if businesses prefer to build their own, they should evaluate the scope of work and make sure they have the money, time and resources to match the industry standard in security and usability. Either way, a password manager is a smart investment in any company’s secure future.