Questions You Should Ask Your IT: Passwords

Applying cybersecurity best practices to passwords with multi-factor authentication.

Holding Your IT Accountable for Passwords and Cybersecurity Best Practices.

Your IT person often tells you to change your password, use Multi-Factor Authentication (MFA), and avoid writing passwords on sticky notes. But have you ever wondered what their best practices are? Most business roles, like receptionist or office manager, don’t have much access to company data—not like your IT department.

Your IT team has top-level access to every server, router, folder, file, and program. They manage everything your company needs to operate. But what do they do with their passwords? Welcome to the first in our series, “Questions You Should Be Asking Your IT.”

Password Management in IT

As an IT system administrator with over 15 years of experience, I’ve seen it all. Some businesses have full IT departments, some have just one IT person, and others have someone handling IT who rebooted a router once. IT involves managing many passwords: computers, network devices, Wi-Fi, backups, email servers, Office365, Google, and more.

You’d think these passwords would be stored in a safe, encrypted password vault, but that’s not always the case. IT professionals can be bad at documenting passwords. I’ve been called in for emergencies, like when a company’s sole IT person passed away. I found all passwords—from user accounts to critical systems—stored in the Notes app on his iPhone, tied to a personal iCloud account, not managed by the business.

If I were you, I wouldn’t Google how often iCloud accounts have been hacked. It’s a reminder of why proper password management is important.

Questions to Ask Your IT Department About Passwords, Cybersecurity, and Multi-Factor Authentication

  1. How Often Do You Change Your Passwords?
    It’s common advice to change passwords often, but how often does your IT department follow this? For critical systems, IT should change passwords every 60 to 90 days. This lowers the risk of unauthorized access and ensures compromised credentials are quickly useless.
  2. What Password Management Tools Do You Use?
    Managing many passwords can be impossible without the right tools. Ask your IT team about their password management solutions. Industry standards like LastPass, Dashlane, or 1Password securely store passwords and help create complex, unique passwords for each system. You don’t want to hear that your company’s passwords are stored in personal accounts, web browsers, notebooks, or Excel sheets—anywhere not managed by the company. Passwords should always be stored in a safe, central place where the company can access and manage them, especially in emergencies. If passwords are in personal accounts, your company’s admin access could already be compromised and available on the dark web. Proper password management and documentation within company-controlled systems are crucial for security.
  3. How Do You Implement Multi-Factor Authentication (MFA)?
    Multi-Factor Authentication is crucial for security, but how does your IT department implement it? Do they use security keys, authenticator apps, or biometric solutions? Understanding their Multi-Factor Authentication approach can provide insights into best practices for protecting sensitive information. If they say they don’t have Multi-Factor Authentication set up because it’s “too hard to manage,” that’s a red flag. There’s always a way to implement Multi-Factor Authentication, and it is essential for securing systems. Relying only on SMS verification is also a concern, as SMS codes sent to personal phones can be easily intercepted. While SMS verification is better than nothing, it should be a last resort and tied to a company-managed number.
  4. What Measures Are Taken for Privileged Account Security?
    IT professionals have access to the most sensitive systems, so it’s vital to know how they secure their accounts. Do they use separate accounts for admin tasks? Are these accounts subject to stricter password policies and extra security measures? Privileged Access Management (PAM) solutions can monitor and control access to critical systems. Using the same username and password for everything is a sign of lazy IT practices and increases risk. One set of compromised credentials could provide access to everything. Think of your network as having multiple doors and levels; if one account opens every door to every floor, it’s a big security threat. Ensure robust privileged access management to protect your business.
  5. What Policies Are in Place for Former Employees?
    When an employee leaves, it’s critical to revoke their access promptly to prevent security breaches. Ask your IT team about their offboarding procedures. How quickly are passwords changed and accounts disabled? Effective offboarding policies are crucial for maintaining security and protecting company assets. When an IT person leaves, it’s not the same as a regular employee leaving where you simply disable their account. This individual had access to every confidential folder and file. They likely interacted with employees frequently and were given access to their passwords to fix issues. You must change every password on every machine, device, and user account. They know all the critical access points and credentials, leaving your company vulnerable if they decide to re-enter the network. Comprehensive security measures are essential to prevent unauthorized access and protect your company’s assets when an IT employee leaves.
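Question 1 asks whether IT actually rotates credentials on a fixed schedule and whether every system gets its own secret. The following is an added example, not code from the article or from Digital Boardwalk, showing what that policy looks like when it is enforced by a script rather than by memory: passwords come from the operating system's CSPRNG, are at least 16 characters long, are checked for reuse across the vault, and any entry older than 60 days is reported as due. The vault layout, system names and the reused password are constructed sample data; a real deployment would push each new password to the device before saving it to the company-managed vault.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Policy values taken from the article: 16+ characters, rotate every 60 days.
MIN_LENGTH = 16
MAX_AGE_DAYS = 60
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw a password from the CSPRNG in `secrets` with at least one lowercase,
    uppercase, digit and punctuation character. A draw that misses a class is
    discarded and redrawn, so the distribution is not skewed by patching."""
    length = max(length, MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def rotation_due(vault: dict, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> list:
    """Names of systems whose credential is at least max_age_days old."""
    cutoff = timedelta(days=max_age_days)
    return sorted(name for name, rec in vault.items()
                  if now - rec["rotated_at"] >= cutoff)


def shared_passwords(vault: dict) -> list:
    """Groups of systems that share one password. Under the policy this is empty."""
    by_password = {}
    for name, rec in vault.items():
        by_password.setdefault(rec["password"], []).append(name)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


def rotate(vault: dict, names, now: datetime) -> dict:
    """Issue a fresh password to each named system, rejecting any draw that
    collides with a secret already in the vault so every system stays unique."""
    for name in names:
        new_password = generate_password()
        while any(rec["password"] == new_password for rec in vault.values()):
            new_password = generate_password()
        vault[name] = {"password": new_password, "rotated_at": now}
    return vault


# Constructed sample vault (hypothetical hosts, not real credentials). Two
# devices share a weak password and are past the 60-day limit.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VAULT = {
    "core-switch-01": {"password": "Summer2023!", "rotated_at": NOW - timedelta(days=90)},
    "backup-server": {"password": "Summer2023!", "rotated_at": NOW - timedelta(days=61)},
    "reception-pc": {"password": "k9$Lm2#pQ7!vRw4z", "rotated_at": NOW - timedelta(days=10)},
}

if __name__ == "__main__":
    print("shared before rotation:", shared_passwords(SAMPLE_VAULT))
    due = rotation_due(SAMPLE_VAULT, NOW)
    print("due for rotation:", due)
    rotate(SAMPLE_VAULT, due, NOW)
    print("due after rotation:", rotation_due(SAMPLE_VAULT, NOW))
    print("shared after rotation:", shared_passwords(SAMPLE_VAULT))
```

Running the script on the sample vault reports the two shared, overdue entries, rotates them, and then reports nothing due and nothing shared; the same three functions make a good basis for a scheduled job that emails the "due" list to whoever is accountable.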

Digital Boardwalk’s Approach

  1. How Often Do You Change Your Passwords?
    Digital Boardwalk automates password changes for systems we access for clients. Every computer has a unique 16+ character password that updates every 60 days without human intervention. Network infrastructure passwords and personal computer passwords follow the same routine.
  2. What Password Management Tools Do You Use?
    We use a secure, encrypted, company-managed platform designed for storing passwords and documentation, which requires Multi-Factor Authentication for access. Our cybersecurity policies restrict access to our vault to company computers or managed devices only, preventing engineers from copying these passwords into unauthorized programs or personal accounts.
  3. How Do You Implement Multi-Factor Authentication (MFA)?
    At Digital Boardwalk, Multi-Factor Authentication is mandatory. Every login requires MFA, including logging into work-issued computers. Every platform we use is protected by secure, personalized codes that change every minute, ensuring strong security. You can find more about our MFA approach on our Cybersecurity Services page.
  4. What Measures Are Taken for Privileged Account Security?
    Our cybersecurity team is alerted whenever a new account with elevated access is created or when there’s an attempt to access an admin account. We use different accounts for each computer, server, network device, and website, each enforced with MFA. This means we have separate accounts for each type of access, maintaining high security across all systems.
  5. What Policies Are in Place for Former Employees?
    Our password vaults are accessible only from company-managed devices and can’t be copied to unmanaged devices. Despite this, we still change every password across our platforms instantly when an employee leaves. This includes passwords for routers, servers, websites, and more, ensuring there’s no delay. The moment an individual is no longer an employee, all relevant passwords are immediately updated.
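Question 4 and the answer above hinge on being alerted when an elevated account appears or when an admin account is used. The following is an added example, not code from the article or from Digital Boardwalk, of the detection logic behind such an alert, run over a handful of constructed audit lines in a simple key=value format (the hostnames, account names, group names and event names are all hypothetical). Three rules are applied: membership added to a privileged group raises an alert; the same event for an account created within the previous ten minutes is escalated, since a fresh account going straight into Domain Admins is the pattern that most deserves a phone call; and any login attempt against a named admin account is recorded, with successes ranked above failures.

```python
import re
from datetime import datetime, timedelta

# Hypothetical policy inputs: which groups and accounts count as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
PRIVILEGED_ACCOUNTS = {"admin", "root"}
NEW_ACCOUNT_WINDOW = timedelta(minutes=10)

# key=value pairs; values may be quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed datetime."""
    stamp, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines) -> list:
    """Return alerts as dicts, in log order. Tracks account creation times so
    that 'created then immediately elevated' can be escalated."""
    alerts = []
    created_at = {}
    for line in lines:
        ev = parse_line(line)
        kind = ev.get("event")
        if kind == "user_created":
            created_at[ev["target"]] = ev["ts"]
        elif kind == "group_member_added" and ev.get("group") in PRIVILEGED_GROUPS:
            member = ev["member"]
            severity = "high"
            rule = "privileged-group-membership"
            if member in created_at and ev["ts"] - created_at[member] <= NEW_ACCOUNT_WINDOW:
                severity = "critical"
                rule = "new-account-elevated"
            alerts.append({"severity": severity, "rule": rule, "host": ev["host"],
                           "ts": ev["ts"], "subject": member, "actor": ev.get("actor")})
        elif kind in ("login_success", "login_failed") and ev.get("target") in PRIVILEGED_ACCOUNTS:
            alerts.append({"severity": "high" if kind == "login_success" else "medium",
                           "rule": "privileged-account-login", "host": ev["host"],
                           "ts": ev["ts"], "subject": ev["target"], "actor": ev.get("src")})
    return alerts


# Constructed sample audit lines (hypothetical hosts and accounts).
SAMPLE_LOG = """
2024-06-01T08:02:11Z host=dc01 event=user_created actor=svc_deploy target=tmp_admin
2024-06-01T08:02:15Z host=dc01 event=group_member_added actor=svc_deploy group="Domain Admins" member=tmp_admin
2024-06-01T09:15:00Z host=fw01 event=login_failed actor=- target=admin src=203.0.113.9
2024-06-01T09:15:01Z host=fw01 event=login_failed actor=- target=admin src=203.0.113.9
2024-06-01T09:15:02Z host=fw01 event=login_success actor=- target=admin src=203.0.113.9
2024-06-01T10:00:00Z host=ws22 event=login_success actor=- target=jsmith src=10.0.0.5
2024-06-01T14:00:00Z host=dc01 event=group_member_added actor=it_lead group="Domain Admins" member=jsmith
2024-06-01T14:05:00Z host=dc01 event=group_member_added actor=it_lead group="Sales" member=jsmith
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']:8}] {alert['ts']} {alert['host']} "
              f"{alert['rule']}: {alert['subject']} (by {alert['actor']})")
```

On the sample lines the script raises one critical alert (tmp_admin created and elevated within four seconds), three for the admin logins on the firewall, and one high alert for jsmith joining Domain Admins; the Sales group change and the ordinary workstation login produce nothing, which is the point of keeping the privileged sets explicit rather than alerting on every group change.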

Conclusion

Understanding the password practices of your IT department is crucial for your organization’s security. By asking these questions, you gain valuable insights into their strategies and emphasize the importance of robust cybersecurity measures and accountability throughout all departments. Stay tuned for more in our “Questions You Should Be Asking Your IT” series, where we’ll explore critical practices to keep your business safe and secure.

And remember, if you suspect your IT may be implementing “lazy IT practices” or you just need a second opinion on your IT operations, Let’s Chat.