Is the password manager you've been using for your personal accounts good enough to be your password management solution for business? That's the topic before us today, courtesy of the past dozen-or-so small business owners who have asked us this question recently.
It's a fair question. After all, the password manager you use personally has the ability to encrypt, store, and retrieve passwords. It has multifactor authentication (I hope). It has a browser extension that uses convenience as a carrot to encourage use. It has a random password generator. It has a sharing feature. So, what's not to love about using that password keeper for your business?
Truth be told, it might have everything you need -- but before you jump to that conclusion, let's discuss the password management essentials that you should expect (demand?) from any password management solution that you consider using for business.
We're going to point out the obvious here, to make sure it gets its rightful place as #1 on the list of password management features that you'll need for business use. When you have an unexpected parting of ways with an employee, you need the ability to lock the account that holds the passwords they have, or had, access to.
This is not intended to sound harsh; it's simple risk management. When you terminate an employee -- or an employee resigns -- you need to be in a routine of disabling access to company passwords. Simple enough? We think so, but if you are in a situation where each person in the company signed up for an "individual" plan on a password manager of their choice, you might have just landed in deep trouble. Unaffiliated consumer-grade accounts held by the now-departed employee won't be within your reach. Don't put yourself in that situation: get an enterprise-grade password manager in which you are the administrator and have the ability to quickly and easily disable account access if the need arises.
Ever have an employee who somehow loses their ability to use their normal MFA? For example, they change phone numbers and forget to transfer their SMS MFA settings first? Or they leave their phone at home but urgently need access to some protected resource without the benefit of their normal MFA application?
It happens. And by having a playbook for how to handle it, you prevent employees from willfully trying to avoid MFA for fear of the inconvenience that these situations cause.
By using an enterprise-grade password keeper, you as an administrator should have the ability to momentarily disable MFA when an employee needs to briefly access the account to set up a new form of MFA (perhaps transitioning from SMS-based MFA to the Google Authenticator app). You'll "save the day" by making it easy for an employee to navigate what might otherwise have been an incredibly inconvenient day.
Resist the urge to tune out here. This is a real situation. Suppose that you receive notification (via Havoc Shield, if you are a customer) that credentials belonging to some of your employees have turned up in a recent dark web breach. Suppose further that upon discussing it with the particular employees, one of them sheepishly admits that their master password is also a password that they occasionally use on third-party websites. You will want the immediate ability to force-expire their master password from the password keeper. Even if you are half a world away from them. Even if they are not tech-savvy and are having trouble figuring out how to disable or change their own master password. You want immediate control, and it's essential to ensuring that one dark web breach database doesn't turn into a much bigger problem for you and the company. The ability to force-expire the master password of any user in your company is an essential feature of any enterprise-grade password management tool.
We've been around long enough to know that if there is one sure thing about small businesses, it's that the unexpected has a knack for happening. Suppose you find yourself on either the buying side or the selling side of an acquisition. Or in a merger. Or in an asset sale or acquisition that involves a distressed entity. Even clients of ours who initially indicated that they had no intention of being part of such a business transaction have found themselves in exactly that type of situation. Password management tools that are capable of transferring accounts can be a life-saver when trying to reduce the operational friction in what no doubt turns out to be an incredibly hectic time for the business.
As an operator in a small business, you have a set of responsibilities that extends far beyond your personal wellbeing. You have a set of employees that rely on you and the company to maintain a level of cybersecurity that ensures that the entity is able to continue on without missing a beat, in the above all-too-frequent situations. Don't make the mistake of believing that your consumer-grade password management tool is adequate: make sure that you obtain an enterprise-grade solution that ensures that your password management capabilities are suitable for guarding the business that you've worked so hard to build.
At Havoc Shield, we love Keeper Security -- their password manager is incorporated into our solution as a benefit of our platform. Havoc Shield users that don't yet have the Keeper Security benefit enabled -- what are you waiting for? And, if you don't yet have a Havoc Shield account, join us for our all-in-one cybersecurity platform that includes endpoint security, password management, penetration tests, cybersecurity awareness training, phishing protection, lookalike domain monitoring, and more.