In software development, it’s inevitable that you’ll want to outsource some work, especially as you grow. You might need a pesky plugin altered, or you might need help with an enterprise-level software integration. At some point, you’ll need to share password access with an off-site contractor. What’s the safest way to do that?
Let me tell you a quick story about an agency I’d contracted to help with the deployment of an application. This was a significant project, and we had contractors with us from the start. One morning, I logged into my computer to find an email from one of the contractors that included an image. The image was a screen capture of a server address and an admin-level username & password. These days, I hope it’s universally understood that there are three things you never send in an unencrypted email:
- Credit card information.
- Social security numbers.
- Passwords.
I immediately called him on the phone. He was mortified about what had happened. But what concerned me the most was what he had said during the conversation. “I just forwarded it along as it was from my team member.” Which meant it had circulated around his office before I’d ever gotten it.
Implications of a password incident
The information security industry has established criteria that help determine a security issue’s severity, including:
- Was there an actual security breach because of the leaked credentials?
- Who has possession of the information?
Knowing this information helps shape the path to containing and remediating the incident. In my case, our two companies contained information between us. We were fortunate. The potential business implications of a significant security breach are nightmarish. Had there been a legitimate breach, it would have exposed sensitive client and employee data. It would have revealed financial information. It could have led to theft of social security numbers. And, depending on your industry, it could have made the local or national news.
Remediating a security incident
Your first step will always be to assemble your IT team. The sooner you communicate the issue, the better your outcome will be. Too often, people will (understandably) react before they have the full picture. Take a moment to take stock of where you stand, and make sure all the key players are at the table. Then you can put together an effective plan to move forward. This would generally include:
- Block access to the compromised system, change passwords, and begin an audit of the server logs.
- Notify the contractor. If they have a security team, have them work with your IT department to effect any needed changes. If they are at fault, they will probably not charge you for this work.
- Clean up the trail. Mail doesn’t just live in your inbox. The message lives on email servers in your environment and the contractor’s. Make sure to delete the email from all email clients and servers on both sides.
- Develop a plan with the contractor for future communications that involve passwords.
- If you’re not comfortable having the person who sent the email on the project, ask to have them replaced. This may cause delays in the timeline, but it’s worth it. You have to be comfortable with the people who have access to your most sensitive business data.
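The audit step above is easy to state and hard to start. As an added example that is not from the original article, here is a small triage script that reads sshd-style auth log lines and reports successful logins by the leaked account, after the time the screenshot was sent, from addresses your team does not normally use. The log lines, the account name, the leak time and the allowlist are all constructed sample data.

```python
# Added example, not from the original article: triage sshd-style auth log
# lines for logins by a leaked admin account. The log lines, account name,
# allowlist and leak time below are constructed sample data.
import re
from datetime import datetime

# Constructed sample lines in the usual syslog/sshd layout.
SAMPLE_LOG = """\
Mar  3 08:55:12 app01 sshd[2201]: Accepted password for admin from 10.0.0.15 port 50122 ssh2
Mar  3 09:02:44 app01 sshd[2290]: Accepted password for admin from 203.0.113.77 port 41002 ssh2
Mar  3 09:03:01 app01 sshd[2290]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar  3 09:10:37 app01 sshd[2310]: Failed password for admin from 198.51.100.9 port 39911 ssh2
Mar  3 09:11:02 app01 sshd[2311]: Accepted publickey for deploy from 10.0.0.20 port 50140 ssh2
Mar  3 09:15:58 app01 sshd[2333]: Accepted password for admin from 198.51.100.9 port 39915 ssh2
"""
LEAKED_ACCOUNT = "admin"
LEAKED_AT = "2024-03-03T09:00:00"          # constructed: when the screenshot was sent
ALLOWED_IPS = {"10.0.0.15", "10.0.0.20"}   # constructed: addresses your own team normally uses

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_auth_lines(text, year):
    """Yield one dict per Accepted/Failed line; unrelated lines are skipped.
    syslog timestamps omit the year, so the caller supplies it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "result": m["result"], "method": m["method"],
               "user": m["user"], "ip": m["ip"]}

def suspicious_logins(text, account, leaked_at_iso, allowed_ips, year=2024):
    """Return [(iso_timestamp, ip), ...] for successful logins as `account`
    at or after the leak time from an address that is not on the allowlist."""
    leaked_at = datetime.fromisoformat(leaked_at_iso)
    hits = []
    for ev in parse_auth_lines(text, year):
        if ev["user"] != account or ev["result"] != "Accepted":
            continue
        if ev["ts"] < leaked_at or ev["ip"] in allowed_ips:
            continue
        hits.append((ev["ts"].isoformat(), ev["ip"]))
    return sorted(hits)

def audit_sample():
    """Run the check over the constructed sample data."""
    return suspicious_logins(SAMPLE_LOG, LEAKED_ACCOUNT, LEAKED_AT, ALLOWED_IPS)

if __name__ == "__main__":
    for ts, ip in audit_sample():
        print(f"{ts}  successful '{LEAKED_ACCOUNT}' login from unexpected address {ip}")
```

On the sample data the script flags the two password logins from outside the allowlist and ignores the earlier login from a known address, the failed attempt, and the unrelated `deploy` account. Any flagged session is a starting point for the wider audit, not proof of compromise on its own; the same pattern applies to web-application or database audit logs once the line format is swapped.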
Preventing credential leakage is far less expensive than treating a security incident. If you are using a mobile device management tool, make sure to disable the screen capture option on users’ BYOD (Bring Your Own Device) or COPE (Corporate-Owned, Personally Enabled) devices.
How to send passwords safely
Advance planning could have prevented this incident. It’s important to lay out the ground rules before the job starts. When it comes to the secure communication of passwords, you have a few options.
- Communicate passwords verbally, either in person or over the phone.
- Communicate passwords through encrypted emails. Sending passwords via unencrypted email is never recommended. There are some great open source tools for encrypting your email. They require a little initial setup and configuration, but it’s worth it for long-term relationships. Check out tools like Enigmail.
- Send passwords in a password vault file such as KeePass. This application lets you store usernames, passwords, addresses and notes in a single file that is both encrypted and password protected. Then communicate the vault’s own password by one of the methods above.
To make this effective all around, you’ll want to start with a strong foundation. When you start talking to potential contractors, ask them how they handle password storage and communication. Build those requirements into your contract. Create strong passwords from the start. A 16-character combination of upper- and lower-case letters, numbers, and symbols will be your most secure.
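As an added example that is not from the original article, the following script generates a password meeting the 16-character policy described above and checks an existing password against the same rules. It uses Python’s `secrets` module (a cryptographically secure source, unlike `random`); the symbol set is an assumption and should be trimmed to whatever the target system accepts.

```python
# Added example, not from the original article: generate a 16-character
# password with upper- and lower-case letters, digits and symbols, and check
# any password against that policy. The symbol set is an assumption.
import secrets
import string

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",   # assumed set; adjust to what the system accepts
}
ALL_CHARS = "".join(CLASSES.values())

def missing_classes(password, min_length=16):
    """Return the policy rules the password fails; an empty list means compliant."""
    failures = []
    if len(password) < min_length:
        failures.append("length")
    for name, alphabet in CLASSES.items():
        if not any(c in alphabet for c in password):
            failures.append(name)
    return failures

def generate_password(length=16):
    """Build a password with at least one character from every class,
    drawing every choice from the OS CSPRNG via `secrets`."""
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    # One guaranteed character per class, then fill from the full alphabet.
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(chars))]
    # Shuffle with CSPRNG-backed index selection so the guaranteed characters
    # do not always sit in the first four positions.
    shuffled = []
    while chars:
        shuffled.append(chars.pop(secrets.randbelow(len(chars))))
    return "".join(shuffled)

if __name__ == "__main__":
    pw = generate_password()
    print(pw, "policy failures:", missing_classes(pw) or "none")
```

Generate the credential this way, store it in the vault file, and pass the vault’s password on verbally or over an encrypted channel as described above; `missing_classes` is also handy for checking the passwords a contractor proposes before they go into the contract’s shared vault.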
Ready? Set… secure!
Are you confident about how your business handles its passwords? With advance planning, you can prevent huge headaches and foster a good business relationship. If you have an IT Team, ask them how you currently store and communicate passwords. If they don’t have a policy in place, that’s okay. But, make sure it’s something they develop before you hire outside contractors. Do you have any questions? Have you used other sharing strategies or password vault apps? Share them below!