
ValGenesis Blog

Managing Cybersecurity in a SaaS Environment: 3 Tips for Life Sciences Companies

Published: May 9, 2019

You may be wondering why SaaS is specified in a blog post about data security. After all, isn’t data security the same regardless of the environment or platform used? The short answer to that question is, “Yes, it can be.” However, in a SaaS environment, restricting system access and maintaining data security often begins and ends with the actions and behaviors of company personnel.

While implementing infrastructure security measures like firewalls and antivirus software is undoubtedly helpful, these measures can be (and very often are) rendered entirely ineffective by the careless actions of human beings (or, in some cases, the intentional acts of disgruntled employees). When it comes to cybersecurity in a SaaS environment, protecting your data begins with how well your organization has implemented policies regarding how login credentials are managed and maintained and ends with how well (or how poorly) employees adhere to those policies.

Without clear and strict password policies that are correctly followed and enforced, your organization is at risk of a catastrophic (but avoidable) data breach. This happened when Edward Snowden blew the whistle on the United States National Security Agency (NSA) in 2013.

How to avoid a Snowden-like security breach

In 2014, Wired magazine dubbed Edward Snowden “the most wanted man in the world” after he used his computer intelligence skills to “steal NSA passwords” and was thereby able to infiltrate the agency's classified data network. [1]

In truth, descriptions of what Snowden did are often wildly inaccurate and misleading. Was he a skilled hacker? Certainly, but he didn't have to use his advanced hacking skills to accomplish his data breach. [2] It is also important to note that Snowden denied “stealing” passwords or “tricking” his coworkers into giving up their login information.

Of course, he must have obtained them somehow. But how does one get an NSA agent’s password if not by stealing it? What ingenious tactic did Snowden use to gain almost total access to one of the most classified data systems in the world? He made a bunch of phone calls to NSA agents and asked for their passwords — that’s it. Seriously. As impossible (and scary) as that seems, it's the absolute truth. Snowden called multiple NSA agents and told them he needed their login credentials to do his job as a system admin and data analyst contractor. At least 20 agents voluntarily provided him with those details. [3]

These were skilled intelligence professionals and trained government agents, yet they gave up their passwords and login credentials to one of the world's most secure, sensitive data archives, over the telephone, without a second thought. The Snowden breach is a strong example of what can happen when an organization fails to implement and enforce (in writing) a password management policy.

Follow these 3 simple practices for increased password security

In truth, password security (and, in turn, network/data security) is not complicated. It is far less complicated than dealing with the aftermath of an unauthorized data breach. Your organization’s password policies should include three simple practices to avoid exposing confidential or protected company information.

#1 Create a unique password

Many people find it challenging to create unique, strong passwords. Consider this: from 2013 to 2018, “123456” was the most used password for the fifth year in a row. [4] Time and again, system admins and cybersecurity experts have warned us that this is the worst possible password anyone could use — yet people continue to use it. Any would-be infiltrator attempting to guess a password always starts with “123456.” So please do not use it, and tell your employees not to use it.

At the end of each year, many cybersecurity firms publish a list of the 25 most used (and most compromised) passwords. Share one or more of these lists with your employees, with instructions not to use any password listed.

Another big issue with password creation is using names — names of children, pets, spouses, celebrities, cities, etc. It's easy for a hacker or fraudster to identify the name of someone’s child or pet using social media. Therefore, please do not use names as passwords.

Now that we have covered what you shouldn't do, let’s discuss what you should do. Many organizations establish complicated password complexity requirements, forcing employees to create passwords that contain a number, a symbol, mixed letter cases, etc. While these requirements can be helpful, they don't guarantee that users will create unique passwords. For example, “P@55word” meets nearly all of those requirements. However, it is still a variation of “password,” which usually occupies the number two spot on the aforementioned most-used password lists.

So, what should you do?

Make up a nonsense word that only you would know (e.g., “cabobble” becomes C@b0bbl3), or make up a question, riddle, or joke and create a unique password that answers it (e.g., “What happens when a car meets another car?” is answered by “a crash,” which becomes aCr@$h). It should go without saying, but I'll say it: do not use the examples that were just given!

For those who still struggle to invent unique passwords (or don’t want to), free online password generators can provide a strong password that meets almost any criteria.
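The checks above (reject the most-used passwords, reject names, and see through complexity-rule tricks like “P@55word”) can be automated at password-set time. The following is an added example, not ValGenesis code; the blocklists are constructed samples, the leet substitution table and the 12-character minimum are assumptions, and a real deployment would load the published most-used-password lists the post mentions.

```python
import re

# Constructed sample lists: a real deployment would load the annual
# most-used-password lists plus names relevant to the organization.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "iloveyou"}
KNOWN_NAMES = {"fido", "emma", "london", "paris"}

# Substitutions that satisfy "must contain a digit/symbol" rules without
# making the password less guessable ("P@55word" is still "password").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop digits/symbols tacked onto either end ("Password2019!")
    and undo leet substitutions, leaving the word the user actually chose."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET_MAP)


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the policy violations found; an empty list means the password passes.
    min_length is an assumed value; the post itself does not set a length."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    core = normalize(password)
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("variation of a commonly used password")
    elif any(name in core for name in KNOWN_NAMES):
        problems.append("contains a name that could be found on social media")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@55word2019", "MyFido2019!!", "cabobble-purple-kettle"]:
        print(candidate, "->", check_password(candidate) or "ok")
```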

#2 Prohibit password sharing

Even the most robust password, no matter how unique, becomes useless the moment you share it. It's essential that any password policy clearly states that sharing login credentials is strictly prohibited and could result in disciplinary action or even termination of employment. This may appear extreme, but consider the following scenario:

A terminated employee becomes disgruntled and wishes to do damage to the organization. His login credentials have been disabled or deleted from the system. However, he knows the login credentials of a former coworker still employed at the company. The disgruntled employee can fraudulently access the system and delete, manipulate, or corrupt critical files. DO NOT SHARE PASSWORDS.

#3 Enforce regular password changes

Generally, a password becomes less secure the longer it's in use. Therefore, at minimum, any secure network should require its users to change their passwords every six months. However, requiring a password change every ninety days is preferred. It is also important to set restrictions that prevent employees from reusing passwords too often. Otherwise, they'll simply switch back and forth between two or three familiar passwords.

Some debate whether regular password changes are still a good idea. They claim that choosing a strong, unique, or randomly generated password and sticking with it has been far more effective. Others argue that even the most secure password can become compromised and that changing passwords is the only way to minimize this risk. It’s best to choose the strategy that best serves your environment.
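The reuse restriction above only works if the system remembers a user's recent passwords; keeping salted hashes of the last few, rather than the passwords themselves, lets it reject a "switch back and forth" without storing anything reusable. The following is an added example, not ValGenesis code; the history size of five is an assumption, and the 90-day interval is the one the post prefers.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class PasswordHistory:
    """Per-user record of recent password hashes plus the last change date.
    history_size is an assumed policy value; max_age_days follows the post's
    preferred 90-day change interval."""

    def __init__(self, history_size: int = 5, max_age_days: int = 90):
        self.history_size = history_size
        self.max_age = timedelta(days=max_age_days)
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, hash), newest last
        self.last_changed: datetime | None = None

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # PBKDF2 with a per-entry salt: past passwords are never stored in clear.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def was_used_recently(self, password: str) -> bool:
        """True if the candidate matches any of the retained previous passwords."""
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in self._entries)

    def set_password(self, password: str, now: datetime) -> None:
        """Record a change, refusing any password still in the history window."""
        if self.was_used_recently(password):
            raise ValueError("password was used recently; choose a different one")
        salt = os.urandom(16)
        self._entries.append((salt, self._hash(password, salt)))
        self._entries = self._entries[-self.history_size:]  # keep newest N only
        self.last_changed = now

    def is_expired(self, now: datetime) -> bool:
        """True when the current password is older than the policy allows."""
        return self.last_changed is None or now - self.last_changed > self.max_age
```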

Password security is any SaaS environment’s first defense against an intrusion or data breach. Following these three simple guidelines will help keep your organization’s data secure and significantly reduce the odds of a costly and potentially catastrophic data breach.

Data security is paramount for life sciences companies, which is why our cloud-based solutions are hosted using the most advanced and secure data infrastructure available. Learn more about our safety and security features.

Sources

1. J. Bamford, "The Most Wanted Man in the World," Wired.com, August 2014.

2. CNN Editorial Research, "Edward Snowden Fast Facts," CNN.com, June 3, 2022 (updated).

3. M. Hosenball and W. Strobel, "Exclusive: Snowden Persuaded Other NSA Workers to Give Up Passwords," Reuters.com, November 7, 2013.

4. L. Abrams, "123456 Is the Most Used Password for the 5th Year in a Row," Bleepingcomputer.com, December 14, 2018.

Summary

In a SaaS environment, data security often begins and ends with the actions and behaviors of company employees. Here are 3 tips to avoid a breach.