How to do IT security when employing interns
Interns and freelancers are often an important part of your company. However, some may not be confident in dealing with IT services. This can be due to a lack of training or simply a lack of interest, mostly because of the short period of employment, but for you it can become a problem. In addition, there is the question of whether every intern should have access to all passwords, because that is what it usually comes down to.
This blog will give you tips on how to make your company's IT more secure. This includes the onboarding and approval of interns, the accessibility and storage of passwords, general password rules for the workplace and finally an alternative solution for your company.
When it comes to onboarding, one thing is particularly important: which access does the new intern actually need? In case of doubt, the intern should only get the access that is really important for his/her own work.
Because the period of employment is usually short, awareness of IT security is often not very pronounced, and ease of use takes precedence when choosing passwords. This leads to weak passwords that criminals can easily crack to gain access to your company.
If interns and employees only have access to the accounts they really need, this can directly limit the damage in the event of an actual security incident.
General password rules
An important factor in managing passwords and their security is how they are created: passwords should be secure, but they must also be memorable and easy for users to enter in their everyday work. The more software your company uses, the more difficult this becomes. As a general rule, it is recommended to use at least 16 characters, not to use names or personal data, and not to use only one type of character. This protects against brute-force attacks from the outside and against password guessing by criminals who have access to employees' personal data and information, for example via social media.
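The three rules above can be checked automatically when a password is set. The following is an added example, not code from this article or from any product it mentions; the look-alike substitution table, the three-character minimum for personal-data tokens and the sample names in the comments are assumptions.

```python
import unicodedata

MIN_LENGTH = 16  # minimum length recommended in the text above

# Constructed table of common look-alike characters (an assumption, not from
# the article), so that "M4ri4" is still recognised as the name "Maria".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case, strip accents and undo look-alike substitutions."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.casefold().translate(LEET)


def character_classes(password):
    """Return the set of character types present in the password."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def check_password(password, personal_data):
    """Return a list of rule violations; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if len(character_classes(password)) < 2:
        violations.append("single_character_type")
    normalized = normalize(password)
    for item in personal_data:
        token = normalize(item)
        # Very short tokens are skipped to avoid accidental matches.
        if len(token) >= 3 and token in normalized:
            violations.append("contains_personal_data:" + item)
    return violations
```

The `personal_data` list would hold what is publicly known about the user, such as name, birth year or employer; the check runs on the plaintext at creation time and stores nothing.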
Modern companies use a lot of software, so many different passwords are needed. Passwords are most often managed with things that have already been purchased anyway: employees often use the Post-It on the screen, on which the passwords are written. Effective security methods and access control are not being followed here. Then there is the famous password sheet in Excel, with all its advantages and disadvantages. The advantages are that it is freely available, since the software was usually already purchased for something else, and that all employees can operate it reliably because they work with it every day anyway. The disadvantages are the lack of synchronization (this is partly true even if the file is in the cloud), the accessibility for all employees (everyone can see everything) and the easy copying. This is where security software comes in handy; you'll find more details later in the article.
At some point, every internship and every project comes to an end, but when the interns and freelancers leave the company, there is usually no control over which passwords are taken with them.
Especially with Post-Its and Excel files, you have no control over which passwords may no longer be secure. There are only two options for you: change all passwords or hope that nothing untoward happens.
It is also important to delete old accounts if they are no longer needed. Old accounts of ex-employees are popular gateways for criminals.
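With a record of who can see which password, offboarding no longer means changing everything or hoping for the best. The following is an added example, not code from this article or from any product; the `Account` structure, the inventory and all names in it are constructed for illustration. It lists access that goes beyond what a person needs, and for a leaver it lists the passwords to change and the old accounts to delete.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str                                      # service the credential belongs to
    shared_with: set = field(default_factory=set)  # people who can see the password
    owner: str = ""                                # set only for a personal account


def offboard(accounts, leaver):
    """Split the inventory into work items for the day `leaver` departs."""
    rotate, delete, untouched = [], [], []
    for account in accounts:
        if account.owner == leaver:
            delete.append(account.name)      # old personal account: remove it
        elif leaver in account.shared_with:
            rotate.append(account.name)      # leaver knew this password: change it
        else:
            untouched.append(account.name)   # never exposed to the leaver
    return sorted(rotate), sorted(delete), sorted(untouched)


def excess_access(accounts, needs):
    """Map each person to shared accounts they can see but do not need."""
    excess = {}
    for account in accounts:
        if account.owner:
            continue                         # personal accounts are not shared
        for person in account.shared_with:
            if account.name not in needs.get(person, set()):
                excess.setdefault(person, []).append(account.name)
    return {person: sorted(names) for person, names in excess.items()}


# Constructed inventory: names, services and needs are invented for illustration.
INVENTORY = [
    Account("social-media", {"intern_a", "marketing_lead"}),
    Account("newsletter-tool", {"intern_a", "marketing_lead"}),
    Account("bank-portal", {"finance_lead", "intern_a"}),
    Account("payroll", {"finance_lead"}),
    Account("intern_a@mail", {"intern_a"}, owner="intern_a"),
]
NEEDS = {
    "intern_a": {"social-media", "newsletter-tool"},
    "marketing_lead": {"social-media", "newsletter-tool"},
    "finance_lead": {"bank-portal", "payroll"},
}
```

In the constructed data the intern can see the bank portal without needing it, so that password joins the rotation list at departure; removing the access at onboarding would have kept the list shorter.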
What you can do
All of these problems have one thing in common: you have no control over how your employees handle software accounts. You can't really be sure about the security or number of passwords, and you can't be sure that everyone in the company is using a certain level of password hygiene.
Our tips to make your company more secure:
- Implement password rules - passwords should always be of a certain length and complexity. There are variations that are still easy to remember. There are many different approaches to this on the Internet, for example the BSI recommendation.
- Do not use passwords more than once - if an account is hacked, whether on your side or at the provider, the password is no longer secure. If the password is used multiple times, the problem spreads to multiple services. So use one password per account.
- Restrict access - each employee should have access only to the passwords that are really necessary for the work.
If you want to implement all this manually, then the process will be quite time-consuming. That's why a software solution is recommended, especially for companies.
Everything I have listed so far is not only connected with various uncertainties, risks and missing control functions for yourself, but it is also incredibly exhausting for you and your employees. They are indirectly responsible for the IT security in your company without being trained or interested in it.
A password manager is an easy way to solve these problems, and there are both free but complicated solutions and cloud-based solutions with a low barrier to entry. The best example of the latter is heylogin:
- Unlike the competition, heylogin works completely without a master password, thanks to hardware encryption via smartphone. With this, your employees really don't have to remember any password at all.
- Passwords are generated automatically, and when you open the service in the browser you can log in with one click; the username and password are filled in automatically.
- Access data can be securely shared within the team; thanks to access rights, you have full control over who can see the passwords.
And it all works really fast - on-boarding or off-boarding employees with just a few clicks, sharing accesses via drag & drop and easily adding team members, all in real time, without long waits. All this not only makes your IT more secure, but also saves time.