This guest blog post is provided by the Office of the Privacy Commissioner (OPC) whose mission is to protect and promote the privacy rights of individuals.

Tips for mitigating password reuse risk

Every organization subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) is required to ensure that personal information is protected by security safeguards appropriate to the sensitivity of the information. Depending on your circumstances, you may well need more protection against unauthorized access than just your customers' and employees' passwords.

Risk to your business

For businesses, password reuse presents risks to you and your customers/users in two ways:

  • If your business provides customer accounts with login credentials: In this case, if your customers/users reuse a password that has been compromised from another site, attackers can try those leaked credentials against your login page (known as credential stuffing) and gain access to individual customer accounts.
  • If your employees have reused their work account password elsewhere: In this case, a single compromised password can give attackers a foothold from which to reach your business's entire network.

How to mitigate this risk

There is a range of security measures that businesses of any size can implement to mitigate the risk from employees or customers reusing their passwords. Businesses may also want to consider signing up to receive alerts, bulletins or newsletters on cyber threats, either general or specific to your industry. Also consider sharing your own experiences with other businesses in your community or industry: forewarned is forearmed!

Mitigating risks of password reuse by employees

An employee's password should not be your business's only line of defense against online intruders.

  • Change Reused Passwords: Strongly encourage your employees to change their work passwords if they have ever used that password elsewhere, and to use a different password for every account.
  • Secure Access: If employees can access their work accounts remotely, there are ways you can control access to reduce your cyber-risk while still meeting your operational needs. For instance, you could:
    • Allow remote logins only from trusted IP addresses (for example, your office and VPN address ranges)
    • Use a Virtual Private Network (VPN)
    • Require additional security questions (a weak factor on its own, since answers are often guessable or discoverable; treat it as a supplement to, not a substitute for, the measures below)
    • Require Multi-Factor Authentication (strongly recommended for employees with administrative privileges)
  • Monitor: Monitoring employee account logins for unusual patterns is a key protection against password reuse risk, because stolen credentials are usually used from places and at times the real employee would not use them. Much of the damage from a cyber-attack happens when unusual patterns of access, such as repeated logins in the middle of the night or logins from IP addresses in other countries, go unnoticed.
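The trusted-IP restriction and the login monitoring above can be prototyped with a short script. The following is an added example written for this post, not OPC code or a tool the OPC recommends. It assumes a constructed log format of one login attempt per line (UTC timestamp, user, source IP, result), uses IETF documentation address ranges as stand-ins for your office/VPN ranges, and replaces a real GeoIP database with a small constructed lookup table; the log lines are constructed too.

```python
"""Flag logins from untrusted addresses, foreign countries, or repeated off-hours use.

Added example (not OPC code). Constructed log format, one attempt per line:
    <ISO-8601 UTC timestamp> <user> <source IP> <success|failure>
"""
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed: address ranges from which remote logins are expected
# (office egress, VPN concentrator). Replace with your real ranges.
TRUSTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed stand-in for a GeoIP database: network -> ISO country code.
# "XX" marks a range that is "foreign" for the purposes of the example.
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "CA",
    ipaddress.ip_network("198.51.100.0/24"): "CA",
    ipaddress.ip_network("192.0.2.0/24"): "XX",
}
HOME_COUNTRY = "CA"

# Hours (UTC, for simplicity) during which logins are considered normal.
BUSINESS_HOURS = range(7, 20)
# How many successful off-hours logins by one user trigger an alert.
OFF_HOURS_THRESHOLD = 2

# Constructed sample log: bob logs in at night from a foreign, untrusted
# address after two failures; alice logs in twice at night from the office.
SAMPLE_LOG = """\
2024-03-11T09:12:05Z alice 203.0.113.7 success
2024-03-11T02:14:09Z bob 192.0.2.10 failure
2024-03-11T02:14:20Z bob 192.0.2.10 failure
2024-03-11T02:14:33Z bob 192.0.2.10 success
2024-03-11T10:01:11Z carol 198.51.100.4 success
2024-03-11T23:45:00Z alice 203.0.113.9 success
2024-03-12T03:10:42Z alice 203.0.113.9 success
"""


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "result": result,
    }


def is_trusted(ip):
    """True if the source address falls inside an allowed range."""
    return any(ip in net for net in TRUSTED_NETS)


def country_of(ip):
    """Look up the (constructed) country code for an address."""
    for net, code in GEO.items():
        if ip in net:
            return code
    return "??"


def analyse(log_text):
    """Return a sorted list of unique (user, alert_kind, detail) tuples."""
    alerts = set()
    off_hours_logins = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        # Any attempt from outside the trusted ranges is worth a look,
        # whether or not it succeeded.
        if not is_trusted(event["ip"]):
            alerts.add((event["user"], "untrusted_ip", str(event["ip"])))
        if event["result"] != "success":
            continue
        code = country_of(event["ip"])
        if code != HOME_COUNTRY:
            alerts.add((event["user"], "foreign_country", code))
        if event["ts"].hour not in BUSINESS_HOURS:
            off_hours_logins[event["user"]] += 1
    # A single late login is common; a pattern of them is the signal.
    for user, count in off_hours_logins.items():
        if count >= OFF_HOURS_THRESHOLD:
            alerts.add((user, "repeated_off_hours", str(count)))
    return sorted(alerts)


if __name__ == "__main__":
    for user, kind, detail in analyse(SAMPLE_LOG):
        print(f"{user}: {kind} ({detail})")
```

Run against the sample, the script reports bob's attempts from an untrusted, foreign address and alice's repeated night-time logins, while carol's daytime office login produces nothing. In practice the thresholds and hours should match your own workforce, and the alerts should feed whatever your business already uses to review security events.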

For more information, visit the OPC's website.