
The #1 password in HR is unfortunately still “password”

A troubling study revealed the classic password “password” reigns supreme for HR departments. Without changes, this habit can lead to information theft and cybersecurity breaches. The news is a reminder to brush up on best password practices to increase cybersecurity hygiene in these departments with highly sensitive information.

Studies Prove HR Needs to Learn Best Password Practices

Cybersecurity professionals at NordPass looked at Fortune 500 companies and discovered many weren’t abiding by password best practices. “Password” and “password” littered the findings as the tenth and first most used, respectively. Other noteworthy mentions are “123456” in sixth place and variations of the company’s name.

These passwords don’t require advanced hacking tactics to initiate a potentially company-destroying cyber attack operation. Anyone — regardless of skill level — could guess these passwords.

HR departments ranked highest at a 31% unique password percentile (UPP) alongside a jaw-dropping 104,000 breaches. It is the most defended industry in the study, even among IT, aerospace and financial services — industries customers would expect to have better metrics. But HR’s UPP ranking above other sectors doesn’t mean the sector is safe.

The percentage is a low number — especially when the value of data rises exponentially every year, enticing cybercriminals to use more vicious and creative tactics than ever. Everyone from small businesses to governments is updating their practices.

Before, people thought enough cyber defenses would do the job. In reality, criminals adapt quickly to even the most high-test, secure defense methods from the world’s leading professionals — even the Pentagon was hacked in 2018, compromising personal data of tens of thousands of government workers. Organizations now must expect a cyberattack to happen; it’s foolish to simply hope it won’t.

Though it doesn’t have a high UPP, HR is still the current leader, and it should continue this trend of doubling down on security. Human resources can remain an industry forerunner in best password practices by amplifying efforts with internal education and technological aids.

Strong Passwords Are a Must for HR Departments

Here is why hard-to-crack passwords are so crucial to HR teams. Cyberattacks are more frequent and catastrophic, as seen by regulatory bodies scrambling to create digital protection benchmarks and standards. Digital transformation occurs across all sectors as businesses crave more efficient operations. Tech and automation are some of the pillars of market competitors and seamless procedures.

However, these installations create a more prominent digital surface area for threat actors. Additionally, increased data collection and managed data storage practices incentivize criminals to target companies with personally identifiable information (PII) floating in their digital housing. HR departments have everything from health insurance information to social security numbers.

These are some of the consequences HR departments could incur with continued weak password use and nonexistent security services:

  • Malware installations on employee devices
  • Identity theft from stolen PII
  • Leaked credentials
  • Ransomware expenses
  • Financial compromises from stolen card information
  • Job loss from unintentional or unknown account manipulation
  • Reduced company reputation by the public
  • Decreased employee trust

Although HR departments need this information for employees, they must understand the value of that data — figuratively and monetarily — and protect it with stronger passwords. They also assist IT departments in managing employee passwords outside their team, which stresses how much influence HR has over password hygiene. Their decisions and attentiveness are the cornerstones of their employees’ well-being inside and outside the organization’s walls.

Numerous employees within an HR department having the same password could pose another issue — insider threats. These come in a few flavors. External forces could use social engineering to manipulate, bribe or otherwise tempt employees to assist in a breach. An employee who knows everyone else’s passwords could frame another employee as the entry point for a breach. Or, insider threats could be self-motivated as they realize the gains HR data could yield.

Using Password Best Practices Will Protect Teams

HR departments are the backbone of a business, yet over 73% of Americans write passwords down in open spaces or rely on their memory for password storage. No matter where the threat comes from, it’s easy to see how freely malicious actors can walk into an HR system and grab what they want with little resistance.

HR departments must enforce best password practices to keep their organizations safe. The most comprehensive solution is more intentional internal training opportunities. Many employees outside the IT and cybersecurity niches don’t have formal cyber hygiene training or research it in their free time. Companies must fill these gaps by offering courses and seminars to instruct employees of all generations and backgrounds on the importance of password best practices.

Human error is the top cause of cybersecurity breaches, so training would curb most issues within HR departments and their employees. Compromised credentials were the source of 80% of breaches, and this is even more concerning as tech stacks increase and businesses transition to more cloud services and third parties. Other password best practices reveal how many avenues there are for password protection within HR departments:

  • Shorten duration for forced password changes to 30-60 day intervals.
  • Follow industry-recommended password requirements, like character length and variety.
  • Install reputable password management software.
  • Discourage password sharing and physically writing down passwords.
  • Prevent password reuse among employees, including if they have multiple accounts — unique passwords for all.
  • Practice data minimization to eliminate old employee accounts with potentially compromised or bad passwords.
  • Use two-factor authentication to strengthen password logins with biometrics or SMS verification.
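
The length, variety and reuse items above can be enforced when a password is set. The sketch below is an added example, not part of the original article or the NordPass study; the blocklist holds only the passwords the article names, and the company name "Acme", the 12-character minimum, the three-character-type rule and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# The weak passwords the article names; a real deployment loads a far larger list.
BLOCKLIST = {"password", "123456"}
# Undo common character substitutions so "P@ssw0rd" is treated like "password".
LEET = str.maketrans("@4301!$57", "aaeoiisst")
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune to your hardware


def screen_password(candidate, company, min_length=12, min_classes=3):
    """Return the reasons a candidate is rejected (an empty list means accepted)."""
    reasons = []
    lowered = candidate.lower()
    forms = (lowered, lowered.translate(LEET))
    if any(word in form for word in BLOCKLIST for form in forms):
        reasons.append("contains a commonly used password")
    if company and any(company.lower() in form for form in forms):
        reasons.append("contains the company name")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    if sum(classes) < min_classes:
        reasons.append(f"uses fewer than {min_classes} character types")
    return reasons


def make_record(password):
    """Keep only a per-record salt and a slow hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def is_reused(candidate, history):
    """True if the candidate matches any password already recorded in history."""
    return any(
        hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS), digest
        )
        for salt, digest in history
    )
```

Passing the records from an employee's other accounts as `history` covers the multiple-accounts case in the list as well as reuse of an earlier password.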

These suggestions compound in value the more strategies HR departments implement for their staff. Therefore, teams should draw up procedural documents to ensure consistent password protection across the organization. What happens if an employee is hacked? Who should manage the subsequent actions? How can HR learn from the experience?

HR teams can work with IT experts to home in on approachable strategies for even the most tech-inexperienced workers while providing incremental updates as new tools and recommendations become available.

Change “Password” to Something Greater

Adding special characters and increasing password length could save companies untold financial and emotional stress. HR departments must help employees make stronger passwords while improving their habits. When businesses perform new studies about sector-wide password habits, HR could shine as a leader by implementing these simple solutions into their operations.
