Don’t be the weakest link

Your password is our security

Your password is a link in the chain of our security system. The stronger your password, the stronger our security becomes against the threat of malicious attacks. Passwords protect everything from your personal accounts to troves of sensitive business information. Countless online crooks are doing everything they can to break into these digital rooms and steal all the data gold. And they can do a lot.

So don’t cut corners with passwords. Cut the cybercrime instead: with an array of strong, unique passwords that nobody will guess. And then keep them properly secret!

Just one guessable or compromised password (i.e. one that has been shared with others and/or discovered by third parties) can expose your company’s security and your personal information to a bunch of bad people with bad plans.

The good news is that we have simple, reliable ways to stop all this happening – and add a bit of extra steel to our password swords.

Here are your tips to password peace of mind:

Make them long

The longer, the stronger. Criminals often use password-cracking software that can guess short passwords in minutes or even seconds, by generating huge numbers of guesses. So ensure each of your passwords is at least 8 characters long, which makes the chance of it being cracked very remote. And be sure to include special characters – like !, @, or # – to make it even tougher to crack.

Don’t be a joker – be a riddler.

A fun way to outfox the crooks is by using a passphrase: a string of words that makes sense only to you, such as an obscure quote from your favourite book or movie. Then create a password-like code from that phrase, using letters, numbers and special characters. Passphrases should be easy for you to remember and hard for others to guess. For example: ‘jack and jill went up the hill to fetch a pail of water. Jack fell down!’

Your password based on this one might be: j&jwuth2f@pow.jfd!
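As an added illustration (not part of the original article), the small Python function below applies the same rules the example above uses – first letter of each word, with “and”, “to” and “a” swapped for &, 2 and @, and the phrase’s punctuation kept – and then checks the result against the length and special-character rule from “Make them long”. The substitution table is an assumption read off that single example.

```python
import re

# Whole-word swaps inferred from the article's example (assumption: these three
# are the only ones); every other word contributes just its first letter.
WORD_SUBSTITUTIONS = {"and": "&", "to": "2", "a": "@"}

# Characters the article counts as "special" for its password rule.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:',.<>?/\\|`~")


def passphrase_to_password(phrase: str) -> str:
    """Condense a memorable phrase into a short code using the article's scheme.

    Tokens are either runs of letters/digits (words) or single punctuation
    marks; punctuation is copied through unchanged so it ends up as the
    special characters in the result.
    """
    out = []
    for token in re.findall(r"[A-Za-z0-9]+|[^\sA-Za-z0-9]", phrase):
        if token[0].isalnum():
            word = token.lower()
            out.append(WORD_SUBSTITUTIONS.get(word, word[0]))
        else:
            out.append(token)
    return "".join(out)


def meets_length_rule(password: str, min_length: int = 8) -> bool:
    """The article's rule: at least 8 characters and at least one special character."""
    return len(password) >= min_length and any(c in SPECIAL_CHARS for c in password)


if __name__ == "__main__":
    phrase = "jack and jill went up the hill to fetch a pail of water. Jack fell down!"
    code = passphrase_to_password(phrase)
    print(code, "->", "ok" if meets_length_rule(code) else "too weak")
```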

Make your password monogamous

A password must be purpose-specific, just like a physical key. We don’t keep one key that opens all the locks in our life – or else we’d be in a much worse fix if ever we lost that key. So it’s vital to secure every account and device with its own unique password. If you reuse a password and it somehow gets stolen, the thief can raid all the accounts that share it – before you have time to change it across the board. Lists of cracked passwords are for sale on the dark web, and crooks test all these passwords on loads of sites to see if they will unlock another account of yours.

Speak to the password manager

Tired of dreaming up bulletproof new passwords all the time? Then use a password manager: an app that will dream them up for you, and then store them for you. Every time you fill out a particular login, the app will pop up with the right password. Simple! But be sure to use only IT-approved password managers for any work-related systems or apps. Ask the IT or security team which ones to use: we will be happy to assist! Password managers do make some people nervous – they want to control every password themselves. While approved password apps are totally safe, it’s OK if you prefer to fly solo.

Add a shield to your sword …

If a password is a superhero, then multi-factor authentication (MFA) is that superhero’s trusty sidekick. It provides an extra barrier by requiring a secondary code, or one-time password (OTP) – often sent to you via SMS or email – that you enter in addition to your password. If your password ever gets leaked or stolen, then MFA will come to the rescue, by bouncing an intruder who doesn’t have access to your email inbox or your phone.

… but don’t bite the phish!

MFA is a brilliant backup. But there is a catch to be aware of: cybercriminals can still use phishing tricks to fool you into giving them an OTP you have just received, after they have logged in with your password only. They send an email or text message that coaxes you into clicking on a link to a site that looks exactly like your internet banking login page, for example – but is actually a fake replica of that page. You then happily log in – and the crooks record your keystrokes, so they then have both your password and OTP. They then quickly log in to the real site, and spend your money until you realise what’s happening.

Often the phishing email or SMS that deceives you will ask you to update your banking details for a subscription because a card has expired, or ask you to claim a loyalty reward. If you’re tired or stressed or in a rush, you can easily fall for it.

And if ever you receive an email asking you to enter an OTP – ask yourself: did I just request this OTP myself? If not, someone is trying to hack you.

Keep it real – with a real URL

An important way to dodge phishing attacks is by never entering login details via a link that you haven’t checked is genuine. And no bank will ever send you a link to a login page. So always type in the URL instead, or use the banking app if you’ve installed one.

If you’re ever tempted to click on a link to an account login or credit card form, you should:

  • Check for a padlock icon in the browser address bar, and …
  • Ensure the site URL starts with https://
    (the “s” stands for secure, meaning the data you type in is encrypted.)

Some other telltale signs of phishing:

  • Misspelt URLs – think http://sapqi.com or http://gooogle.com
  • The link sender’s email address might be a dodgy variation of the company name, or even a random private address

And stay away from:

  • Unsolicited download or verification prompts – did you ask for this mail? If not, think thrice.
  • Ads that look like warnings: the urgency is meant to intimidate you into acting hastily
  • Automatic redirections to unknown pages or popups.

Taken aback? Report a hack!

If you think anything a bit ‘off’ has happened on a Sappi work platform, do the following:

  • Deny any suspicious requests immediately
  • Report the incident to our phishing team: phishingreport@sappi.com
    … or log an incident with your local IT support team
  • Change your password as a precaution

By acting fast, you help to keep us all safe.

Swot the Sappi rules

To keep you and our systems safe, it’s vital to know and follow Sappi’s group policies on user access and access management. These cover a range of IT issues, but they do include policies on passwords: notably that personal account passwords should not be shared with colleagues, and that temporary passwords issued by IT staff should be unique to that user and then be immediately changed to a complex new password.