Ask a Security Expert: How Can We Get Employees to Stop Writing Passwords on Sticky Notes?
The question for this edition of Ask a Security Expert comes to us from Matt Kateley, technical account manager at Business Computer Solutions, who asks, “In today’s password-intensive world, we all know users whose idea of cybersecurity is writing down their passwords on a sticky note attached to their screen. What can MSPs do to discourage this kind of behavior among their clients?”
This is a relevant question that tends to plague every office at one point or another. The modern world demands that we use passwords for security purposes — whether it’s for private, personal information such as bank accounts or frequent flyer programs, or a more heavily guarded company portal or system backend. As a result, people are tasked with remembering a variety of passwords for both their private and professional lives, many of which hold access to critical information.
So why do employees write their passwords down on sticky notes? This is a no-brainer: it’s convenient! Employees turn to sticky notes because they’re easy to use, readily available in an office setting and literally “stickable” to their screen for quick reference throughout the workday. The typical employee has enough going on that memorizing another (hopefully) complex code filled with random symbols, numbers and letters seems like an unmanageable task, one that can more easily be delegated to a 3×3 piece of adhesive paper.
Regardless of whether employees have their own private office or work in an open-concept environment, they’re not immune to risk. Each user’s credentials grant some level of access to sensitive information, which, if leaked or stolen, can cause significant damage.
As the old saying goes, “Once you know better, do better.” Employees often strive to get the most out of their work, whether financially through career growth or by maintaining a positive work-life balance, and this mindset should also extend to security. Doing your part to reduce business risk starts with a commitment to basic security hygiene and is strengthened and maintained by participating in ongoing security awareness training.
Security awareness training involves educating employees on best practices and common threat techniques so they can recognize and protect against malicious actors. Using real-world examples to help employees understand the risk they expose their company to by not following best practices, including keeping passwords on sticky notes, illuminates the consequences of these seemingly harmless choices. Beyond ongoing education and training, employees should also understand the reasoning behind the training and contribute to a business culture that prioritizes security.
Tools for the Trade
One great way to encourage employees to kick the habit of keeping passwords on sticky notes is to provide a secure alternative. In this regard, employers can look to tools such as password managers, which not only securely store users’ passwords but can also help users generate better passwords going forward. Another common feature of password managers is the ability to sync users’ encrypted passwords to their preferred devices. This is comparable to the user physically carrying the prized password sticky note around with them, without the added risk. As technology continues to advance, there will be more options for password management, including the potential for biometric authentication that doesn’t require traditional passwords at all, instead relying on users’ fingerprints or retinas to log in.
When All Else Fails, Look to Incentives
Generally speaking, most individuals are incentive-driven and more willing to work toward a goal in exchange for a reward. Therefore, to cut down on the sticky-note practice, employers can set up a system that rewards employees for managing their passwords more securely. Incentives, whether monetary or recognition-based, are effective at motivating employees to let go of bad habits that pose a security risk. Ultimately, employee education and employees’ own desire to do what’s best for their company will remain the strongest influences in helping them kick their bad habits and follow security best practices.
Gary Hayslip is responsible for the development and implementation of all information security strategies, including Webroot’s security standards, procedures and internal controls. As VP and director of cybersecurity strategy, he also contributes to product strategy to guide the efficacy of the Webroot security portfolio. He previously was CISO of the city of San Diego and held infosec roles with the U.S. Navy and the federal government. Follow Hayslip on Twitter @ghayslip or on LinkedIn.