Is your password policy working? Key cybersecurity KPIs to measure

Organizations invest time and money into staying safe from cyber threats, so it's critical they can measure how well their cybersecurity investments are paying off.

Take password policies. Every organization has one (even if it's the standard settings in Active Directory) and they may have additional password management software on top.

But if you're not measuring tangible metrics around password security, then how do you know if your strategy is having any positive impact?

One way to do this is by aligning password policies with wider cybersecurity KPIs.

This post covers four areas where you can track tangible metrics to see whether your password policies are having a real and positive impact on your overall cybersecurity goals.

We'll also share a free tool to help uncover any lurking vulnerabilities in your Active Directory.

Why assess your password policies with KPIs?

Aligning your password policies with wider cybersecurity KPIs lets you prove the value of your investments. This data can give IT teams a better understanding of the success or failure of their password security policies and help them identify areas that need improvement.

After all, the whole point of a strong password policy is to boost access security and reduce potential data breaches.

By monitoring the effectiveness of your security policies, you can demonstrate the success of your efforts to stakeholders and executives. You'll gain a much better understanding of your Active Directory's security posture, and if any areas are found to be lacking, you can make the changes necessary to protect the safety of your network.

Tracking Password KPIs

Having a strong password policy is key to protecting your network. By measuring the effectiveness of your policies against the following KPIs, you can identify and remediate potential issues before any damage is done.

Regulatory compliance

Frameworks such as the National Institute of Standards and Technology (NIST) password standards define requirements for creating secure passwords and setting minimum complexity requirements.

To measure success in this area, IT teams should regularly check for compliance with commons standards to make sure they’re keeping up with recommended authentication protocols.

Checking for weak passwords

Preventing users from creating weak passwords is the main purpose of a password policy.

Regular scans of your Active Directory with an auditing tool should show a reduction or complete elimination of end user accounts with no password, expired passwords, or identical password to other users.

The best password policies should also be blocking commonly used base terms, keyboard walks, and custom base terms related to your specific business and industry.

Scan for compromised passwords

It’s important to remember that even strong passwords can become compromised if end users have reused them on personal devices or websites with weak security.

Regular scanning for breached and compromised passwords within your Active Directory can block off potential attack routes.

User-driven password reset requests

Tracking how often users are resetting their passwords can help identify weak spots in your security system or faulty authentication protocols.

A high number of requests can indicate users forgetting their passwords frequently or potential malicious attempts to reset passwords. A sudden spike in failed logins or reset attempts can signal a cyber-attack. 

Monitoring privileged accounts

The security of privileged accounts is essential to any organization's security posture. It's vital that IT teams can measure the strength of their password policies with respect to these accounts.

To do this, they can track three key performance indicators (KPIs): privilege escalation incidents, privilege review cycle time — and privilege revocation time.

Interested to know how your organization is doing in relation to the above? Check for all of this and more with Specops Password Auditor – a free read-only Active Directory auditing tool.

Is your multi-factor authentication (MFA) effective?

MFA is an essential component of any secure password policy, providing an additional layer of security by requiring users to provide two or more pieces of evidence when logging into a system. Simply setting it up isn’t enough though – IT teams need to measure the effectiveness of their MFA policies. Here are three suggested KPIs for IT teams to follow:

Adoption rate: This metric tracks how many users are using MFA when logging into systems. It's important that all users are using MFA for it to be effective in protecting against unauthorized access attempts. A low adoption rate suggests that users may not be aware of the importance of protecting their accounts with extra security measures such as MFA.

Authentication success/failure rate: Tracks how often users successfully authenticate with MFA versus how often they fail authentication attempts due to incorrect codes or forgotten credentials. A high failure rate could indicate a lack of user awareness about the importance of using MFA or difficulty in remembering multiple sets of credentials — this could lead to compromised accounts if left unchecked.

Bypass rate: How often attackers can bypass MFA by either guessing passwords or exploiting vulnerabilities. A high bypass rate means that attackers have found a way around your security measures — this should be addressed immediately.

Get a snapshot of your password vulnerabilities today

Specops Password Auditor is a free read-only auditing tool that helps IT teams proactively identify password vulnerabilities in their organization’s Active Directory.

The dynamic report offers valuable insights into KPIs such as regulatory compliance, weak/breached passwords, and privileged account activity that can guide improving existing protocols.

Need to enhance your Active Directory password policy? See how you can do that free for 30 days with Specops Password Policy.

Sponsored and written by Specops Software.