
Enhancing your network security: the role of access control lists (ACLs)


Does your business rely on access control lists (ACLs) to manage user access? If not, you’re not alone. Many organizations shy away from using them due to the challenges of maintaining numerous lists across different network areas. However, an access control list can provide an extra layer of security for your network in specific scenarios and can be effectively integrated with role-based groups when needed.

This article will explore how an access control list can streamline your access management processes. We’ll also dive into the benefits of ACLs, including improved security measures and their adaptivity to various environments. Finally, we’ll offer practical insights into how access control lists are used to manage access and protect sensitive information.

Read on if you want to untangle the complexities of ACLs and enhance your network’s security.

What is an access control list (ACL)?

An access control list (ACL), sometimes called just an access list, filters network traffic based on source and destination. It’s a set of rules that determines which users can access particular network objects or devices. Users not included on the list are denied access to these resources.

Moreover, access lists can enhance role-based access control (RBAC). For example, they can be configured to allow only members of a development team to access a specific codebase while blocking access to all other users with DevOps roles who aren’t involved in the project.

Additionally, implementing network access control best practices involves using ACLs to manage user access and enhance security across the network.

What are ACLs used for?

An access control list (ACL) is a vital tool for managing permissions in computer systems and networks. It is mainly used for essential network security tasks, like controlling user access, protecting data, and preventing intrusions.

ACLs are also key for meeting cybersecurity standards and certifications, such as those related to network access control and network segmentation. Implementing ACLs is often a necessary step on the path to compliance, ensuring an organization fulfills required regulations.

ACLs help regulate the flow of data in and out of network components that users directly access, such as gateways and endpoints. For instance, a network administrator might have the permissions to read, write, and edit sensitive files, while a guest user may only view these files. An access control list enables this kind of selective access control based on specific criteria like IP addresses, protocols, or ports. This enhances network security by allowing precise control of who can access what.

Additionally, ACLs can be set up on various network devices, including routers, switches, VPNs, or databases. This provides a clear and effective way to manage access, improving traffic flow for better efficiency and security. By blocking malicious traffic and giving IT admins granular control, ACLs play a key role in keeping network systems safe and running smoothly.

How ACLs work

Access control lists manage access and monitor traffic within networks and systems, ensuring that only authorized interactions are permitted. Primarily installed in routers and switches, ACLs play a critical role in traffic control by guiding the flow of data throughout the network.

Each ACL contains access control entries (ACEs), which list user or group names along with their granted access rights. These rights are organized in a string of bits known as an access mask. Whether used for packet filtering or file access, ACLs provide a structured, rule-based security approach that helps administrators maintain control over network and system resources.

Rule creation and ordering

ACLs function by using predefined rules to allow or deny packets, with the order of these rules being critical in determining how traffic is managed. The process starts with rule creation and ordering, where admins set up ACL rules in a specific sequence that prioritizes certain traffic over others based on security policies.

Packet evaluation

This is another key function of ACLs, where the data within each packet is checked against the ACL rules to decide if it should be allowed through or blocked. This evaluation is based on criteria like IP addresses, port numbers, and packet content, aligning with established security measures.

Default actions

For file systems, ACLs detail specific user access privileges to system objects such as files and directories, dictating actions like reading, writing, or executing based on the user’s role (e.g., administrator or guest).

This granularity extends to default actions, where ACLs enforce predetermined responses when a packet or access request does not meet any of the specified rules. Typically, this results in a denial of access to protect the network’s integrity.

An access control list: various types

Access control lists come in various types, each serving a unique purpose based on functionality and scope. There are two basic ones:

  • File system ACLs manage access to files and directories within an operating system. They dictate user access permissions and privileges once the system is accessed.

  • Networking ACLs regulate network access by providing instructions to network switches and routers. They specify the types of traffic allowed to interface with the network and define user permissions within the network. Networking ACLs function similarly to firewalls in controlling network traffic.

Additionally, ACLs can be categorized according to their traffic filtering capabilities:

  • A standard ACL does not differentiate between types of IP traffic. Instead, it allows or blocks traffic based on the source IP address.

  • An extended ACL offers a more granular level of control. It filters on both the source and the destination IP addresses, as well as port numbers and protocol types (ICMP, TCP, IP, UDP). It can differentiate IP traffic to dictate what is allowed or denied access.
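The rule ordering, packet evaluation and default action described under "How ACLs work", together with the standard/extended distinction above, as an added example that is not from the original article or from any vendor's product. It models first-match evaluation with an implicit deny and flags rules that can never fire because an earlier rule covers them; the addresses, ports and rule sets are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR; the only field a standard ACL uses
    dst: str = "0.0.0.0/0"       # extended-ACL fields default to "any"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and self.proto in ("ip", pkt.proto)
            and self.dport in (None, pkt.dport)
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (
            ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and self.proto in ("ip", other.proto)
            and self.dport in (None, other.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; return (action, rule index). Index None = default action."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None  # implicit deny when no rule matches


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because one earlier rule covers them."""
    return [
        j for j, later in enumerate(rules)
        if any(earlier.covers(later) for earlier in rules[:j])
    ]


# Constructed sample policy: the dev subnet may reach the database subnet on
# TCP 5432, except one quarantined host.
DENY_HOST = Rule("deny", "10.0.20.7/32", "10.0.5.0/24", "tcp", 5432)
PERMIT_DEV = Rule("permit", "10.0.20.0/24", "10.0.5.0/24", "tcp", 5432)

ORDERED = [DENY_HOST, PERMIT_DEV]      # specific deny first: works as intended
MISORDERED = [PERMIT_DEV, DENY_HOST]   # broad permit first: the deny never fires

QUARANTINED = Packet("10.0.20.7", "10.0.5.10", "tcp", 5432)

if __name__ == "__main__":
    samples = [
        QUARANTINED,
        Packet("10.0.20.8", "10.0.5.10", "tcp", 5432),  # ordinary dev host
        Packet("10.0.30.1", "10.0.5.10", "tcp", 5432),  # outside the dev subnet
        Packet("10.0.20.8", "10.0.5.10", "udp", 5432),  # wrong protocol
    ]
    for name, acl in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(name, "shadowed rule indexes:", shadowed_rules(acl))
        for pkt in samples:
            print("  ", pkt, "->", evaluate(acl, pkt))
```

Running `shadowed_rules` over an exported rule set before deployment is a cheap audit for the ordering mistake shown in `MISORDERED`.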

The advantages of using an access control list

An access control list isn’t a one-size-fits-all solution for network security. However, using roles for access management offers several benefits:

  • Enhanced security. Users access only resources aligned with their roles, minimizing the risk of credential theft or phishing attacks. ACLs implement separation of duties, reducing the threat posed by privileged users.

  • Improved efficiency. ACLs streamline access control maintenance. Admins can assign new hires to role groups, granting them associated permissions without creating individual profiles.

  • Optimized network performance. With ACLs, admins can define criteria such as source and destination IP addresses, ports, and protocols to regulate traffic flow. By restricting access to certain resources based on these criteria, ACLs help prevent unnecessary network congestion and improve overall network performance.

  • Scalability & flexibility. ACLs allow for flexible role adjustments as organizations evolve. Changes can be applied globally, reducing the chance of security vulnerabilities.

  • Compliance & auditing. ACLs help meet regulatory requirements like HIPAA. Healthcare entities, for example, can limit access to patient records through role-based restrictions. Additionally, ACLs simplify auditing access, making it easier to track access requests and user activity.

Enhancing device security with ACLs

While ACLs offer significant advantages in network security, it’s essential to extend this protection to device-level security. By adopting Device Posture Security (DPS), your organization can evaluate the security of devices connecting to the network.

Through DPS, you can evaluate and monitor devices according to your predefined rules. But that’s not all. You can also automatically restrict network access for accounts using non-compliant devices. This integrated approach enhances overall network security by addressing vulnerabilities at both the network and device levels.


IT administrators can easily implement ACLs for Device Posture Security using our web-based Control Panel. To enable DPS checks, create various rules such as existing file check, OS version, jailbreaking or rooting status, and device location. Setting up ACLs in the panel is simple. Just create a profile and specify the desired rules. Once configured, it’s important to test the ACL to ensure that it is functioning as expected. Finally, activate the ACL to start enforcing the specified access control rules on your network.


ACLs for internal network segmentation

Protecting your data from leaks and insider threats is more crucial now than ever. It’s not just about safeguarding information; it’s about maintaining the credibility of your business. That’s where access control lists (ACLs) come in. They act as gatekeepers, deciding who gets access to what within your network. By setting up ACLs, you can stop unauthorized users from moving laterally through your network, helping to prevent data breaches.

Additionally, when you combine ACLs with role-based access control (RBAC), you gain even more control over who can access different parts of your network. With our Cloud Firewall feature, you can optimize your network by implementing granular segmentation using ACLs. These lists act as virtual bouncers, controlling who can access which parts of your network.

Our intuitive Control Panel facilitates the creation and management of ACLs, providing a streamlined and centralized approach to network security management.

ACLs in external access control

Managing network access isn’t just about your team. You also have to consider third-party vendors, contractors, and other external partners who might need access to your systems. With access control lists, you can ensure that these third parties only have access to the specific resources they need, minimizing the risk of unauthorized access and potential security breaches.

By setting up granular segmentation and ACL rules, you can protect your network against potential threats while enabling collaboration with external partners. Our Cloud Firewall feature makes managing external access easy, ensuring your network is protected from all angles.

Boost your network security with NordLayer’s ACLs

Access control lists (ACLs) make role-based access control more precise, ensuring only the right people have access to your data and resources, and improving network performance. They’re the frontline defense against unauthorized access and potential breaches.

But the benefits of ACLs don’t stop there. By combining ACLs with our Cloud Firewall feature, you’re not just building walls—you’re creating an impenetrable fortress around your devices and network. With NordLayer, setting up and managing ACLs is a breeze, giving you peace of mind knowing your network is fortified against any threats that come its way.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

How ROCKEN fortified its growing network against cyber-attacks for better data protection

ROCKEN, based in Zurich, Switzerland, operates in the recruiting sector, offering a unique blend of consulting and recruiting services. Their office boasts a dynamic team of recruiters, consultants, and business account managers dedicated to bridging the gap between companies and candidates. 

The company’s edge is its extensive database, housing detailed candidate profiles enriched with personal interviews, experiences, and expectations. This database, coupled with their custom CRM crafted by their dedicated outstaff development team, stands as their cornerstone, offering a nuanced understanding of each candidate’s profile.

The extensive database, containing candidates and employer information, is the apple of the eye that needs to be protected sufficiently. Julia Zaliznytska, Product Manager and a bridge between business and development, shares why using security services like NordLayer in ROCKEN’s line of work was critical.

The challenge

On the lookout for stronger protection measures

Key pain points

With business expansion plans and team growth, safeguarding ROCKEN’s expanding database became paramount as the company faced a dual challenge.

“We are working for the Swiss market at the moment, and we are extending to Germany this year, and we will have even more data that needs to be protected.”


First, they had to protect vast amounts of sensitive data, including candidates’ personal information and client companies’ corporate data, against increasingly sophisticated cyber threats such as DDoS attacks.

“With DDoS attacks as a threat and users leaving loads of personal data on the platform, we wanted to provide better protection than just relying on passwords.”


The team also has gated content on their website, including market overviews and research that is not for free and, thus, must be secured from unverified access.

Second, ROCKEN had to accommodate its hybrid work model with employees and developers working remotely across Switzerland, Germany, Ukraine, and Estonia. For a company with all infrastructure in the cloud, it’s essential to have secure remote access to the internal systems from any location.

Some employees are fully remote, while locals must visit the office three times a week. For this reason, the company needed a unified approach to connecting to the company network that is robust against cyber threats.

The solution

Sustainable scalability and protection against threats

Main criteria for choosing the solution

After the launch, the company was small and didn’t have much data to protect—securing IP addresses on their own CRM was sufficient initially.

As ROCKEN grew rapidly from 30 to 91 employees, they sought a reliable solution that scales with the company without compromising security. The solution had to seamlessly integrate for remote and office-based employees alike, ensuring data protection across all touchpoints.

Besides exponential growth, the main triggering factor for enhanced security was a reminder of constant online threats. An identified DDoS attack didn’t do any tangible damage to the company but sent a message that the risk is always there.

“Once, we have experienced a DDoS attack. Whether it was an attacker or rivals testing our protection levels, the attack didn’t result in a data breach but reminded us that we are hunted.”


A more complex and robust solution than passwords and authentication apps was needed to protect the company network. After a thorough market comparison, ROCKEN chose NordLayer for its comprehensive corporate VPN solutions.

Why choose NordLayer

Several factors influenced ROCKEN’s decision to partner with NordLayer. Primarily, it was necessary to have more complex and layered security solutions in place. It also had to be ensured that all connections are encrypted and authenticated.

“The access is secured only for those who already have access inside our organization once on-site and through the VPN once remote. Developers use VPN to connect to the production and staging systems.”


Notably, team members’ personal positive experiences with NordVPN influenced the decision. Moreover, the responsive and accommodating nature of NordLayer’s customer support and the platform’s cost-effectiveness, especially with the provided growth-supportive discount, have been significant factors in choosing the tool.

“We compared many services, but the majority lacked corporate solutions that are centralized in management and payments. NordLayer offered an all-in-one platform with bulk organization control and setup.”


NordLayer’s reputation for reliability and its ability to offer a scalable, secure solution for a growing company like ROCKEN were decisive.

How NordLayer prevents threats and secures company network


The outcome

Easy implementation of a reliable tool

The benefits of implementing NordLayer

The implementation of NordLayer was smooth and swift, taking just a week to onboard the entire organization, thanks to the clear instructions and support provided.

Despite initial hiccups with corporate laptop setups, the transition to NordLayer was well-received across the organization.

“There were absolutely no issues with NordLayer. Because we have corporate laptops that a third-party organization manages, devices weren’t prepped in advance for all users; thus, whole organization onboarding took up to a week.”


The VPN’s no-logs policy and the ability to manage teams and users through a simple portal were particularly appreciated, ensuring ROCKEN’s operations remained secure without sacrificing efficiency.

Pro cybersecurity tips

It’s a good idea to use post-it notes for everyday cybersecurity tips as a reminder, but not passwords. This and many other tips come from our case study heroes. This time, we asked Julia Zaliznytska, a Product Manager at ROCKEN, to share her favorite habits for practicing cybersecurity hygiene.

ROCKEN about NordLayer

Rocken’s partnership with NordLayer underscores the critical importance of robust cybersecurity measures in today’s digital landscape, especially for companies dealing with sensitive data.

Through strategic planning, careful vendor selection, and a focus on scalability and security, ROCKEN has successfully fortified its defenses, ensuring the confidentiality and integrity of its data as it continues to grow and expand into new markets.


SC Awards Europe Names Portnox to Best Authentication Technology Shortlist

Austin, TX – May 7, 2024 – Portnox, a leading provider of cloud-native, zero trust access control solutions, is proud to announce its selection as a finalist in the prestigious SC Awards Europe. The company has been recognized on the Best Authentication Technology category shortlist for its commitment to innovation and excellence in cybersecurity.

The Portnox Cloud allows organizations to control who can authenticate to their enterprise network, and provides granular detail on every user’s access layer, location, device type, and more. Portnox’s cloud RADIUS service – part of the Portnox Cloud platform and its primary authentication solution – is provided through a cloud-based cluster of fully redundant RADIUS servers and is used for authentication of users accessing the enterprise network.

The Portnox Cloud is fully cloud-native and requires no on-site hardware or maintenance whatsoever. No other network access control (NAC) product on the market delivers network authentication, access control, endpoint risk posture assessment and remediation in this manner.

As a cloud service, the Portnox Cloud eliminates the need for the capacity planning of on-premises software or appliances. It also eliminates the need to complete on-going security updates, expand capacity, or upgrade appliances to meet future growth needs. With the Portnox Cloud, you never have to worry about software or hardware end-of-life, or costly, complex upgrades requiring hours and days of work and a never-ending checklist of to-dos. The Portnox Cloud is always running the most up-to-date version with the latest features and capabilities.

“We are honored to be recognized as a finalist in the SC Awards Europe,” said Denny LeCompte, CEO at Portnox. “This acknowledgment reaffirms our relentless pursuit of excellence in delivering robust authentication and access control technology that strengthens data protection, improves endpoint and network security, streamlines user experiences, and achieves compliance with ease.”

The SC Europe Awards are a celebration of excellence, advancement, and the incredible minds that are shaping the future of technology and cybersecurity within the UK and Europe. Being named a finalist underscores Portnox’s unwavering dedication to providing cutting-edge solutions that empower businesses to strengthen their security posture against evolving cyber threats.

The winners of the SC Awards Europe will be announced during a ceremony on Tuesday, June 4 on the first evening of InfoSecurity Europe in London.


Adding layers of security with password pepper

When it comes to password security, the more layers of protection your personal or business security system has, the better. There is no such thing as a bullet-proof online service; you never know which malicious tactic hackers may employ to access your accounts. Password pepper is yet another additional security layer protecting against brute force attacks, dictionary attacks, and rainbow tables. Read on to find out what a password pepper is, how it works, and how it can improve your cybersecurity.

What is a password pepper?

The password pepper, or peppering as it’s also called, is closely tied to the password hashing process. Websites don’t store users’ passwords in plain text because it would allow anyone with access to see them. In most cases, users’ passwords are hashed: one-way hashing algorithms convert them into complicated strings of characters. This way, even if a site’s database gets breached, hackers must crack the hashes to get hold of users’ credentials.

A pepper is a secret value (a random string of characters) added to a password before hashing. Unlike salt, another cryptographic way of adding an extra layer of security to your password, pepper doesn’t change. Like a chef’s secret ingredient, it stays the same across all dishes: across a user’s online accounts or, if it is part of the source code, across the site’s user database.

How does password peppering work?

The password pepper changes the value that’s being hashed, resulting in a modified and more secure password hash. The pepper can be hard-coded into the website’s source code or added manually by the private or business user.

In the first scenario, the online platform’s owner chooses the pepper, taking responsibility for the code’s strength and security. The same pepper is used throughout the site’s database: There are no individual password peppers for users. Following a data breach, hard-coded pepper might be more trouble than it’s worth. If cybercriminals gain access to the source code, they could quickly discover the pepper, and it could compromise the hashed passwords. Also, in this setup, changing the breached pepper requires modifying the source code and redeploying the application, which is rather cumbersome.
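The site-side scenario above, as an added example that is not from the original article or from any product it mentions: one secret pepper shared by every account, combined with a per-user salt, so that a leaked database row alone is not enough to check password guesses. Mixing the pepper in with HMAC-SHA-256, using PBKDF2 as the slow hash, and the environment variable name `APP_PASSWORD_PEPPER` are assumptions made for this example; reading the pepper from the environment instead of hard-coding it avoids the source-code exposure and redeploy problem the paragraph describes.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # demo value; raise it to what your hardware tolerates


def load_pepper(env_var: str = "APP_PASSWORD_PEPPER") -> bytes:
    """Read the hex-encoded pepper from the environment (hypothetical variable
    name), so it lives neither in the database nor in the source tree."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to hash without a pepper")
    return bytes.fromhex(value)


def apply_pepper(password: str, pepper: bytes) -> bytes:
    """Combine password and pepper. HMAC is the construction chosen here; the
    article only says the pepper is added before hashing."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per user and stored with the
    hash; the pepper is the same for every user and stored elsewhere."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", apply_pepper(password, pepper),
                                 salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, pepper: bytes,
                    salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, pepper, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def guesses_confirmed(candidates: List[str], salt: bytes, stored: bytes,
                      pepper: bytes) -> List[str]:
    """Which candidate passwords verify against one stored row with the given
    pepper. Shows what a party holding only the database row can confirm."""
    return [c for c in candidates if verify_password(c, pepper, salt, stored)]


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    os.environ.setdefault("APP_PASSWORD_PEPPER", secrets.token_hex(32))
    pepper = load_pepper()

    salt_a, hash_a = hash_password("Tr0ub4dor&3", pepper)
    salt_b, hash_b = hash_password("Tr0ub4dor&3", pepper)
    print("same password, different rows:", hash_a != hash_b)  # the salt's job

    wordlist = ["123456", "password", "Tr0ub4dor&3"]
    print("with the real pepper:", guesses_confirmed(wordlist, salt_a, hash_a, pepper))
    print("database row only:   ",
          guesses_confirmed(wordlist, salt_a, hash_a, b"not-the-pepper"))
```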

For the above reasons, we’ll focus on the second scenario: Peppering passwords by hand. It requires setting up a strong, random code — you can use our password generator for it — and keeping it safe, separately from your login credentials. Adding a pepper to your login credentials means that even if you use a robust password manager like NordPass, you’ll still have to memorize your secret code or keep it in another safe place.

 

Using password peppering to improve your online security

Password peppering can protect your accounts in case your passwords get compromised. The rising numbers of cybercrime—the most lucrative criminal activity nowadays—show that you can never be too careful or introduce too many layers of protection. No online service provider may be completely bullet-proof breach-wise, which is what LastPass learned the hard way at the end of 2022.

Adding a pepper to your passwords has to be done manually, which extends the time needed to access your accounts. It can be annoying, especially if you are used to the seamless login experience, but it will definitely improve your online security.

People are creatures of habit and convenience and tend to ditch the security practices that are too demanding. Hence, we do not recommend peppering all your passwords — pepper the most important ones. Here’s how to do it:

  1. Create a strong and complex pepper you’ll be able to remember.

    You can think of a pepper as a password: the longer and more complex it is, the better. Make it random and use different kinds of symbols. However, don’t go overboard; the best way to keep your pepper safe is to memorize it!

  2. Create your “base password” and store it in your password manager.

    Use a password generator to create a complex string of characters: Let’s call it “your base password.” Now, save it in your password manager’s encrypted vault.

  3. Add password pepper and update passwords to your most important accounts.

    Once you’ve created your base password, add the pepper and that will be your actual new password. Update your most important accounts using it. Now, when logging in, you’ll have to add the pepper every time to access the account.

    Note: You can include the pepper anywhere in the string of characters constituting your base password. However, to avoid overcomplicating it, add it at the beginning or end of your base password.

  4. Don’t store your pepper in the password manager vault.

    The idea behind peppering your passwords is not to keep all your eggs in one basket. Hence, keeping your secret code in your password manager vault doesn’t make sense. If your passwords leak, the pepper leaks as well. To make password peppering work, keep your pepper safe somewhere else, preferably your head.

Password peppering from a business perspective

From a business perspective, password peppering can cause more trouble than it’s worth. It may interrupt the teams’ cooperation and information sharing, extend the time spent on tasks that could easily be automated, and mess up the results of compliance and password security audits.

Let’s look at other security measures more suited to the business environment. Unlike password peppering, they promote transparency and allow immediate response to cyber threats.

  • Password policy

The password policy is a set of rules and guidelines for creating and managing passwords in the organization. It informs employees how long their passwords should be, what kinds of characters they need to include, and how often they should change them. When enforced automatically by the company’s password manager, password policies give business network administrators control over every password used in their company.

  • Password health

Password health metrics track your company’s vulnerable passwords. The NordPass Password Health feature provides insight into the weak, older than 90 days, and reused passwords employees rely on. It lets you avoid the risk of data breaches connected with weak passwords rather than mitigate the results of hacker attacks.

  • Data Breach Scanner

Data Breach Scanner notifies you in real time about all data leaks related to your company emails and domains. It can be a real game-changer since, according to IBM’s 2023 data security report, companies take 277 days on average to identify and contain a breach. If you respond to the security incident at once, chances are cybercriminals won’t have enough time to use the information against your company.

These are pivotal years for password security. We’re witnessing a shift towards a more user-friendly and secure authentication method: passkeys. Passkeys allow access to your online accounts the same way you unlock your smartphone—via fingerprint or face ID. This new technology combines biometric verification with cryptographic keys, reducing the risks of phishing, brute-force attacks, and other cyber threats.

Some of the largest tech giants—including Amazon, Apple, Google, and Meta—have already joined the FIDO Alliance, an industry association created to “solve the world’s password problem.” NordPass is also a part of FIDO and, along with other members, actively promotes passkeys and makes them accessible to users. That’s why our password manager provides you a way to securely store, access, and share passkeys.


Understanding the Business Continuity Plan (BCP) and Its Importance

These days, cybercrime is rampant. It’s no longer a matter of “if” you’re going to suffer an attack but “when” it will happen. All companies want to be ready for any crisis – that’s where a business continuity plan comes into play. 

Setting up a strategy helps you understand the next steps during and following a potential cyber incident. So what is a business continuity plan, exactly? What does it encompass? And what makes it so important to organizations? Today, we’re exploring all these questions in depth.

What is a business continuity plan?

A business continuity plan (BCP) is a document that sets guidelines for how an organization should continue its operations in the event of a disruption, such as fires, floods, other natural disasters, or cybersecurity incidents. A BCP aims to help organizations resume operations without significant downtime.

Despite their utility for business security, BCPs are not as commonplace as expected. According to ZipDo, 43% of businesses across the globe don’t have a business continuity plan in place.

Business continuity vs disaster recovery plan: What’s the difference?

Sometimes, people use the terms disaster recovery plan (DRP) and business continuity plan (BCP) interchangeably. However, these are two separate types of plans. A business continuity plan helps organizations stay prepared to deal with a potential crisis and, hence, usually encompasses a disaster recovery plan. Although the two overlap and are often set into motion to optimize procedures during crisis events, their purposes differ.

The key difference between BCPs and DRPs is their goal. Business continuity plans aim to reduce downtime during the incident to a minimum. Disaster recovery plans focus on reducing any faults or abnormalities in the system caused by the event and returning things to normal. They also tend to be more extensive, including additional steps like containing, examining, and restoring operations and covering employee safety measures.

In terms of functionality, a disaster recovery plan focuses on operational steps to restore data access to business as usual following an incident. On the other hand, a business continuity plan is set in place while the incident is still ongoing, ensuring that the operations proceed despite the circumstances.

Benefits of business continuity planning

The number of news headlines announcing data breaches has numbed us to the fact that cybercrime is very real and frequent and poses an existential risk to companies of all sizes and industries.

According to the 2023 Data Breach Investigations report, ransomware is present in 24% of all breaches and is among the top four most common types of cyberattacks. Damages from these breaches cost businesses an average of $4.82 million.

Most cyberattacks are financially motivated, as the global cost of cybercrime exceeded $8 trillion in 2022 and is expected to exceed $13 trillion by 2028. The picture is quite clear — cybercrime is a lucrative venture for bad actors and potentially disastrous for those on the receiving end.

The importance of business continuity plans cannot be overstated: to thrive in these unpredictable times, organizations go beyond conventional security measures. Many companies develop a BCP in parallel with secure infrastructure and consider it a critical part of the security ecosystem. The purpose of a business continuity plan is to significantly reduce downtime in an emergency and, in turn, reduce the potential reputational damage and, of course, revenue losses.

Business continuity plan template

Business Continuity Plan Example

[Company Name]

[Date]

I. Introduction

  • Purpose of the Plan

  • Scope of the Plan

  • Budget

  • Timeline

The initial stage of developing a business continuity plan starts with a statement of the plan’s purpose. It explains the main objective of the plan, such as ensuring the organization’s ability to continue its operations during and after a disruptive event.

The Scope of the Plan outlines the areas or functions that the plan will cover, including business processes, personnel, equipment, and technology.

The Budget specifies the estimated financial resources required to implement and maintain the BCP. This includes costs related to technology, personnel, equipment, training, and other necessary expenses.

The Timeline provides a detailed schedule for developing, implementing, testing, and updating the BCP.

II. Risk Assessment

  • Identification of Risks

  • Prioritization of Risks

  • Mitigation Strategies

The Risk Assessment section is an essential part of the business continuity plan that identifies potential risks that can disrupt an organization’s critical functions.

The Identification of Risks involves identifying potential threats to the organization, such as cybersecurity breaches, supply chain disruptions, or power outages. This step is critical to understand the risks and their potential impact on the organization.

Once the risks have been identified, the Prioritization of Risks follows, which helps determine which risks require the most attention and resources.

The final step in the Risk Assessment section is developing Mitigation Strategies to minimize the impact of identified risks. Mitigation strategies may include preventative measures, such as system redundancies, data backups, and cybersecurity measures, as well as response and recovery measures, such as emergency protocols and employee training.

III. Emergency Response

  • Emergency Response Team

  • Communication Plan

  • Emergency Procedures

This section of the plan focuses on immediate actions that should be taken to ensure the safety and well-being of employees and minimize the event’s impact on the organization’s operations.

The Emergency Response Team manages the response to an emergency or disaster situation. This team should be composed of individuals trained in emergency response procedures who can act quickly and decisively during an emergency. The team should also include a designated leader coordinating the emergency response efforts.

The Communication Plan outlines how information will be disseminated during an emergency situation. It includes contact information for employees, stakeholders, and emergency response personnel, as well as protocols for communicating with these individuals.

The Emergency Procedures detail the steps to take during an emergency or disaster situation. They should be developed based on the potential risks identified in the Risk Assessment section. The procedures should be tested regularly to ensure their effectiveness.

IV. Business Impact Analysis

The Business Impact Analysis (BIA) section of a business continuity plan is a critical step in identifying the potential impact of a disruption to an organization’s critical operations.

The BIA is typically conducted by a team of individuals who understand the organization’s critical functions and can assess the potential impact of a disruption. The team may include representatives from various departments, including finance, operations, IT, and human resources.

V. Recovery and Restoration

  • Procedures for Recovery and Restoration of Critical Processes

  • Prioritization of Recovery Efforts

  • Establishment of Recovery Time Objectives

The Recovery and Restoration section of a Business Continuity Plan (BCP) outlines the procedures for recovering and restoring critical processes and functions following a disruption.

The Procedures for Recovery and Restoration of Critical Processes describe the steps required to restore critical processes and functions following a disruption. This may include steps such as relocating to alternate facilities, restoring data and systems, and re-establishing key business relationships.

The Prioritization of Recovery Efforts section identifies the order in which critical processes will be restored based on their importance to the organization’s operations and the overall mission.

Recovery time objectives (RTOs) define the maximum amount of time that critical processes and functions can be unavailable following a disruption. Establishing RTOs ensures that recovery efforts are focused on restoring critical functions within a specific timeframe.

VI. Plan Activation

  • Plan Activation Procedures

The Plan Activation section is critical in ensuring that an organization can quickly and effectively activate the plan and respond to a potential emergency.

The Plan Activation Procedures describe the steps required to activate the BCP in response to a disruption. The procedures should be clear and concise, with specific instructions for each step to ensure a prompt and effective response.

VII. Testing and Maintenance

  • Testing Procedures

  • Maintenance Procedures

  • Review and Update Procedures

This section of the plan is critical to ensure that an organization can effectively respond to disruptions and quickly resume its essential functions.

Testing Procedures may include scenarios such as natural disasters, cyber-attacks, and other potential risks. Clear objectives, testing scenarios, roles and responsibilities, and evaluation criteria to assess the plan’s effectiveness are also part of the procedural structure.

The Maintenance Procedures detail the steps necessary to keep the BCP up-to-date and relevant.

The Review and Update Procedures describe how the BCP will be reviewed and updated regularly to ensure its continued effectiveness. This may involve reviewing the plan regularly or after significant changes to the organization’s operations or threats.

What should a business continuity plan checklist include?

Organizations looking to develop a BCP have a lot to consider. Variables such as the organization’s size, its IT infrastructure, personnel, and resources all play a significant role in developing a continuity plan. Remember, each crisis is different, and each organization will have its own view on handling it according to all the variables in play. However, all business continuity plans include a few fundamental elements.

  • Clearly defined areas of responsibility

    A BCP should define specific roles and responsibilities for emergencies. You must detail who’s responsible for what tasks and clarify what course of action a person in a specific position should take. Clearly defined roles and responsibilities in an emergency event allow you to act quickly and decisively and minimize potential damage.

  • Crisis communication plan

    In an emergency, communication is vital. It is the determining factor in crisis handling. Establishing clear and effective communication pipelines is critical. Alternative communication channels should not be overlooked either. Make sure to outline them in your business continuity plan.

  • Recovery teams

    A recovery team is a collective of professionals who ensure that business operations are restored as soon as possible after the organization confronts a crisis.

  • Alternative site of operations

    Today, when we think of an incident in a business environment, we usually think of a cybersecurity-related event. However, as discussed earlier, a BCP covers many possible incidents. In a natural disaster, determine potential alternate sites where the company could continue to operate.

  • Backup power and data backups

    Whether a cyber event or a real-life physical incident, ensuring that you have access to a power source is crucial to continue operations. A BCP often contains lists of alternative power sources like generators, locations of such tools, and who should oversee them. The same applies to data – regularly scheduled backups can significantly reduce potential losses incurred by a crisis event.

  • Recovery guidelines

    If a crisis is significant, a comprehensive business continuity plan usually includes detailed guidelines on how the recovery process will be carried out.

Business continuity planning steps

Here are some general guidelines that an organization looking to develop a BCP should consider:

Analysis

A business continuity plan should include an in-depth analysis of everything that could negatively affect organizational infrastructure and operations. The analysis phase should also include assessing different levels of risk.

Design and development

Once you have a clear overview of potential risks your company could face, start developing a plan. Create a draft and reassess it to see if it accounts for even the smallest of details.

Implementation

It’s critical to get everyone on the same page regarding crisis management. Implement the BCP within the organization by providing training sessions for the staff to familiarize themselves with the plan.

Testing

Make sure to test the plan rigorously. Run through a variety of scenarios in training sessions to assess its overall effectiveness. By doing so, everyone on the team will be closely familiar with the business continuity plan’s guidelines.

Maintenance and updating

The threat landscape constantly changes and evolves, which means you should regularly reassess your BCP and take steps to update it. By tuning your continuity plan to recent developments, you can stay one step ahead of a crisis.

Business continuity planning standards

Business continuity plans don’t just appear out of thin air. They must strictly adhere to industry standards, including ISO and regional standards, to ensure that business is sufficiently prepared for a crisis scenario.

Following a standard is advantageous to businesses as the relevant information and the requirements are continuously being updated. This ensures that the implemented strategies don’t fall behind the security requirements. The ISO 223XX standard series, in particular, aims to provide a clear and internationally recognized framework for continuity planning.

ISO 22301

ISO 22301, or the Security and Resilience Standard, provides organizations with a framework to plan, operate, improve, and otherwise maintain response and recovery strategies. The business continuity plan acts as the documented management system (known as a business continuity management system, or BCMS) that aims to prevent disruptive incidents and, if they occur, ensure a full recovery. It goes hand in hand with ISO 22313.

ISO 22313

This business continuity plan standard provides guidance on implementing the ISO 22301 requirements. It details the precise steps on how the business continuity management system should be implemented in an organization.

ISO 27001

ISO 27001 provides a framework for managing information security. This standard ensures that an organization implements the right risk assessment and controls to maintain the development, improvement, and protection of its information security management system (ISMS). The NordPass ISMS is certified according to ISO 27001.

ISO/IEC 27031

These guidelines cover the principles of how ready an organization’s information and communication technology (ICT) infrastructure should be for business continuity. It covers all potential events and incidents that may impact the infrastructure, leading to the implementation of a BCP.

ISO 31000

ISO 31000, or the Risk Management Standard, exists to help all organizations handle potential risks. Its main purpose is to allow organizations to compare their internal risk management practices to the global standards. However, ISO 31000 can’t be used for certification purposes.

Level up your company’s security with NordPass Business

A comprehensive business continuity plan is vital for the entire organization’s security posture. However, in a perfect world, you wouldn’t have to use it. That’s where NordPass Business can help.

Weak, reused, or compromised passwords are often cited among the top contributing factors in data breaches – unsurprising, considering that an average user has around 170 passwords. Password fatigue is real and significantly affects how people treat their credentials. NordPass Business counters these issues.

With NordPass Business, your team will have a single secure place to store all work-related passwords, credit cards, and other sensitive information. Accessing all the data stored in NordPass is quick and easy, which allows your employees not to be distracted by the task of finding the correct passwords for the correct account.

NordPass Enterprise helps keep your corporate credentials secure at all times. Everything stored in the NordPass vault is secured with advanced XChaCha20 encryption, which would take hundreds of years to brute force.

If you’re interested in learning more about NordPass Business and how it can help fortify corporate security, do not hesitate to book a demo with our representative.
