The importance of password security for businesses

June 10, 2019

How many websites do your team members log into on a daily basis both at home and work?

What would happen if their login to just one of those websites was hacked? Could you be certain that those login details couldn’t be used to break into vital company information – your CRM system, your payroll, your website, your company benefits system… the list goes on.

Password breaches are common

Sadly, password breaches happen all too often – even to large companies. The following companies have been hacked in the last year alone:

  • British Airways
  • Marriot International
  • Reddit
  • Under Armour (including Fitbit)

In addition, poor security at Facebook meant almost 50 million users were left exposed by a security flaw last September.  It allowed attackers to gain control of people’s accounts and logins to other accounts that use Facebook’s system, of which there are many.

In fact, we believe that almost everyone will have had their data breached at some point in time – and if you’d like to see if you’re one of them, try putting your email address into https://haveibeenpwned.com/ (pronounced ‘poned’) and see what comes up. If your data hasn’t been hacked, then count yourself lucky but sadly you are one of the few.

The importance of unique passwords

If you have unique passwords and logins for each website and system you access, then you are less vulnerable to attackers accessing other sites you use, therefore protecting your data.  If your user details and password from one site are hacked, then your issues are confined to that site.  Under GDPR which was introduced in May 2018 companies should now be informing you of any breach as quickly as possible – and providing you change your password immediately, in most cases you will have nullified the problem.

However, if you use the same password across a number of sites, it’s a bigger problem as you will need to change passwords for all those sites.

Hackers now use very sophisticated software so if you use the same password for multiple sites, there is a good chance they will find it and use it for their own gain; whether stealing personal data, gaining access to credit card details, financial information etc.

Most information that has been hacked will be sold on rather than used immediately – making it less likely (although still possible) that someone will have scammed you in the meantime.

Business/personal data cross over

Some businesses are naïve in thinking work email addresses are less likely to be hacked and if they are hacked, then the business would know their systems had been compromised.

However, it’s likely that your team are frequently using their work email to access data from the internet albeit work related (e.g. trade magazine sites requiring a login or social media sites such as LinkedIn or Twitter).

Did you know for instance that in May 2016, LinkedIn had 164 million email addresses and passwords that were exposed? Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. We’ve had first-hand experience of this with some of our clients forgetting they had even registered for LinkedIn by 2016 – and had gone on to use the same email and password combinations for other sites, including internal company logins.

The importance of a proper security policy for business passwords

With 95% of cybersecurity breaches being put down to human fallibility, it is vital that every company has a secure password policy to manage logins and passwords.

So many breaches are caused by poor password management – with the worst examples being the use of companyname1 or password1 as passwords. We even know of companies where this has been encouraged to aid handover when individuals are leaving a company.

How can we help?

We can help you keep your passwords secure in the following ways:

·       By developing your security policy and ensuring it is enforced

·       Working with you to raise awareness of cyber security issues and training staff about the importance of setting unique passwords

·       Advising you on appropriate password managers and enabling access for key staff

What do password managers do?

Good password managers will not only help you keep passwords secure but will also help you generate strong unique passwords for each site.  In most cases they will automatically insert your username and password when you log into different sites and keep all your passwords under one encrypted (and password protected) roof.

Depending on the password manager they may be held in the cloud or locally on servers and we can help advise on the best options for your particular business.

What about browser password management?

If you are logging into a new site on Google Chrome or on your iPhone, the chances are that your browser will offer you a unique password and store it for you. There are problems with this though.  While the passwords themselves are strong and unique, if you happen to leave your computer or phone browser open when you walk away from your computer, then it can be fairly simple for people to access them depending on your settings.

Also, if someone learns or guesses your Google or Apple ID account password, you are completely compromised. They will more than likely have access to your email, the individual websites you’ve accessed, where in the world you’ve visited (via google maps) and potentially your photos via google photos, and more.

So, in summary, whilst Google’s password management for example is much better than using the same easily hackable password for all sites, we firmly believe that the use of the right password manager by your team will keep your company details safer.

If you would like to understand more about how we help businesses keep their systems safe and secure, please call us on 01275 400 300 or drop us a contact form here.