Press "Enter" to skip to content

5 Password Tips for SMEs

Matt Quinn 0
In our blog about the National Cyber Security Centre (NCSC) we mentioned the wealth of resources they have to help SMEs improve their security – quickly, easily and at low cost.

One area where a lot of organisations fall short is password security. This represents a major risk. Individuals frequently choose weak passwords and reuse the same password(s) multiple times. For example, research by the NCSC and security researcher Troy Hunt found that the password “123456” had been used 23 million times in breaches that Troy analysed.

Attackers commonly utilize lists of the most frequently used passwords when attempting to gain access to either your device or accounts.

However, there is no need to panic. According to the NCSC, “(p)asswords – when implemented correctly – are a free, easy and effective way to prevent unauthorised users accessing your devices or accounts.”

When using passwords, the NCSC suggests 5 things for SMEs to keep in mind

Tip 1: Make sure you switch on password protection

This may seem obvious, but many people forget to do this, particularly on devices like smart phones or tablets. To ensure protection, you should set a screenlock password, PIN, or other authentication method (such as fingerprint or face unlock).

You should also ensure that your office equipment (i.e. laptops and PCs) all use an encryption product (such as BitLocker for Windows) using a Trusted Platform Module (TPM) with a PIN, or FileVault (on macOS) in order to start up. Most modern devices have encryption built in, but you may still need to configure and enable it.

Tips 2: Use two-factor authentication (2FA) for ‘important’ accounts

Wherever possible, you should enable 2FA for any of your accounts. It adds a large amount of additional security for not much extra effort. 2FA requires two different methods to prove your identify before you can use a service or access an account, usually a password and one other method (e.g. PIN, a code sent to your phone, fingerprint scan, etc.).

Tip 3: Avoid using predictable passwords

As mentioned above, predictable passwords are used with alarming frequency. To help avoid this, the person in charge of IT within your organisation should give staff actionable information on setting passwords.

As a general rule the NCSC suggests you think of passwords that are easy to remember, but hard for someone else to guess. Staff should also avoid using the most common passwords, which criminals can easily guess. The NCSC has some useful advice on how to choose a non-predictable password.

Tip 4: Help your staff cope with ‘password overload’

There are several things you can do to improve your security. Your staff have numerous non-work related passwords to remember, so enforce password access to a service only only if you need to. Wherever you use passwords to access a service, you should only enforce password changes when you suspect a compromise of the login credentials.

As staff tends to forget passwords, you should make it easy to them to store and reset their passwords.  A way to store passwords but also to create is using tools like password managers. In that way you can store all your passwords under a ‘master password’, which will have to be a strong one. A good example of creating a strong password is using 3 random words.

Tip 5: Change all default passwords

A common mistake is not changing the default password that the manufacturer is issuing with; smartphones, computers and other types of equipment. NCSC recommends the change of all default passwords before the distribution of the devices to staff and checking these devices regularly, as well as their software, to detect possibly unchanged default passwords.
Find your Cyber Security & Compliance manager for SMEs here!

If you would like to assess your company’s GDPR risk in a matter of minutes, please click here to start a trial.

Get started

    Leave a Reply

    Your email address will not be published. Required fields are marked *