The Password Mistakes Every Business Makes and How To Fix Them

In today’s digital landscape, passwords serve as the first line of defense for businesses against cyber threats. Following news that common and easily guessed are being banned in the UK as part of world-first laws, and to mark World Password Day on 2 May, Rachel Rowlandson, Service Director at Evolve, reveals the true cost of a weak password and shares best practices to protect businesses.

New laws that came into force on 29 April – part of the Product Security and Telecommunications Infrastructure (PSTI) regime – are a welcome move that should significantly improve the UK’s resilience from cyber-attacks. In the future, manufacturers of all internet-connected devices, including mobile phones, smart doorbells, and even high-tech fridges, must implement minimum security standards. This will mean a clampdown on some bad digital habits most of us have been guilty of.

With new security technologies such as passkeys being invented, which create unique identifiers connected to specific devices rather than dependent upon passwords, it’s clear that many experts believe a new approach to security is needed. But, until these technologies become commonplace, it is critical for businesses to fully understand the role that passwords play in their security measures.

Passwords play a crucial role in maintaining the integrity of corporate assets. Yet, in 2022, more than 24 billion passwords were exposed by hackers, and around 80% of confirmed breaches are related to stolen, weak, or reused passwords.

Robust password policies are critical for ensuring the security of digital assets and accounts. Not only do they make it more difficult for hackers to access accounts, systems, and sensitive information, but as cyber threats evolve, they allow organizations to adapt and respond to new challenges effectively. To fully understand the benefits of such policies, it’s helpful to look at the consequences of using weak passwords.

The risks of weak passwords

Studies found the most used passwords in the UK last year were ‘123456’ and ‘password,’ which will now be disallowed thanks to the new legislation. But what’s so bad about them?

The latest UK government survey shows that a third of businesses (32%) and a quarter of charities (24%) reported having experienced some cyber security breach or attack in the last 12 months. Although medium and large organizations seem to be at greater risk, no business is immune – the average data breach cost was $4.45 million in 2023, the highest average on record, while the number of ransomware victims in March 2023 has nearly doubled from the previous year.

While more advanced security measures such as using secure authentication, maintaining regular software updates, and always using a Virtual Private Network (VPN) that creates a secure and encrypted connection over the internet from your device to the VPN provider are recommended, the impacts for businesses that do not introduce a robust password policy should not be overlooked.

Weak passwords represent a significant security risk, exposing individuals and organizations to various threats, including unauthorized access, data breaches, identity theft, and loss of trust and reputation.

Aside from the obvious issue that weak passwords can be easily guessed or cracked by automated tools, they make it easier for attackers to perform account takeover attacks, where they gain access to a user’s account and misuse it for malicious purposes, such as stealing sensitive information or spreading malware.

Additionally, weak passwords increase the risk of identity theft, where attackers impersonate individuals to access their financial accounts, make transactions, or fraudulently apply for loans or credit cards.

Lesser-known risks include:

• The erosion of trust.
• The reputation of individuals and organizations.
• Non-compliance with existing regulations.

Many industries have long-standing regulations and standards requiring strong password policies to protect sensitive information and maintain data security. Failure to comply with these regulations can result in legal and financial penalties.

Compromised accounts resulting from weak passwords can lead to data breaches, exposing sensitive information such as personal data, financial records, or intellectual property, so it’s imperative to implement password policies to protect businesses.

Also read: High-Risk Password Attacks and Strategies to Prevent

Best password practices to fortify defenses

Under the new UK law, if a user suggests a common password, they will be prompted to change it when creating a new account. But there are other proactive steps businesses can take:

• Create strong and unique passwords using three random words. The best way to make a password difficult to hack is by using a sequence of three random wordsthat are easy to remember. You can make it even stronger by including special characters and numbers but

don’t fall into the trap of thinking that using symbols on short common words, e.g., “P@$$W0rd1,” will make it harder to guess. Alternatively, consider using passphrases, which are longer and easier to remember than traditional passwords.

• Enable Multi-Factor Authentication (MFA): Whenever possible, enable multi-factor authentication (MFA) for your accounts to add an extra layer of security by requiring additional verification beyond just a password, such as a code sent to your phone or generated by an authenticator app.
• Avoid Password Reuse: Use different unique passwords for every email, social media, and banking account. Store passwords in your browser when prompted, or use a password manager; both options are easier than remembering multiple passwords and safer than reusing passwords.
• Regularly Update Passwords: This is especially important for accounts that contain sensitive information or are critical to business operations.
• Monitor Account Activity: Regularly monitor accounts for suspicious activity or unauthorized access. Enable notifications for login attempts, password changes, and other account-related activities to alert you to potential security incidents.

By following password best practices, businesses can significantly improve their security posture and reduce the risk of data breaches and other cybersecurity threats. Moreover, implementing robust password policies demonstrates a commitment to security, which can enhance trust among customers, clients, and stakeholders.