Passwords—they’re still the first line of defense for protecting your most valuable small business assets. From financial data to health records, strong password practices keep information safe from unauthorized eyes. Does your small business even have a password policy? If not, why not? If so, is your password policy up to date, and do your employees know how to prevent a security breach?
We help you understand why strong passwords and a company password policy matter, and how you can beef up your passwords to help minimize your risk.
Weak Passwords Create Big Security Risks
The dangers caused by vulnerable passwords are very real for small businesses. “Hackers can and will find ways to install malware and steal financial data,” warns Kevin Dohrmann, CTO and co-founder of IT solutions provider Cosentry. “The easier it is for them to get in, the more likely the exploit.” Cyber thieves may look to turn a buck by stealing financial data or by holding your company hostage through ransomware. Competitors might be interested in harvesting information from your firm in an attempt to gain an advantage in the marketplace.
Julia Breaux, IT compliance manager at cloud and data solutions firm Venyu, likens passwords to car keys. “If you have a weak policy for controlling your car keys, you might give your keys away or be tricked into giving your keys to a stranger,” she explains. “In that case, you can say good bye car.” Most people wouldn’t want to lose a big asset like their vehicle, and your business data is even more valuable.
A weak password, easily guessed or written down where others can find it, can also provide unauthorized access to people within the company. This might lead to data being altered or deleted—either intentionally or accidentally—and trigger an expensive data breach scenario.
Small businesses, with their less cumbersome networks and more consolidated user bases, are especially vulnerable to inadequate password security. Just one exposed administrative password could be devastating.
“Admin accounts often have broad privileges,” explains Patrick Hubbard, IT management and technical product marketing director at software provider SolarWinds. “For example, default Microsoft Active Directory Administrators may have firewall root permissions. If hackers compromise a single system inside the firewall, they can own an entire infrastructure and cover their tracks.” To avoid these risks, business owners should create structured password policies so that passwords continue to provide the necessary security.
Avoid Common Password Mistakes
“Many small businesses struggle to develop a password policy,” Breaux says. “If an organization actually has a password policy, it’s typically lax and influenced more by standards of convenience rather than best practice guidelines.” She adds that poor or incomplete implementation may also cause an otherwise good policy to fall short, such as when the business rolls out best practices only around the highest-risk systems. That could leave other network points without adequate protection.
Employees may also introduce their own password risks. Dohrmann highlights a major vulnerability: weak passwords that contain words or phrases. “These are very easy to break with dictionary or brute force attacks,” he says. In addition, he cautions employees against “using the same passwords for multiple sites and over long periods of time.” Both practices compromise the security of either the site or system the password’s meant to protect, potentially giving hackers easy access to valuable data.
Not surprisingly, resource availability often puts small businesses in a more difficult position when it comes to creating and following good password practices. Costs frequently drive smaller organizations to use shared application accounts, with multiple employees using the same login credentials. It may be cost effective, but Hubbard says it introduces serious concerns around password security. “When people share accounts, they tend to make the passwords easier to remember or, worse, they write them down and pass them freely among employees,” he explains.
How to Build Strong Passwords
Dohrmann recommends long passwords, and suggests that small businesses aim for passwords that are at least 10 digits long. He adds, “Use combinations of special characters, numbers, and letters.” If employees have trouble remembering these more complex passwords, you can use any number of credential management applications—such as LastPass, RoboForm, or LogMeOnce, to name but a few—to securely store and easily retrieve password information.
You can access many of these applications from mobile devices, too, in case you or your employees travel and need to log in remotely. You may also want to consider additional layers of security, including multi-factor authentication.
Venyu’s Julia Breaux urges small business owners to use password protection on all of their technology systems. She also recommends changing passwords on a regular schedule—at least every 90 days. And make sure that employees get locked out of the system after a set number of invalid login attempts. “Fewer login attempt numbers are better,” she says. This approach reduces the risk of a hacker (or a determined employee) guessing possible password combinations until they hit on the right one.
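For whoever administers the systems, the rules above can be written down as a check. The following sketch is an added example, not code from the article or the experts quoted: it tests a password against the 10-character minimum, the letter/number/special-character mix, the dictionary-word warning and the 90-day change schedule, and tracks failed logins for lockout. The lockout limit of 5 and the small word list are assumptions, since the article gives neither.

```python
import string
from datetime import date, timedelta

MIN_LENGTH = 10                  # article: at least 10 long
MAX_AGE = timedelta(days=90)     # article: change at least every 90 days
MAX_FAILED_ATTEMPTS = 5          # assumption: the article names no number
COMMON_WORDS = {"password", "welcome", "summer", "company"}  # constructed sample list

def policy_violations(password, last_changed, today):
    """Return the reasons a password fails the policy (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains dictionary word")
    if today - last_changed > MAX_AGE:
        problems.append("older than 90 days")
    return problems

class LockoutTracker:
    """Counts consecutive failed logins per account and locks at the limit."""
    def __init__(self, limit=MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failures = {}

    def record(self, account, success):
        """Record one login attempt; return True if the account is locked."""
        if self.is_locked(account):
            return True          # stays locked until an administrator resets it
        if success:
            self.failures[account] = 0
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account):
        return self.failures.get(account, 0) >= self.limit

    def reset(self, account):
        self.failures.pop(account, None)
```

A password such as "Summer2024!" meets the length and character rules yet is still flagged, because it is built around a dictionary word.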
Employees are a first line of defense in any security program, and as such, Hubbard says that small business owners should educate workers about the risks of a breach and the role that employees can play in preventing intrusions. “Teach them to always log out when they use a public computer or terminal,” he says as an example.
Employees also may not understand how dangerous it can be to share passwords or to leave them where they’re easily accessible. Take the time to discuss where security gaps appear—such as when an employee leaves the firm (taking that password with them) or when someone uses the same password to access another system.
Julie Knudson is a freelance writer whose articles have appeared in technology magazines including BizTech, Processor, and For The Record. She has covered technology issues for publications in other industries, from food service to insurance, and she also writes a recurring column in Integrated Systems Contractor magazine.