Do I need a company password policy?

Cybercrime is now considered to be one of the single greatest threats to businesses today. New technology has in turn created new opportunities for criminals and an increasing number of risks for organisations of all sizes.

At the click of a button – and from anywhere in the world – a bank account can be wiped clean, company data can be stolen or destroyed, and assets can be held to ransom. And with any employee with an email account, or other company logins, being a potential target, it pays to stay on top of your IT security.

And according to data released by Hiscox, there has already been a “sharp increase” in the number of cyber-attacks this year, with more than 60% of firms having reported one or more attacks. Yet, despite being faced with daily headlines about data breaches and phishing attacks, many businesses and their employees remain unprepared for dealing with issues of cyber security.

A new survey by The National Cyber Security Centre (NCSC) has revealed that while most people know this type of crime exists – indeed 42% of Brits say they expect to lose money to online fraud – only 15% say they know a great deal about how to protect themselves against such activity.

Passwords – the first line in cyber defence

One area we continue to struggle with is our choice and use of passwords. The result being that we’re giving criminals an easy ride.

The NCSC survey reveals that 23.2 million victims of cybercrime worldwide were using the password ‘12345’, with another 7.7 million opting for ‘123456789’ and a further 3.6 million simply using ‘password’.

Influences from the world of football, music and fiction also feature heavily, with ‘liverpool’, ‘chelsea’, ‘superman’ and ‘50cent’ all amongst the most regularly used passwords to suffer a breach.

This issue of opting for weak, common and very guessable passwords has been further exacerbated by the fact that despite knowing it’s not good to do so, 61% of people admit using the same (or similar) passwords everywhere.

What can businesses do to enhance password security?

One of the big problems with passwords is that our daily lives have gone digital, and different tools and websites mean more and more passwords to remember. It’s estimated that the average business employee must keep track of 191 passwords, so it’s perhaps unsurprising that simple, memorable passwords are being used across multiple sites – and in so doing, the security risk to businesses is being greatly increased.

As well as the potential cost and damage a cyberattack may cause, another huge reason why passwords and IT security need to be on the commercial agenda is GDPR. Privacy by design is the essence of the General Data Protection Regulation (GDPR) rules, which came into force in May 2018 and are applicable to all companies operating in the EU.

Taking all steps necessary to protect data and minimise the risk of a data breach is a key part of compliance, so having effective cyber security plans and policies in place is crucial – no matter what the size or type of business.

(For more ideas on this, see: GDPR for small businesses – simple steps you can take to protect personal data)


A guide to password best practice

Supporting employees to gain a greater understanding of these types of crimes is a vital piece in the puzzle. Just like you might encourage an awareness of physical security risks (such as intruders coming on site or suspicious behaviour), you need to help employees grasp what a cyberattack may look like and what to do if they come across one. Advising them on best practice when it comes to their choice and use of passwords is a great first step.

So, how can you bolster your business’ use of passwords?

Create a company password policy

Think about and document how your business is to use passwords. This policy should be shared with employees and reviewed regularly. It should cover issues such as:

    • Only using a password once
    • Not basing passwords on personal info, such as a pet’s name
    • Keeping passwords long and strong
    • Not sharing passwords with other people

Schedule team training

Research points to the fact that relying on employees’ own intuition and understanding of cyber security is not enough. You need to be proactive and to support them, as the consequences of a cyberattack could be extremely costly. Hold regular training sessions with employees and share news about the latest scams and what action is to be taken, should someone come across one.

Don’t change passwords too often

A strong password should only need to be changed around once a year. Certain software can now automatically issue a prompt for a password to be reset at a required interval. When a password is changed it should be changed entirely, to avoid predictable sequences such as password1, password2, password3 – exactly the patterns hackers look for.

Use random passwords

Generate and use random passwords using a website such as Avast. Make it compulsory for these types of passwords to be used. Again, some software will let you prevent people from setting passwords that are too easy, so they would be stopped even if they try to.

Set up password blacklists

By this we mean make sure your users can’t choose any passwords commonly found within data breaches, like the ‘12345’ mentioned earlier. A helpful site for this is Have I Been Pwned?, which can also be useful for checking to see if an email address has ever featured in any website data breaches, and when.

Use a password manager

The more passwords there are to remember the more difficult it can be for an employee (and the more tempting for them to replicate or choose easy ones). One solution here is to use a password manager. This type of tool remembers passwords for numerous sites, so all an employee needs to do is to remember the main login for the password manager software. Here’s a review of some of the best ones available by TechRadar.

Enhance security for sensitive data

Finally, for any super sensitive data consider what other security steps you might implement, such as using two-factor authentication. This is where a one-time passcode may be sent to a phone linked to the particular account. This code must be entered before access is granted, acting as further verification.


Concerned about IT security or cyberattacks?

Dragon IS is an IT support company based in Milton Keynes. We work with small and medium sized businesses, helping them with a broad range of issues relating to their IT systems, processes and procedures. From expert advice and guidance, to introducing systems that can effectively scale up with a growing business, call us for an informal chat on 01908 613 080 or email
