Passwords were once reserved for secret agents and their criminal counterparts. These days, everybody uses passwords. In fact, most of us have too many to keep up with, which is why we often recycle the same ones for multiple purposes. But, only people in positions of power really need to worry about passwords, right?
You may assume that small businesses wouldn’t be at the top of a cybercriminal’s to-do list, but in fact, the 2019 Data Breach Investigations Report from Verizon found that 43% of security breach victims were small businesses. That same study also found that 80% of hacking-related breaches involved weak and reused passwords. Also, according to the World Economic Forum, passwords were the most vulnerable targets for cybercriminals during the COVID-19 pandemic.
One of the quickest steps you can take to exclude yourself from these statistics is to create strong, sensible passwords. But like many things, that is easier said than done.
When creating a password, people often gravitate toward words and symbols that are easily recalled. Unfortunately, many of those overlap with millions of other people’s passwords. In 2019, UK’s National Cyber Security Centre shared the top 100,000 passwords. These include some of the expected, easily typed passwords like “123456,” “qwerty,” and, you guessed it, “password.”
Other factors that classify a password as weak include personal information, like names of family members and pets, birthdays and addresses. Cybercriminals can easily discover this information through simple web searches and generate thousands of random password combinations to hack your accounts. Once they’ve matched a correct password to an account, there’s not a lot stopping them from logging into all of your other accounts that use the same credentials. For this reason, websites and applications encourage users to choose numbers, special characters, and combinations of upper and lowercase letters to best protect their passwords. These details add exponentially more possibilities for what your passwords can be, thus making them less predictable for hackers.
Rule number 1: The longer, the better
Rule number 2: One word is not enough
Rule number 3: Easy combinations of characters and symbols are not good
The consequences of negligence are simply too great for any business to risk. In May 2019, graphic design site Canva revealed that four million user accounts containing stolen passwords were shared online in a massive data breach. Adobe faced its own problems in 2015 after a hacker compiled a list containing 150 million usernames and passwords among other confidential data, including credit card information. Adobe was asked to pay $1.1 million in damages for claims that they violated customer privacy rights. Monetary losses are one thing, but the long-term effects of deleted files and persistent spamming can damage your business even more.
Hackers see your company’s stored data as a treasure trove of profitable opportunity. With access to credit card details, they are able to perform unauthorised transactions that are difficult to trace, leaving the rightful owners no choice but to cut their losses and cancel the card. They can also choose to sell this personal data to other cybercriminals or even to advertisers, which puts the rightful owners at major risk of identity theft. Stolen bank account and personal health information can result in daunting cases of blackmail, ransom and even insurance fraud.
Strong passwords are a group effort. You have to depend not only on yourself, but on your employees and colleagues to create and safely store reliable passwords. Prompting them to update their personal passwords on an agreed interval is a good start, one that could be further supported by installing two-factor authentication (2FA) and/or a password manager. The problem with enforcing regular, frequent password changes is that employees can become overwhelmed with trying to remember each new password. They then resort to insecure, weak passwords rather than spending time to create a truly unique one. Focus on quality credentials that are safeguarded with an extra layer of protection like 2FA, and you will have already taken a leap forward in your company’s overall privacy policies.