Whether you did or not, it is what we all do – metaphorically speaking – every day.
Despite knowing the risks, our password hygiene remains poor. Why? We will get to that… but some background first.
Verizon reports that over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. Essentially, our password habits make it easy for criminals.
Not a day goes by without news of a business falling foul of cyber attacks. According to the UK Government, two in five companies (39%) and a quarter of charities (26%) reported attacks in the last 12 months. And yet, fewer businesses are taking the recommended cyber security measures than the year before. Let’s get back to why that happens.
Despite laughing when we hear that someone’s password is 12345 or qwerty, how many of us can honestly say we aren’t leaving the window open by doing one or more of the following:
- Re-using one password multiple times and justifying it as a “one-off”. Studies show we re-use passwords not once, but about 15 times.
- Creating passwords from easy-to-guess – often publicly available – details, like our date of birth, children’s or pets’ names, address, etc. This is not far off leaving the key under the proverbial mat.
- Writing down passwords: in notebooks, diaries, Post-It notes or, sometimes, specially bought password books!
- Storing them in Word or Excel files and somehow persuading ourselves that it’s fine because we have password-protected that file.
- Rarely changing passwords, especially for those “important accounts”, just in case we forget the changes.
- Sharing passwords in an insecure manner.
- Not using two-factor authentication (2FA, also called multi-factor authentication or MFA), even though many vendors, like Amazon, make the feature available.
- Applying the same weak password hygiene to our email accounts, which are often the mechanism to reset a forgotten password. So, basically, if a criminal can guess your email password, they can reset your other passwords much more easily.
But, we are in good company. Studies show this is the same the world over. There is some evidence that big business has recognised the problem and made inroads to addressing it, but most small businesses and individuals have not.
The above are symptoms, not root causes, of poor and worsening password hygiene. Why the decline?
- The sheer number of passwords we need to remember has increased dramatically. A recent report suggests, on average, between 60 and 100 each. That seemed low to me, so I checked my password manager: I currently have 784. The latest addition is for my local council’s refuse app, which brought home how passwords are multiplying.
- There are sometimes legitimate reasons to share passwords, e.g. the accounts department has one account with HMRC. But, it is difficult to share, make changes and keep everyone up to date. So we revert to “easy” instead of “secure”.
- There is a prevalent view that, although security breaches happen and security is important, they happen to other people, not to us.
Ultimately, the root cause is human behaviour. And behaviour is hard to change (but not impossible). Behaviour is a lot like water; it will always take the path of least resistance. People are busy, and so you have to make good password behaviour as easy and straightforward as possible.
The aim is to get a “security first” mindset in all your staff. Whether you like it or not, this is the reality for all companies (and individuals) in this Internet age. Here is the strategic overview of lasting improvements around password hygiene:
- Establish why you want to do this. That’s easy: the risks of being hacked are getting worse for individuals and businesses. The consequences can be catastrophic – it is not exaggerating to say companies close down and individuals go bankrupt.
- Recognise that developing new habits is challenging and requires consistent effort.
- Devise an ongoing process and not a one-off set-and-forget task. Asking your staff to sign a password policy that you found on the web isn’t going to produce results.
- Do not underestimate the power of proper training, or how long the training will take to change underlying behaviours.
Specific steps can include:
- Make the changes mandatory across the entire organisation, with you taking the lead. Just one person not complying is the equivalent of that open window – and everyone suffers when you get burgled/hacked.
- Implement 2FA (MFA) on your Office 365 accounts – your email account is critical, like a master key.
- Implement 2FA whenever a provider offers it, and avoid using providers that do not provide this level of security.
- Use a password manager (the same one across the entire organisation), and mandate it. Corporate passwords belong to the company, not the individual.
- However, our strong recommendation is that staff use it for their personal accounts too – if they are security-minded at work, they will be at home too, and vice-versa.
- When you need to share passwords, do it securely.
- Apply auditing features where available.
- Check on progress, and report that progress to all staff – celebrate your success.
- Have contingency plans, e.g. define the processes if a staff member leaves, or is on holiday and has the only account.
- Get external help – anyone who has gone to a gym understands how much more focused the results are when you have a trainer.
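The “re-use about 15 times” habit and the “apply auditing features” step above are easiest to appreciate with a concrete audit. The script below is an added example, not code from the original post or from The Final Step’s methodology. It assumes a password manager export in the common name,url,username,password CSV layout, uses a small constructed export and constructed personal details (the names and passwords are made up), and reports reuse by a truncated hash so that no plaintext password reaches the report.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample: a password manager CSV export in the common
# name,url,username,password layout. Accounts and passwords are made up.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,alice,Rover2011!
Council refuse app,https://council.example,alice,Rover2011!
Shopping,https://shop.example,alice@example.com,Rover2011!
Work email,https://mail.example,alice@corp.example,qwerty
Streaming,https://tv.example,alice,T7#kq9!zLm2p
"""

# Personal details a guesser could find publicly (constructed: a pet name and a birth year).
PERSONAL_TERMS = ["Rover", "1985"]

# The two passwords the post itself mentions; a real audit would use a
# large breached-password list instead of this tiny set.
COMMON_PASSWORDS = {"12345", "qwerty"}


def parse_export(csv_text):
    """Read an export into a list of dicts with name, username and password."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        {"name": row["name"], "username": row["username"], "password": row["password"]}
        for row in reader
    ]


def fingerprint(password):
    """Hash the password so the report can group accounts without printing secrets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused(entries):
    """Return {fingerprint: [account names]} for every password used more than once."""
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append(e["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def flag_guessable(entries, personal_terms):
    """Return (account name, reason) for passwords built from guessable material."""
    flagged = []
    for e in entries:
        pw = e["password"]
        lowered = pw.lower()
        if pw in COMMON_PASSWORDS:
            flagged.append((e["name"], "common password"))
            continue
        # Username (or the local part of an email address) embedded in the password.
        user = e["username"].split("@")[0].lower()
        if len(user) >= 3 and user in lowered:
            flagged.append((e["name"], "contains username"))
            continue
        for term in personal_terms:
            if len(term) >= 3 and term.lower() in lowered:
                flagged.append((e["name"], f"contains personal detail '{term}'"))
                break
    return flagged


def audit_report(csv_text, personal_terms):
    """Summarise reuse and guessability as counts suitable for a progress report."""
    entries = parse_export(csv_text)
    reused = find_reused(entries)
    flagged = flag_guessable(entries, personal_terms)
    return {
        "accounts": len(entries),
        "reused_groups": len(reused),
        "reused_accounts": sum(len(names) for names in reused.values()),
        "guessable": len(flagged),
    }


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for fp, names in find_reused(entries).items():
        print(f"password {fp} shared by {len(names)} accounts: {', '.join(names)}")
    for name, reason in flag_guessable(entries, PERSONAL_TERMS):
        print(f"{name}: {reason}")
    print(audit_report(SAMPLE_EXPORT, PERSONAL_TERMS))
```

The counts returned by audit_report are the kind of figure worth reporting to staff over time: reused_accounts and guessable should fall as the password manager is adopted, and that trend is the progress the steps above ask you to check on and celebrate. Run it against an export made on a machine you control and delete the export afterwards; the CSV itself is plaintext.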
Owner managers need to grasp this nettle firmly, and immediately. There is no point in crying over that open window after you are burgled. To illustrate my point, I asked my colleagues at a recent meeting, “Do you know which clients pay proper attention to backup?” There were a few suggestions until one of them hit the nail on the head: “It’s those clients that have just suffered data loss.” I suspect cyber criminals can’t believe how many people leave their windows open when they leave home.
The Final Step has been helping organisations to optimise their IT for more than 30 years. We have a proven, affordable methodology to address all of the above issues and drive permanent change in your organisation. If you would like to have a conversation, without commitment, please call Simon on 020 7572 0000.
2020 Data Breach Investigations Report, Verizon. This is the 13th edition of this annual report.
Cyber Security Breaches Survey 2021, Department for Digital, Culture, Media & Sport and Matt Warman MP, 24 March 2021.