Cyber safety: what’s your password?

Experts explain what a weak password looks like, why it can be so dangerous and how to make sure your company’s cyber defence is as strong as possible.

Where SMEs are going wrong

According to research by identity management provider OneLogin, some 85% of IT decision-makers in the UK believe they have adequate password measures in place, yet many are failing to enforce even the most basic standards. Of 600 businesses surveyed, only 37% required employees to check their passwords against lists of common passwords, 39% did not require staff to use special characters and only 52% asked for passwords to be changed every three months. A report from Verizon, meanwhile, found that a staggering 81% of hacking-related data breaches involved stolen and/or weak passwords.

A solid password infrastructure extends beyond a strong password itself – although that’s also critical. Adam Levin, founder of CyberScout, which provides SMEs with solutions to cyber attacks, says one of the biggest issues he encounters is companies relying on factory default settings. “Most connected devices come from the manufacturer secured with a default password, which is often standard across all product lines and therefore searchable on the internet,” he says.

Reusing passwords – or using similar passwords – is another common mistake. “This expands your company’s attackable surface,” says Levin. “Once an attacker has cracked one password, they have access everywhere, as do other attackers, since billions of user ID/password combinations are readily available on the dark web.”

And while you might think you’re ahead of the game by changing passwords frequently, too many SMEs focus on regularity instead of strength, adds Levin. “A weak password that’s changed every 30 days is less secure than a strong password changed every 90 days,” he says. “If you’re not careful, regular password changes can result in insecure practices, such as easy-to-remember iterations that are easier to crack, or writing them on sticky notes attached to the device they’re designed to protect.”

What makes a strong password?

Some passwords are obviously weak, yet the likes of ‘12345’, ‘qwerty’, ‘letmein’ and easy-to-guess phrases such as pet names, football clubs and birthplaces consistently appear on published lists of the most common passwords. These lists are often published to promote password awareness, but they also serve as a jumping-off point for cyber criminals: password-cracking tools take each entry and apply simple rules to it (capitalise the first letter, append a year, swap ‘a’ for ‘4’, reverse the word) to generate millions of variants in seconds. Increasingly, these programmes can also be fed data about a specific user, such as the names of their children or favourite sports team, to guess passwords even faster.
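As an added illustration, not part of the original article, here is a Python check of the kind the OneLogin survey asks about: it rejects a password if it is a cheap mangling-rule variant of an entry on a common-password list, or if it is built from details an attacker could learn about the user. The common-password list, the profile terms and the candidate passwords are constructed for the example; a real deployment would load a published list of leaked passwords from a file.

```python
import re
from typing import Iterable, List, Set

# Constructed sample of a "common password" list. A real check uses a published
# list of leaked passwords (hundreds of millions of entries), loaded from a file.
COMMON_PASSWORDS: Set[str] = {
    "123456", "12345", "password", "qwerty", "letmein", "welcome",
    "football", "liverpool", "arsenal", "manchester", "london", "summer",
}

# Undo the substitutions cracking rules apply: 4->a, 3->e, 0->o, 1->l, $->s, 5->s, 7->t.
LEET_MAP = str.maketrans("4301$57", "aeolsst")


def base_forms(password: str) -> Set[str]:
    """Return the base words a cracker's mangling rules could have started from.

    Covers the cheap rules every cracking tool ships with: case changes,
    leetspeak substitutions, digits/symbols appended or prepended, and reversal.
    """
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET_MAP)}
    # Strip non-letters from both ends ("Summer2019!" -> "summer").
    forms |= {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}  # "drowssap" -> "password"
    return {f for f in forms if f}


def check_password(password: str, user_terms: Iterable[str] = (),
                   min_length: int = 12) -> List[str]:
    """Return the reasons a password should be rejected; an empty list means it passes.

    `user_terms` are words an attacker could learn about this user (pet names,
    football club, birthplace, children's names) and feed to a targeted attack.
    """
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    forms = base_forms(password)
    if forms & COMMON_PASSWORDS:
        problems.append("simple variant of a common password")
    terms = {t.lower() for t in user_terms if len(t) >= 3}
    if any(term in form for term in terms for form in forms):
        problems.append("built from a personal detail (name, team, place)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the profile terms stand in for what an
    # attacker could scrape from the user's social media.
    profile = {"Rex", "Liverpool", "Olivia"}
    for candidate in ["Liverpool2019!", "P4ssw0rd!", "drowssap1234",
                      "Olivia!Rex!", "CupRainbow5House!"]:
        verdict = check_password(candidate, profile)
        print(f"{candidate:20} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The check deliberately works on the base forms rather than the literal string: ‘P4ssw0rd!’ never appears on the list, but the rules that produce it from ‘password’ are the first ones any cracking tool tries, so it is no stronger than the word it came from.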

“Weak passwords are short and comprised of single common words,” says Tim Holman, founder and CEO of cyber-security company 2-sec. “An eight-character password, no matter how complex, can be cracked in a few hours.” He advises using a minimum of 12 characters and says a “good rule of thumb” is to use three random words with a scattering of upper and lower case letters, plus a number and special characters. “For example, ‘CupRainbow5House!’ – a password like this is easy to remember, so it doesn’t need to be written down. It’s also nearly impossible to guess and would take a computer years to crack.”
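To put figures on the kind of estimate in the quote above, here is an added Python example, not from the article or any of the companies quoted, that computes the size of the search space and the expected time to work through it at assumed guess rates. The guess rates, the 20,000-word dictionary and the ‘recipe known’ model of a three-word password are assumptions for illustration. What the numbers show is that crack time depends as much on how the password is stored (a fast hash versus a deliberately slow one such as bcrypt, scrypt or Argon2) and on what the attacker knows about its structure as on length alone.

```python
import math
from typing import Dict, List, Tuple

PRINTABLE_ASCII = 95  # upper, lower, digits and the 33 printable symbols

# Assumed guess rates (guesses per second). Illustrative assumptions, not
# measurements: a rate-limited online login form allows a handful of tries per
# second; an offline attack on a leaked password database depends on the hash,
# from tens of thousands per second for a slow password hash (bcrypt, scrypt,
# Argon2) to tens of billions per second for a fast one (MD5, SHA-1, NTLM)
# on GPU hardware.
GUESS_RATES: Dict[str, float] = {
    "online, rate-limited login": 10,
    "offline, slow hash (bcrypt)": 5e4,
    "offline, fast hash on GPUs": 5e10,
}


def random_keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Guesses needed to exhaust every string of `length` characters."""
    return alphabet ** length


def passphrase_keyspace(words: int, dictionary: int, decorations: int = 1) -> int:
    """Guesses for an attacker who knows the password is `words` dictionary
    words plus `decorations` extra choices (digit, symbol, capitalisation)."""
    return dictionary ** words * decorations


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average search time: the right guess turns up halfway through the keyspace."""
    return keyspace / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(keyspace: int) -> List[Tuple[str, str]]:
    """Entropy in bits plus expected crack time under each assumed guess rate."""
    rows = [("entropy", f"{math.log2(keyspace):.1f} bits")]
    rows += [(scenario, human_time(expected_seconds(keyspace, rate)))
             for scenario, rate in GUESS_RATES.items()]
    return rows


if __name__ == "__main__":
    cases = {
        "8 random printable characters": random_keyspace(8),
        "12 random printable characters": random_keyspace(12),
        # 'CupRainbow5House!' as seen by an attacker who knows the recipe:
        # 3 words from an assumed 20,000-word list, plus one of 10 digits
        # and one of 32 symbols.
        "3 words + digit + symbol, recipe known": passphrase_keyspace(3, 20_000, 10 * 32),
        # The same 17 characters attacked blindly, character by character:
        "17 random printable characters": random_keyspace(17),
    }
    for label, keyspace in cases.items():
        print(label)
        for scenario, value in report(keyspace):
            print(f"  {scenario:30} {value}")
```

Under these assumptions eight random printable characters fall to a GPU rig attacking a fast hash in about 18 hours, which is the ‘few hours’ scenario; against a slow hash the same password holds out for millennia. The three-word recipe, once the attacker knows it, is roughly the size of the eight-character space, so it is the slow hash and the secrecy of the structure, not the 17-character length, that turn it into ‘years’.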

How does BYOD fit into password management?

Bring your own device (BYOD) is becoming increasingly common in the workplace, particularly in smaller businesses and start-ups where employees have more flexible working arrangements. However, Levin says: “When it comes to cyber security, BYOD might as well be BYOB – bring your own bomb.


“Many SMEs allow their managers and employees to access company systems and infrastructure on their own devices. This is a major risk.”

In an ideal scenario, Levin says that organisations would provide secure mobile devices to staff on the proviso they are only used for work purposes. If this is unfeasible, he says it’s absolutely imperative that you demand adherence to a strict security policy.

Why are weak passwords so dangerous and costly to SMEs and start-ups?

It’s front-page news when big companies are hit by a data breach, and costs can spiral into the millions. But many SMEs believe they’re too small to attract the attention of a hacker, an assumption sometimes described, loosely, as ‘security by obscurity’.

Chris Wallis, founder of cyber-security platform Intruder, says: “Smaller businesses often think they’re not in the firing line – unfortunately, the opposite is true. Having fewer resources for cyber security often makes them a weaker target, and combining that with a lax approach can lead to costly data breaches, or ransom attacks where hackers tie up important documents and demand money to release them.”

According to a recent YouGov survey, the average cost of a data breach at an SME is £35,000. But that cost is dwarfed by other factors: reputational damage and the loss of intellectual property stemming from a successful cyber attack can be ruinous.

How can you create better passwords?

With ineffective password management an ongoing problem, there are now numerous tools available to make security a more straightforward process.

Aaron Nolan, cyber security expert at Spector, which provides IT support and risk management for SMEs, says: “First, there’s a password manager. This is software for your computer that creates strong passwords and stores them safely. You only have to remember one password to access the tool, and it will create randomised strong passwords for you to copy and paste when you need them.

“Then there are multi-factor authentication tools – called MFAs. These give you an additional layer of protection, as you need to prove to the tool that you’re the one accessing the account. So once you’ve inputted your password, you’ll also need to confirm it’s really you with a code sent to your phone, or some other identifier, such as a fingerprint.

“If a hacker stole your password, they wouldn’t be able to get in unless they’d also got hold of whatever MFA method you’re using, which is incredibly difficult, if not impossible.”

Can you stay one step ahead of the hackers?

Arne Uppheim, senior director of product management at cyber-security solutions company Avast, has a sobering message for SMEs. “Cyber attacks are evolving in sophistication daily, and criminals are already abusing new technologies to launch aggressive attacks that can bypass threat detection systems,” he says.

As such, he adds, education and training for employees is fundamental. “Keep up to date with best practice, follow the news and ensure your staff are well-informed, and you’re much less likely to find yourself on the receiving end of a crippling attack.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
