
Two of the weakest points in your cyber security posture are your employees' behaviour (clicking risky links, opening bad attachments) and their passwords, which are typically weak and easy to crack. This is true for large enterprise companies and small businesses alike. The good news is that secure password enforcement is fairly easy to lock down. This post is an overview of why you need password management for your small business, and how to get it.

For starters, here are some things you want to block your employees from being able to do:

  • Use short passwords of 8 characters or fewer
  • Use their name in the password (e.g., Julia1974, Paul54321)
  • Use your company name in the password (CompanyName1234, CompanyNamelogin)
  • Use any “all star passwords” – these are lists of common passwords distributed on the net, with more in-depth lists sold on the dark web – a basic all star password list can be found in a wiki entry on the subject
  • Re-use their previous password, in case it was compromised
  • Re-use a password from another account

Now let’s get into the why, and how you can do the above.


Why You Need Password Management Rules For Your Small Business

You need strong password security to protect your business from automated cyber attacks such as password spraying and password cracking.

These attacks do not discriminate. For the hacker, they are easy to set up, run automatically, and have no regard for how large or small your business is. Every password and sensitive piece of information cracked can either be used to further breach your company, breach your partners or clients, or be sold on the dark web. If you think that no one would bother to target your business, think again. Every business is a target, and small businesses are targeted and breached more often, as SMBs are known to be lax in their cyber security.

You can use tools such as Microsoft Secure Score and also work with an IT Consultant to assess your current IT security posture and plan necessary improvements.


Why Password Policy Documents Are Not Enough

You may have a written password policy for your company, and expect your team to abide by it. Research shows time and again that computer users will not comply with policies and will skirt security settings if they can. This is why you need technical tools and IT technicians to enforce your policies and protect your business.

In a recent study performed by GoSecure, it was found that 60% of companies reported having a password policy in place. So how were penetration testers able to crack company passwords to the tune of 98%? They simply used all star password lists and suggestions to crack user passwords.

All star password lists are lists of the most common passwords used, and the most common password patterns used. By using a common pattern, a password can be easily guessed and a company compromised. Some of the common patterns checked for are:

  • Username1234!
  • CompanyName1234!
  • And other such common variants

So technically, an employee at your company who uses a password like CompanyName1234! meets the security policy you wrote out, which requires:

  • An 8-character or longer password
  • A number
  • A symbol
  • A capital letter

However, this common pattern is easy to crack.

To improve security you will need to block user names and company names from being used in your company passwords, and you can do this with the right tools. A password filter is the tool that blocks your employees from using these common patterns. Microsoft’s password filter tools will work for most businesses using Windows products.
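To make the rules concrete, here is an added example (not TUCU's tooling and not Microsoft's password filter) of a password filter in Python that implements the blocking list from the start of this post: no short passwords, no user or company name in the password (including common character substitutions such as "0" for "o"), nothing from an "all star" list even with digits and symbols appended, and no reuse of a previous password. The all star list is a constructed sample of a handful of entries, and the 12-character minimum is an assumption stricter than the "8 or fewer" the post blocks; a real deployment would load a full breached-password list and the company's own banned terms.

```python
import hashlib
import re

# Constructed sample of an "all star" list; real lists run to millions of entries.
ALL_STAR_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "login",
}

# Common character substitutions, so "C0mp4nyN4me" is still caught as "companyname".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumption: the post only says to block 8 characters or fewer


def history_hash(password: str, user_salt: bytes) -> bytes:
    """Derive the value kept in the user's password history (PBKDF2-SHA256, per-user salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user_salt, 100_000)


def check_password(password, *, username, company_name, first_name="", last_name="",
                   user_salt=b"", previous_hashes=(), min_length=MIN_LENGTH):
    """Apply the post's rules and return the list of violations (empty list == accepted)."""
    violations = []
    lower = password.lower()
    deleeted = lower.translate(LEET)

    # Rule: no short passwords.
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    # Rule: no user name, real name or company name anywhere in the password.
    for label, term in (("username", username), ("first name", first_name),
                        ("last name", last_name), ("company name", company_name)):
        t = term.lower().replace(" ", "")
        if len(t) >= 3 and (t in lower or t in deleeted):
            violations.append(f"contains {label}")

    # Rule: not on the common ("all star") list, even with trailing digits or
    # symbols appended, so "Password123!" is treated like "password".
    core = re.sub(r"[\d\W_]+$", "", lower)
    if lower in ALL_STAR_PASSWORDS or core in ALL_STAR_PASSWORDS:
        violations.append("matches common password list")

    # Rule: not one of this account's previous passwords.
    if previous_hashes and history_hash(password, user_salt) in set(previous_hashes):
        violations.append("reuses a previous password")

    return violations


if __name__ == "__main__":
    # Constructed sample checks against the patterns named in the post.
    for pw in ("CompanyName1234!", "Julia1974", "Password123!", "correct-horse-battery-staple-41"):
        print(pw, "->", check_password(pw, username="jsmith", company_name="CompanyName",
                                       first_name="Julia", last_name="Smith") or "accepted")
```

Substring checks on names deliberately run against both the raw lower-cased password and the de-leeted form, since the substitution table can also mangle a name that happens to contain a letter like "o" or "a" spelled with a digit. The history check compares derived hashes rather than plaintext, which is what a directory service actually stores.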

To further improve password security, instruct your team to avoid using any publicly available information in their passwords. It is common for hackers to search Facebook, LinkedIn, or Instagram for clues to a user’s password.

Finally, regularly audit user accounts and failed password attempts. Inactive accounts are weak points in your cyber security posture and should be deactivated. Failed password attempts can indicate an attempted breach or at-risk accounts.
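The audit described here, as an added example (not TUCU's tooling): a small Python script that reads sign-in events, separates the two failure patterns named in this post (password spraying, where one source tries a few guesses against many accounts, and cracking or brute force, where one account collects many failures) and lists accounts that have not signed in for a long time. The log format, the addresses, the account table and the thresholds are all constructed for the illustration; in practice the same logic would be run over Windows Security event logs or cloud sign-in logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: one line per sign-in attempt.
SAMPLE_LOG = """\
2024-03-01T08:59:58Z user=alice src=198.51.100.4 result=OK
2024-03-01T09:00:01Z user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:02Z user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:03Z user=carol src=203.0.113.7 result=FAIL
2024-03-01T09:00:04Z user=dave src=203.0.113.7 result=FAIL
2024-03-01T09:00:05Z user=erin src=203.0.113.7 result=FAIL
2024-03-01T09:01:10Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:01:12Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:01:15Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:01:20Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:01:25Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:01:30Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:05:00Z user=carol src=198.51.100.12 result=FAIL
2024-03-01T09:05:30Z user=carol src=198.51.100.12 result=OK
"""

# Constructed account table: date of each account's last successful sign-in.
SAMPLE_ACCOUNTS = {
    "alice": "2024-03-01", "bob": "2024-02-27", "carol": "2024-02-20",
    "dave": "2023-10-15", "erin": "2023-06-02", "svc-backup": "2023-12-30",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Turn log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failed_logon_report(events, spray_users=5, brute_force_attempts=5):
    """Return (spraying sources, accounts with many failures), both sorted.

    A source is flagged for spraying when it fails against at least spray_users
    distinct accounts; an account is flagged when it collects at least
    brute_force_attempts failures from any sources. Thresholds are assumptions.
    """
    users_per_src = defaultdict(set)
    fails_per_user = defaultdict(int)
    for e in events:
        if e["result"] != "FAIL":
            continue
        users_per_src[e["src"]].add(e["user"])
        fails_per_user[e["user"]] += 1
    spray_sources = sorted(s for s, users in users_per_src.items() if len(users) >= spray_users)
    at_risk_users = sorted(u for u, n in fails_per_user.items() if n >= brute_force_attempts)
    return spray_sources, at_risk_users


def inactive_accounts(accounts, as_of="2024-03-01", max_idle_days=90):
    """Accounts whose last sign-in is older than max_idle_days before as_of."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_idle_days)
    return sorted(u for u, last in accounts.items() if datetime.fromisoformat(last) < cutoff)


if __name__ == "__main__":
    spray, at_risk = failed_logon_report(parse_log(SAMPLE_LOG))
    print("possible password spraying from:", spray)
    print("accounts with repeated failures:", at_risk)
    print("inactive accounts to deactivate:", inactive_accounts(SAMPLE_ACCOUNTS))
```

Note that the two views are different: in the sample, the spraying source never hits any single account more than once, so a per-account failure count alone would miss it, while bob's run of failures from one address stands out only in the per-account count.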


How To Enforce Password Rules In A Small Business (Hint: You will need an IT Management Company)

There are several methods for enforcing password rules, and the right one for you will depend on your network setup or cloud services setup. Either way, you will need an IT Administrator to set up and manage your password policies and IT security policies.

For most small businesses, there is no in-house IT Administrator with the right skills. Trying to skirt cyber security or DIY such things these days is a foolish mistake that will likely lead to costly problems. This is why more small and medium businesses are turning to a Managed IT Services Provider who will set up, manage and maintain their IT systems for them.

What you will need to look for is a company to set up, configure and manage your domain, your DNS records, your company email accounts and user accounts along with permission settings for each user group, as well as company-wide cyber security policies and your Identity Access Control system.

A break-and-fix hourly computer technician service will not suffice for this level of comprehensive IT management. To meet best practices today, you need to be using certain tool sets that require ongoing administration by a qualified IT professional. Ongoing monitoring and changes will be needed to protect accounts.

You should be prepared to undergo some initial systems changes and configurations to set up the appropriate tools and policies your company needs. From there, the systems will be maintained by the Managed Provider, and your team can open a ticket should they need any technical support with anything, whether related to an IT security issue or any computer problem at all.

Your MSP may recommend a password manager for your team. This can be helpful in enforcing strong, secure passwords that are long, complex and difficult for users to remember. The small extra step of using a password manager app is offset by the large jump in password security you gain across your organization.

Making the change from no IT security and occasional break-and-fix help when something goes wrong, to monthly managed IT services can feel excessive; however, global and Canadian cyber security research shows that it is exactly what is required to navigate today’s cyber threats.

Companies that make the switch report fewer computer problems, less frustration, and more support for achieving business outcomes with technical support. Positive outcomes are good for business.


TUCU is a Toronto Managed Service Provider for small business. We help companies grow by securing and managing their IT systems and helping them meet business goals year after year. We invite you to schedule a free phone consultation to discover how we can help you.