Cyber Security – Passwords within the workplace

Reading Time: 2 minutes

26 November 2018

Last week we discussed how every day we are using more passwords within our daily life and the usage of password managers to keep them safe.  This week, we are going to stay on the same path but discuss the use of passwords within a business.

Passwords are often considered an annoyance, standing in the way of speedily achieving what you have set out to do, especially if you forget one and need to get it reset, which can take time.  They are generally shared quite carelessly between colleagues and sometimes even written on sticky notes and left in view of everyone.  But have you ever considered that your passwords are the keys to your own and your clients’ confidential information?  Think about the physical keys to your office: you wouldn’t hand them out to everyone, would you, and when you come and go you make sure everywhere is securely locked up (after all, your insurance wouldn’t pay out if your office was left unsecured).  So why not act in the same manner with passwords?

You’re holding personal client information on your machines that, if it got into the wrong hands, could be detrimental to both you as a firm and your client.  It is therefore essential that you keep it all under lock and key (by using a STRONG password).  It is also a requirement under the Data Protection Act 2018/GDPR that you have appropriate security measures in place to protect the client personal data that you hold.

What is considered a strong password?

If you don’t have access to a password manager, as discussed in our last blog (Insert link), that can automatically generate a strong password, then you must ensure that you are creating them yourself.  Strong passwords are considered to be more than 10 characters long, with a mix of uppercase characters, lowercase characters, numbers and special characters.  They should definitely not be something associated with you, e.g. your pet’s name or your children’s names.
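To make the rules above concrete, here is a small added example (not code from the original post) that checks a password against exactly those criteria and, for anyone without a password manager, generates one that satisfies them using Python’s `secrets` module.  The list of personal terms (pet and child names) is a constructed sample; the function names are our own.

```python
import secrets
import string

# Policy as stated in the post: more than 10 characters, with a mix of
# uppercase, lowercase, digits and special characters, and nothing that is
# associated with the person (pet names, children's names, and so on).
MIN_LENGTH = 11
SPECIALS = string.punctuation


def check_password(password, personal_terms=()):
    """Return a list of policy failures; an empty list means the password passes.

    personal_terms is an iterable of words tied to the user (a constructed
    example would be ["Fluffy", "Oliver"]) that must not appear in the password.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("must be more than 10 characters")
    if not any(c.isupper() for c in password):
        failures.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("needs a digit")
    if not any(c in SPECIALS for c in password):
        failures.append("needs a special character")

    # Case-insensitive substring check so "fluffy2018!" is caught as well as "Fluffy".
    lowered = password.lower()
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            failures.append(f"contains personal term '{term}'")
    return failures


def generate_password(length=16):
    """Generate a random password that satisfies the policy.

    secrets.choice draws from the operating system's CSPRNG, which is what a
    password manager would use; random.choice is not suitable for secrets.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be more than 10 characters")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry the rare draw that misses one of the character classes.
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    family_terms = ["Fluffy", "Oliver"]
    for pw in ["Ab1!", "abcdefghijkl", "Rex-Fluffy-2018!", "Tr0ub4dor&3x!"]:
        problems = check_password(pw, family_terms)
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
    print("generated:", generate_password(16))
```

The checker returns every failed rule rather than stopping at the first one, so a self-service reset form can tell the user all that needs fixing in one go.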

We understand that within your office there will be a need for more than one person to have access to particular accounts or websites, for example, social media accounts.  As the use of social media in business grows, it’s becoming more common for different members of staff to need to jump on, tweet and engage with clients.  But have you thought about what happens if one of those members of staff leaves under sour circumstances, yet still has the password to your social media?  They could very easily tarnish your brand’s reputation with a few unsavoury tweets/posts, and rebuilding trust with clients after this will be very hard.

If you are the firm’s owner, you need to ensure that only you and the people you wholeheartedly trust have overall admin access rights.  It is also important that accounts such as social media are registered against your business admin email address, or one that only you have access to, so that if you ever need to reset them after a member of staff leaves, you can do so without anything being compromised.

It is also important to have a process in place to ensure that members of staff who leave the firm can no longer access accounts/websites holding company information.  We would recommend keeping a log of business accounts so that these can be traced and reset when this happens.
