Small Business Security: The Power of Strong Passwords

In today’s digital landscape, password security is a critical part of safeguarding sensitive information. Small organisations face particular challenges in putting robust security measures in place, and without dedicated security staff I am confident that most small business owners have to rely heavily on external consultancies. This is not a pitch for a vCISO service; it is based on my own experience working for, and managing, a small business.

What prompted this post? I was discussing password security with someone I know who works for a family-run company. They had hired an outside firm to assess their security, and among other complex guidelines, one recommendation was to use 15-character passwords and change them frequently. I was curious where that guidance came from.

As someone who works in security, I think about how user-friendly a control is. I am not convinced a 15-character minimum helps on its own. When employees are forced to change a password they already struggle to remember, they write it on a sticky note or append "123" to the old one, which is exactly the predictable pattern that current guidance warns about.

What does industry guidance actually say? Both the UK National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST, in SP 800-63B) publish detailed password guidance, and the NCSC-backed Cyber Essentials scheme sets specific requirements that small businesses can certify against. Here is a summary of the key recommendations:

1. Use Longer Passwords

NCSC: Advocates passphrases of three random words, which are long and memorable without being predictable.
NIST: Requires user-chosen passwords to be at least 8 characters, and says verifiers should accept at least 64 characters so that longer passphrases are not blocked; longer is better.
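
As an added example (not code from the original article), the script below generates a three-random-word passphrase from a cryptographically secure random source and puts numbers on the trade-off. The twelve-word list embedded in it is a constructed stand-in; the entropy figures assume a 7,776-word list, the size of the EFF large wordlist.

```python
"""Three-random-word passphrases: generation and a rough strength comparison.

Added example, not code from the original article. The word list embedded
here is a constructed twelve-word stand-in; a real generator should load a
list of several thousand words. The entropy figures assume 7,776 words, the
size of the EFF large wordlist.
"""
import math
import secrets

# Constructed stand-in list. Do not use random.choice for this: the random
# module is a predictable PRNG, not a source of secrets.
SAMPLE_WORDS = [
    "river", "pencil", "orbit", "candle", "meadow", "tiger",
    "velvet", "anchor", "bishop", "crater", "dune", "fossil",
]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Guessing entropy, in bits, of `picks` items drawn uniformly (with
    replacement) from a pool of `pool_size` equally likely choices."""
    return picks * math.log2(pool_size)


def random_words_passphrase(words, count: int = 3, separator: str = "-") -> str:
    """Join `count` words chosen uniformly at random with the OS CSPRNG."""
    if not words:
        raise ValueError("empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def strength_table(wordlist_size: int = 7776) -> dict[str, float]:
    """Word-based versus character-based secrets, assuming a uniform pick.
    95 is the number of printable ASCII characters."""
    return {
        "3 random words": entropy_bits(wordlist_size, 3),
        "4 random words": entropy_bits(wordlist_size, 4),
        "6 random printable chars": entropy_bits(95, 6),
        "8 random printable chars": entropy_bits(95, 8),
        "15 random printable chars": entropy_bits(95, 15),
    }


if __name__ == "__main__":
    print("example passphrase:", random_words_passphrase(SAMPLE_WORDS))
    for label, bits in strength_table().items():
        print(f"{label:>26}: {bits:5.1f} bits")
```

Three words from a 7,776-word list come to about 39 bits, the same as six fully random printable characters; four words reach about 52 bits, the same as eight. A human-chosen 15-character password is nowhere near the 98 bits the table shows for a random one, because people pick words, dates and keyboard walks. The case for three random words is that they can actually be remembered and typed, so they do not end up on a sticky note.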

2. Avoid Frequent Password Changes

NCSC: Advises against mandatory periodic password changes, because they push people toward predictable patterns (Summer2024 becomes Autumn2024). Change a password when there is evidence or suspicion of compromise.
NIST: Agrees: verifiers should not require arbitrary periodic changes, but must force a change when a password is known to be compromised.

3. Enable Multi-Factor Authentication (MFA)

Both NCSC and NIST strongly advocate MFA. A second factor (an authenticator app, a hardware key or a one-time code) means a stolen or guessed password is not on its own enough to log in, which does far more against stolen and guessed passwords than squeezing a few extra characters out of users.

4. Implement Password Managers

NCSC: Recommends password managers to generate and store strong, unique passwords, taking the memory burden off users.
NIST: Echoes this, and says verifiers should allow pasting into the password field so that managers actually work.

5. Screen New Passwords Against Common Breaches

NCSC: Suggests checking new passwords against known breach databases so that a password already in circulation cannot be chosen.
NIST: Requires new passwords to be compared against a blocklist that includes values from breach corpora, dictionary words, repetitive or sequential characters, and context-specific words such as the service name or the username.
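
The following is an added example, not code from the original article. It implements the k-anonymity range-query pattern used by Have I Been Pwned’s Pwned Passwords API: the client sends only the first five hex characters of the password’s SHA-1 hash, receives every known hash suffix sharing that prefix, and matches locally, so the password itself never leaves the machine. Network access is replaced by a constructed in-memory corpus (the passwords and counts are made up) so it runs offline; the small deny list at the end covers the second half of the recommendation, the "context-specific words" check, with a hypothetical organisation name.

```python
"""Screening a candidate password against breach data without disclosing it.

Added example, not code from the original article. Implements the
k-anonymity range query used by Have I Been Pwned's Pwned Passwords API.
A real client would GET https://api.pwnedpasswords.com/range/<prefix>
and parse the same 'SUFFIX:COUNT' line format; here the remote service is
replaced by a CONSTRUCTED corpus so the example runs offline.
"""
import hashlib
from collections import defaultdict
from typing import Callable


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> tuple[str, str]:
    """Return (5-char prefix sent over the wire, 35-char suffix kept local)."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines ignored."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the corpus (0 = not found).
    Only the 5-character prefix is handed to `fetch_range`."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the remote service ---------------------------
# Passwords and counts are made up for the demonstration.
CONSTRUCTED_BREACHED = {
    "password": 9_545_824,
    "Password1": 2_413_945,
    "qwerty123": 1_214_306,
    "Summer2024!": 4_120,
}


def _build_ranges(corpus: dict[str, int]) -> dict[str, str]:
    """Group the corpus by hash prefix, the way the range endpoint serves it."""
    ranges = defaultdict(list)
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        ranges[prefix].append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


_RANGES = _build_ranges(CONSTRUCTED_BREACHED)


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for GET /range/<prefix>; empty body if no match."""
    return _RANGES.get(prefix.upper(), "")


# --- local deny list: very common values and organisation-specific words ----
COMMON_DENY = {"password", "letmein", "welcome", "qwerty", "123456"}


def is_denied(password: str, org_terms=("acme",)) -> bool:
    """Reject the most common passwords and anything built on the company name
    ("acme" is a hypothetical organisation name)."""
    lowered = password.lower()
    return lowered in COMMON_DENY or any(t in lowered for t in org_terms)


def acceptable(password: str, fetch_range=fake_fetch_range, min_length: int = 8) -> bool:
    """Cyber Essentials-style acceptance: length, deny list, then breach check."""
    return (len(password) >= min_length
            and not is_denied(password)
            and breach_count(password, fetch_range) == 0)
```

The real service can pad responses with zero-count entries (when the client asks for padding) so that response size does not leak the prefix population; treating a count of 0 as "not found", as `breach_count` does, handles that correctly. Note that "Summer2024!" passes every complexity rule the consultant might write and is still rejected, which is the point of screening over complexity.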

6. Educate and Train Staff

Both organizations emphasize the importance of regular training and awareness programs to ensure staff understand and follow best practices for password security.

NCSC Cyber Essentials Plus Password Requirements

For small organisations aiming for Cyber Essentials certification (Cyber Essentials Plus tests the same requirements, but with an independent technical audit), the scheme sets the following for password-based authentication:

  • Default Passwords: Change or remove default manufacturer passwords on all devices, software and cloud services before they go into use.
  • Password Policy: Publish a password policy that tells users how to choose a good password (three random words, for instance), not to reuse passwords across accounts, and to change a password promptly if they know or suspect it has been compromised.
  • Length, Not Complexity: Set a minimum of 8 characters and no maximum, and manage password quality with at least one technical control: MFA, a 12-character minimum, or an 8-character minimum plus a deny list that blocks common passwords. The scheme does not require a mix of upper case, lower case, digits and symbols, and does not require periodic expiry; both push people toward predictable patterns.
  • Brute-Force Protection: Throttle or lock accounts, allowing no more than 10 unsuccessful attempts before lockout, or no more than 10 guesses within 5 minutes.
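
As an added example (not code from the original article or the Cyber Essentials scheme), here is a sliding-window throttle implementing the "no more than 10 guesses in 5 minutes" threshold, wired in front of a constructed PBKDF2 credential store so the whole login path can be exercised. The account name, password and user store are made up; the clock is injectable so the behaviour can be checked without waiting five minutes.

```python
"""Brute-force protection: at most N failed guesses per account per window.

Added example, not code from the original article. Defaults of 10 failures
in 300 seconds follow the Cyber Essentials threshold quoted above. The user
store below is constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable


class GuessThrottle:
    """Sliding-window limiter keyed by account name."""

    def __init__(self, max_failures: int = 10, window_seconds: float = 300,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: dict[str, deque] = defaultdict(deque)

    def _recent(self, account: str) -> deque:
        """Drop failures older than the window and return what is left."""
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, account: str) -> bool:
        return len(self._recent(account)) >= self.max_failures

    def retry_after(self, account: str) -> float:
        """Seconds until the oldest counted failure ages out (0 if not blocked)."""
        q = self._recent(account)
        if len(q) < self.max_failures:
            return 0.0
        return self.window - (self.clock() - q[0])

    def record_failure(self, account: str) -> None:
        self._recent(account).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


# --- constructed credential store: PBKDF2-HMAC-SHA256 with a per-user salt --
def _hash_pw(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("orbit-candle-fossil", _SALT))}  # constructed


def verify_password(account: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    record = USERS.get(account)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_pw(password, salt), stored)


def attempt_login(throttle: GuessThrottle, account: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'. A locked attempt never reaches the
    verifier, so an attacker cannot keep testing guesses while locked."""
    if throttle.is_blocked(account):
        return "locked"
    if verify_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


if __name__ == "__main__":
    throttle = GuessThrottle()
    for _ in range(10):
        print(attempt_login(throttle, "alice", "wrong-guess"))
    print(attempt_login(throttle, "alice", "orbit-candle-fossil"),
          f"(retry in {throttle.retry_after('alice'):.0f}s)")
```

Two caveats a practitioner would add. A per-account limiter does nothing against password spraying, where the attacker tries one common password against every account and never trips any single counter; pair it with per-source-IP limits, the breach screening above and MFA. And a hard lockout hands anyone who knows a username a denial-of-service button, which is why a time-based throttle that clears itself, as here, is usually preferable to an administrator-unlock policy.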

By adopting these recommendations and adhering to the Cyber Essentials Plus requirements, small organisations can significantly enhance their cybersecurity posture, reducing the risk of unauthorised access and data breaches. While implementing these measures may seem daunting, the long-term benefits of enhanced security and reduced risk are well worth the effort.

What would my message to a small business owner be? Use a combination of the above, and make the experience as simple as possible for the human. Humans are fallible and we all need simplicity. We don't intentionally choose insecure passwords; we just want life to be simple. If organisations implemented single sign-on together with MFA, the easy option would also be the secure one. There is more to discuss, but that is not the intent of this article.

My main takeaway from the discussion was the feedback from the employees affected by the recommendation. I don't think the person who wrote that report was working from the latest guidance, and I suspect they have little experience with ordinary people who just want to log on to their workstation or laptop and get on with their work.

Manav Agnihotri

CISSP, CISA, PCIP, ISO 27001 Lead Auditor

5 months

Awesome, just like you, Simon; brilliant and engaging!

Ashley Burton

Head of Product @ Eckoh | AI, Customer Engagement & Payment Innovation

5 months

Great article, I like the comparisons between the NCSC and NIST.
