How SMBs can nail their password policy

Sensible security: People and passwords
Sensible security

Before putting their first lines of defence in place and thinking about passwords, organisations should recognise the two main types of security breach. These broadly fall into a) opportunistic and b) planned.

Opportunistic

Opportunistic hackers will often see an 'open door' and take the chance to attack a company. The motivation is usually kudos or boredom, and these attacks rarely have a fixed goal. And of course, hackers can't resist the temptation when companies leave the back door to their IT systems wide open.

Research shows too many people still use '123456' or 'password' as their password, so unsurprisingly weak passwords are the most common way for a hacker to get at sensitive information.

Lots of small businesses do not have a password policy, so employees will often use the two or three passwords they can remember easily and reuse them across work and home accounts. Once one of those accounts is breached, every other account sharing the password is exposed.

Planned

Planned attacks target a specific company and have a fixed goal, and for these there is an even easier way to get someone's master password: just ask for it. Commonly known as 'social engineering', calling up a company and claiming to be from the IT department, or simply looking over the shoulder of someone typing in their password, is still one of the most effective methods for getting into a secure network.

Tips for better passwords

1. Create a password policy and educate employees on how the business can protect itself from password-related weaknesses.

2. Do an audit:

  • Identification – Look at what areas of your IT systems require passwords. Identify all devices that then connect to those systems.
  • Classification - Collate information on which areas and devices need passwords and the level of access granted to each. This will allow you to apply rules about security levels.
  • Assess risk – Talk through multiple scenarios, identifying the risks, how likely each is to happen and what the impact would be. The more likely a risk is to materialise, the higher the security should be in that area.
  • Test – Testing out the scenarios will allow you to identify details which may have been overlooked and which could create weak spots.
  • Review – Review the password policy regularly to ensure it is meeting your security needs.

3. Make sure all passwords are different and complex; set rules about length and the inclusion of certain types of characters. Most people choose dictionary words, sequences (654321), spatial keyboard patterns (qweasd), repeats (aaaaaaaa) or a combination of these, which are exactly the first guesses a password-cracking tool makes. Length does more for strength than forcing in symbols, so favour a longer minimum over ever more elaborate character rules.

4. Use a free or low-cost password manager such as LastPass or KeePassX for your employees. These generate complex, unique passwords and keep them in an encrypted vault (hosted by the service in LastPass's case, a local file in KeePassX's), so the user only needs to remember one master password to unlock it.

5. Add multi-factor authentication, for example a hardware token such as a YubiKey, whether or not a password manager is in use. Access then requires something beyond the password: the physical USB key, a fingerprint (depending on the security features of your laptop or computer), or a one-time code. Restricting logins to a listed IP address is a useful extra control but is not a second factor in itself, and MFA does not make weak passwords acceptable; it limits the damage when a password is phished or guessed.

6. Ask users not to plug in random USB drives (e.g. ones given out at conferences); an unknown USB stick can carry malware onto the network.

7. Educate employees not to give out passwords, email addresses, usernames, etc. over the phone or by email without authorisation, and to call back anyone claiming to be from IT on a known internal number before helping them.
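As an added example (not code from the original article), the following Python checker flags each of the weak-password patterns listed in tip 3: dictionary words (including common leet spellings such as P@ssw0rd), ascending or descending sequences, keyboard patterns, and repeats, alongside length and character-class rules. The minimum length (12), the number of character classes (3) and the small wordlist are assumed policy values chosen for illustration; a real deployment would check against a breached-password list instead.

```python
"""Weak-password pattern checker: an added illustration of tip 3, not the article's own code.

The length threshold, class requirement and wordlist below are assumed policy values.
"""
import re

MIN_LENGTH = 12   # assumed policy value
MIN_CLASSES = 3   # of: lower, upper, digit, symbol (assumed policy value)

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                "football", "summer", "company", "qwerty"}

# QWERTY rows, used to detect spatial patterns such as qweasd or zxcvb.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_KEY_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}

# Common "leet" substitutions undone before the dictionary check (P@ssw0rd -> password).
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step up or down by one (abcd, 6543)."""
    codes = [ord(ch) for ch in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_spatial_pattern(pw, min_len=4, ratio=0.75):
    """True if most adjacent character pairs are neighbouring keys across the whole string."""
    chars = pw.lower()
    if len(chars) < min_len:
        return False
    adjacent = 0
    for a, b in zip(chars, chars[1:]):
        if a in _KEY_POS and b in _KEY_POS and a != b:
            (ra, ca), (rb, cb) = _KEY_POS[a], _KEY_POS[b]
            if abs(ra - rb) <= 1 and abs(ca - cb) <= 1:
                adjacent += 1
    return adjacent / (len(chars) - 1) >= ratio


def has_repeats(pw, run=4):
    """True for one character repeated `run`+ times (aaaa) or a repeated block (abcabc)."""
    if re.search(r"(.)\1{%d,}" % (run - 1), pw):
        return True
    # A string built by repeating a shorter block reappears in pw+pw before index len(pw).
    return len(pw) >= 4 and (pw + pw).find(pw, 1) != len(pw)


def contains_dictionary_word(pw, words=COMMON_WORDS):
    """True if a common word appears inside the password, ignoring case and leet spelling."""
    normalised = pw.lower().translate(_LEET)
    return any(w in normalised for w in words)


def character_classes(pw):
    """Count how many of the lower/upper/digit/symbol classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def check_password(pw):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if character_classes(pw) < MIN_CLASSES:
        failures.append("too few character classes")
    if contains_dictionary_word(pw):
        failures.append("dictionary word")
    if has_sequence(pw):
        failures.append("sequence")
    if has_spatial_pattern(pw):
        failures.append("keyboard pattern")
    if has_repeats(pw):
        failures.append("repeats")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords: the article's examples plus two stronger ones.
    for candidate in ["654321", "qweasd", "aaaaaaaa", "P@ssw0rd1",
                      "Tr0ub4dor&3", "c0rrect-H0rse_b4ttery+Staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate) or 'OK'}")
```

The spatial check scores the whole string rather than looking for a fixed run, which is what lets a pattern like qweasd (two runs of three with one jump between rows) still be caught; the dictionary check is deliberately run after undoing leet substitutions, since crackers apply the same rules.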

Today, SMEs need to be pragmatic about password policies. The level of security (and the barriers to usability that come with it) should be proportionate to your risk factors, and those factors determine how far you need to go with password security.

If you have other tips, please comment below or contact me on @JackBP_4D with the hashtag #ITsecurity.

  • Jack Bedell-Pearce has over 12 years of commercial, operational and technical experience. He is responsible for the day-to-day running of 4D Data Centres, a colocation and connectivity supplier for SMEs in the South East.