Why passwords just don't cut it anymore

Passwords are no longer a strong enough form of protection

No matter how complex it is, a password alone is no longer a reliable means of keeping your business secure. Recent data breaches have shown how easy passwords now are to acquire: attackers often target an employee in a 'phishing' attack, gaining access to your network and, crucially, your company data.

With biometrics yet to make huge waves, it's likely the password will continue to appear in security scenarios for a while yet. However, experts recommend that it forms only a part of your authentication process, rather than its entirety.

Complexity and management are important: SMBs are often guilty of reusing the same password across multiple accounts, meaning that once attackers are in, they have access to all your systems.

Worse still, according to Dan Power, Sales Director at OneLogin: "Often, where the password is shared, the complexity is pretty weak."

"Even down to things as simple as access to the FedEx account, we find there is no process for changing the password when people leave the company," he adds.

Monitoring your network

Yet if passwords don't work, how can an SMB stay secure? Experts recommend monitoring your network and detecting attacks as they happen. Security has traditionally centred on prevention, but this isn't working, says Jeremy Bergsman, Head of the information risk division of business advisory firm CEB.

He advises firms to look at appointing a 'hunter' to monitor systems for suspicious network traffic. "This [hunter] is spotting things as they happen - rather than pre-empting them," he explains, adding that they are becoming increasingly popular in financial service firms, pharmaceutical companies and "anyone who's targeted by organised crime".

In the past, monitoring involved simply watching for alerts from systems, says Bergsman. "But the 'hunter' is actively going out and looking for strange behaviour – they have the unique ability to spot indicators of compromise."

Ideally, says Bergsman, the 'hunter' should be able to simultaneously think from the attacker's perspective as well as the SMB's. The job can be one that small businesses outsource, but it does require some familiarity with your systems: "People are outsourcing the traditional monitoring, so maybe outsource the hunter instead," he advises.

With attacks almost always starting with a person, through means such as phishing emails, educating employees is also very important. This should form part of a layered approach to security, experts agree, and free tools are available for smaller SMBs.

But part of this layered approach includes authentication: so if passwords aren't cutting it, what works? Pattern-based security setups such as those used for Android lock screens are on offer, says Catalin Cosoi, Chief Security Strategist at Bitdefender. But it is likely that a way will eventually be found to compromise them.

Instead, he adds: "A very interesting option is provided by one-time password setups. The key fob token generators seem to be the most successful so far as a means of authorising specific financial transactions: they offer a lot of security for very little inconvenience."

SMBs could also use biometrics as a secure method of physical access to the cloud, says Peter Jones, Business Manager of security solutions, information systems group, Hitachi Europe. "As companies look at cloud entitlement and access becomes more critical to manage, you can use biometrics as an entrance to the cloud. Biometrics are a stronger method for access to systems or for transactions," he says.

OneLogin offers identity management and single sign-on for SMBs to access cloud services. Meanwhile, security firm VASCO offers cloud-based two-factor authentication for SMBs that deal with transactions, through its scalable Mydigipass.com platform.

As security threats widen, a layered approach that includes monitoring is key. The password isn't dead yet, but it's certainly not secure enough on its own.