The password paradox and its impact on UK businesses

For decades, major leaders in tech have been predicting that using passwords for authentication would soon become a thing of the past. In the late 1990s, Sun Microsystems co-founder Scott McNealy said that they were inefficient, easily compromised, and on track to be replaced by futuristic technology like biometrics. At a conference in 2004, Bill Gates, stating similar reasons, said their demise was around the corner. So did former Google CEO Eric Schmidt in 2011, pointing to the potential of the newly ubiquitous smartphone as a more secure and convenient way for people to verify their identities.

Here we are in 2024, and the password still reigns supreme. Face ID, fingerprint scanners and two-factor authentication have of course become ubiquitous too, but passwords are not only persisting but proliferating across our digital lives. Even as we continue to embrace a wide swath of smart devices and online services, the number of passwords we manage has skyrocketed over the past few years. One recent study shows that the average person juggles passwords for 168 accounts, from social media to banking, and the average number for business-related accounts is 87.

The basic problem with passwords is that they’re too often either easy to guess or difficult to remember. Compared to biometrics and more advanced methods, they’re vulnerable to security breaches and inconvenient as a sole method of authentication. All the while, their staying power can be attributed to their simplicity and broad acceptance.

Generally, passwords can still be effective—as long as they’re sufficiently complex and not reused across multiple sites. The UK government has taken steps to address this by passing legislation that includes preventing the use of universal default passwords for smart devices. Parallel recommendations from the National Cyber Security Centre (NCSC) encourage stronger passwords as well as regularly changing them.

Businesses, on the whole, haven’t been quite so proactive. Looking at data from the UK government compiled over the past eight years reveals a precarious situation for commercial password security, and the financial implications of this can be grave.

Miles Underwood, Payset’s writer focused on technology, economics and their intersection.

Too many businesses in the UK are neglecting password security

Despite the rapid evolution of cybersecurity technologies, the last eight years of government data shows that almost three in ten UK businesses continue to treat password security with a concerning level of neglect. This complacency not only poses risks to the businesses themselves, but to their clients and the broader digital ecosystem.

Year after year, government surveys have painted a consistent picture: while some businesses fortify themselves against cyberattack threats, too many are lax about enforcing strong password policies.

In 2017, 31% of organizations reported having no formal password policy in place. This number saw minor fluctuations in following years, dropping to a low of 19% in 2020 but creeping back up to 28% by 2024. On average, over these eight years, 27% of UK businesses did not enforce critical password security measures.

These statistics reflect a broader trend of inconsistency and underestimation of cybersecurity threats among UK businesses. Weak password policies can easily lead to severe consequences, and the economic impact is stark. For businesses without adequate protections, the price of an attack can include not only immediate financial losses but also long-term damages like legal repercussions and the loss of consumer trust.

The most disruptive cyberattacks can lead to operational paralysis and major financial loss. The UK government's data from 2024 shows that the direct costs of these incidents—ranging from specialist interventions to legal fees—average £10,830. When considering the broader impact, like data and asset loss, these costs can balloon to as much as £40,400 per incident. Given that 41% of businesses reported experiencing some form of cybersecurity breach annually over the past eight years, the cumulative economic burden is substantial.

The cyber threats for UK businesses

UK businesses face a gauntlet of cyber threats that can compromise their operations and integrity. Here are the key types:

Phishing Attacks: The most prevalent threat, affecting 80% of reported cases, involves deceptive emails or messages designed to steal sensitive information like login credentials and financial data.

Impersonation and Fraud: Attackers often impersonate legitimate companies or contacts to gain trust before extracting critical information, impacting around 29% of businesses.

Malware: Including viruses and spyware, malware is installed without the user’s knowledge to corrupt systems or steal data directly, affecting 18% of businesses each year.

Ransomware: This type of attack, affecting 9% of businesses, involves hijacking a company’s data or systems and demanding payment for their release.

Hacking of Online Accounts: Direct attacks on business accounts, especially bank accounts, also pose a significant threat.

Denial of Service (DoS) Attacks: These attacks aim to overload systems and make websites or online services inoperable, thus disrupting business operations.

Insider Threats: Sometimes the risk comes from within, with unauthorized access by staff to sensitive information.

The consequences of these attacks extend beyond the immediate disruptions and financial losses. They can erode customer trust, damage a company’s reputation, and lead to long-term revenue declines. Adding to this, regulatory penalties for failing to protect data come with their own set of financial burdens and legal liabilities.

Nine ways businesses can keep their passwords more secure

While passwords continue to proliferate, there are many ways businesses can protect themselves against cybersecurity threats. Here are the best ones:

1. Use strong, complex passwords

Encourage the creation of passwords that are long (at least 12 characters), and include a mix of uppercase letters, lowercase letters, numbers, and symbols. Avoid common words and predictable patterns.
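The rule above can be enforced at the point where a user sets a password rather than left to encouragement. The following is an added example, not code from the article or from Payset: a small policy checker that applies the length and character-mix requirements and rejects the kinds of predictable choices the article warns about (dictionary words, including leetspeak variants, repeated characters and keyboard-style runs). The banned-word list is a constructed sample; a real deployment would load a breached-password list instead, and the threshold of three character classes is an assumption made here.

```python
import re

# Constructed sample of banned words; a real deployment would load a
# breached-password list with many thousands of entries instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "monkey"}

# Minimal leetspeak normalisation so "P@ssw0rd" still matches "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s"})

# Lowercase, uppercase, digit, symbol.
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _has_sequence(pw: str, run: int = 3) -> bool:
    """True if any `run` consecutive characters step by +1 or -1 (abc, 321, 9876)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw: str, min_len: int = 12, min_classes: int = 3) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Violation codes: too_short, class_mix, common_word, repeat, sequence.
    The 12-character minimum follows the article; min_classes=3 is an assumption.
    """
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, pw))
    if classes < min_classes:
        problems.append("class_mix")
    # Compare against the banned list after lowercasing and undoing leetspeak.
    normalised = pw.lower().translate(LEET)
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("common_word")
    # Three or more identical characters in a row ("aaa", "111").
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeat")
    if _has_sequence(pw):
        problems.append("sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "P@ssw0rd2024!!", "vZ7#kq2Lm9@wXe"):
        print(candidate, check_password(candidate) or "ok")
```

Note that a long passphrase such as correct-horse-battery-staple fails the class-mix rule under this policy even though it is far harder to guess than "Password123!"; whether to relax that rule for long passwords is a policy decision, which is why the thresholds are parameters.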

2. Implement two-factor authentication (2FA)

Adding a second layer of security beyond just a password greatly reduces the risk of unauthorized access. Authentication factors fall into three categories: something the user knows (a password), something the user has (a smartphone or security token), or something the user is (biometric data). Two-factor authentication combines a password with a factor from one of the other two categories.

3. Educate employees

Regular training sessions on cybersecurity best practices and the latest phishing scams can heighten awareness and prepare employees to act securely. Phishing simulations can also be a practical tool in training.

4. Regularly update and manage passwords

Use a password manager to generate and store complex passwords. This reduces the burden on people to remember them all, and makes it easy to have unique passwords across multiple sites.

5. Enforce password changes after security incidents

While frequent password changes aren’t generally recommended, it's critical to update passwords immediately following any security breach or suspicious activity.

6. Limit the use of privileged accounts

Ensure that accounts with administrative privileges are only used when necessary, and that they have the strictest security measures. Regular audits of user access rights can help prevent abuse and reduce the risk of insider threats.

7. Monitor and respond to breaches

Implementing security tools that detect unauthorized access and other suspicious activities can enable businesses to respond quickly to potential breaches. Regularly check security settings and access logs to catch incidents early.
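Checking access logs for password attacks is a concrete, automatable version of this advice. The following is an added example, not code from the article or from Payset: it parses a constructed authentication log (the line format, usernames and source addresses are all made up for the example; the addresses come from the documentation ranges) and raises three kinds of alert within a sliding five-minute window: a burst of failures from one source (brute force), a successful login from a source that has just produced such a burst (a likely compromise worth an immediate password reset, as item 5 recommends), and one source trying several different usernames (password spraying). The thresholds and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for the example; not real data.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth FAILED user=alice src=203.0.113.10
2024-05-01T09:00:05 auth FAILED user=alice src=203.0.113.10
2024-05-01T09:00:09 auth FAILED user=alice src=203.0.113.10
2024-05-01T09:00:14 auth FAILED user=alice src=203.0.113.10
2024-05-01T09:00:20 auth FAILED user=alice src=203.0.113.10
2024-05-01T09:00:26 auth FAILED user=alice src=203.0.113.10
2024-05-01T09:01:00 auth SUCCESS user=alice src=203.0.113.10
2024-05-01T09:05:00 auth FAILED user=bob src=198.51.100.7
2024-05-01T09:05:30 auth SUCCESS user=bob src=198.51.100.7
2024-05-01T09:10:00 auth FAILED user=carol src=192.0.2.55
2024-05-01T09:10:30 auth FAILED user=dave src=192.0.2.55
2024-05-01T09:11:00 auth FAILED user=erin src=192.0.2.55
2024-05-01T09:11:30 auth FAILED user=frank src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the hypothetical log format above into events sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown line: skip it rather than crash the detector
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=5, spray_threshold=4, window=timedelta(minutes=5)):
    """Return (kind, src, detail) alerts; each kind fires once per source."""
    recent = defaultdict(deque)  # src -> (ts, user) failures inside the window
    flagged = set()              # (kind, src) already raised, to avoid alert storms
    alerts = []

    def raise_once(kind, src, detail):
        if (kind, src) not in flagged:
            flagged.add((kind, src))
            alerts.append((kind, src, detail))

    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= fail_threshold:
                raise_once("brute_force", ev["src"],
                           f"{len(q)} failures by {ev['ts'].isoformat()}")
            users = {u for _, u in q}
            if len(users) >= spray_threshold:
                raise_once("password_spray", ev["src"],
                           f"{len(users)} distinct users tried")
        elif len(q) >= fail_threshold:
            # A success right after a failure burst is the event to act on first.
            raise_once("success_after_failures", ev["src"],
                       f"{ev['user']} logged in after {len(q)} failures")
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind:24} {src:15} {detail}")
```

Bob's single mistyped password followed by a success produces nothing, which is the point of a windowed threshold: the detector should surface the burst against alice and the spray from 192.0.2.55 without paging anyone for ordinary typos.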

8. Secure wireless networks

Ensure that business networks, especially Wi-Fi networks, are secure, encrypted, and hidden. Use network firewalls and segment networks to protect sensitive data.

9. Control physical access

Limit physical access to critical infrastructure to authorized employees only. This helps prevent unauthorized personnel from accessing and potentially compromising systems.

The importance of cyber hygiene

Despite advancements in cybersecurity and the advocacy for more robust authentication methods over the decades, passwords continue to anchor our digital identities. UK government data over the past eight years highlights a stark reality—three in ten UK businesses aren’t paying enough attention to password security.

This indifference exposes businesses to a spectrum of cyber threats, ranging from data breaches to operational disruptions, and these don’t only come with financial costs but can erode trust and damage reputational standing over the long term. Effective password management is the bedrock of cybersecurity. Given the consequences of indifference, it’s resoundingly clear: implementing cyber hygiene practices isn’t just a technical necessity, it’s a business imperative.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.
