If you are a small-business owner, you are already painfully aware that small- and medium-sized businesses are particularly vulnerable to fraud and data theft. Smaller companies tend to lack resources for dedicated information technology (IT) staff or sophisticated security software. Even in companies with an IT department, employees may still use weak passwords, click on questionable links, send work data over unsecured public WiFi, or use outside applications like Dropbox or Google Drive for work.
Small-business owners can start by educating employees to recognize phishing attacks, in which hackers try to steal login or other information, and questionable attachments that could pose a threat. Employees should also understand the dangers of spoofed public WiFi networks, in which a hacker creates a fake version of a public WiFi hot spot to steal login credentials.
Enabling two-factor authentication whenever possible can help add a layer of login verification. When logging into an account, the employee is prompted for a one-time passcode sent via text message or through a cellphone app. Two-factor authentication can also be done with a tool called YubiKey, a small USB device that is used in combination with a username and password to verify your identity. It provides two-factor authentication with a physical presence rather than a typed code and works on Microsoft Windows, Mac OS X, Linux, and Chrome OS. It is effective in stopping hackers from taking over accounts because the second factor is needed to complete login, even with a stolen password.
All these suggestions are worth consideration, of course. But according to the 2018 Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches can be traced back to stolen or weak passwords. The biggest payoff will come from getting employees to use strong, long, and unique passwords on every website. Consider the use of strong, unique passwords throughout your company as its first line of defense against cyberhackers.
Good password hygiene means the typical employee must memorize and track many, many passwords. One common and insecure practice at some companies is to keep a spreadsheet of passwords to company accounts and services that is shared with everyone in the company, or to send passwords via Slack channels or by email. This approach, unfortunately, makes it impossible to track and control employee access and takes more time and effort to manage. Many times, when you have one-off sharing like this, you can never answer the questions, “Who has access to this account?” and “What does this person have access to?” It also means generating new passwords every time an employee leaves the company.
Because a stolen password can have such a major impact on a small business, more and more companies are using a password manager – an application that stores passwords in an encrypted format and provides secure access to all the password information with the help of a master password. Small businesses often discover value in using a password manager to boost both the company’s productivity and security. The Messaging, Malware and Mobile Anti-Abuse Working Group recommends, in fact, that most people use a password manager and that businesses promote its use among their users, staff, and customers.
Here’s how password managers work:
- A password manager usually installs as a browser plug-in that captures passwords and encrypts them for storage and recovery, and that can fill in login forms for you. You have access to your passwords no matter where you are, as they are stored “in the cloud.”
- A good password manager will use a strong, secure algorithm to generate strong random passwords for you.
- The password manager tool should encrypt all passwords with a “master key” that you set, so no one can read them unless they have your master key. The employee needs to remember only the one master password.
- Password managers are integrated with web browsers and synced across multiple user devices. Most also offer a browser toolbar menu of saved logins, so you can go straight to a saved site and log in automatically, or use the manager on a shared machine so that you can access your passwords securely in a conference room.
- Because typing in a random string of password characters on a smartphone’s tiny keyboard can be challenging, most password managers also sync across Android and iOS devices for easy use on mobile.
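To make two of the points above concrete (random password generation and a master key that is never stored), here is an added example in Python; it is not taken from any particular password manager. The function names, the character set, PBKDF2 with 600,000 iterations, and the "vault-key-check" label are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

SYMBOLS = "!@#$%^&*-_=+"  # assumed symbol set for this example
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)
ITERATIONS = 600_000  # assumed work factor; slows down guessing of the master password


def generate_password(length=20):
    """Draw characters from the OS random source; redraw until every class appears."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length):
    """Upper bound on the guessing entropy of a uniformly random password."""
    return length * math.log2(len(ALPHABET))


def derive_vault_key(master_password, salt):
    """Stretch the master password into a 32-byte key used to encrypt the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, ITERATIONS, dklen=32)


def _key_check(key):
    # A MAC over a fixed label lets the manager recognise the right key
    # without keeping the master password or the key itself on disk.
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def enroll(master_password):
    """Return the values that are stored: a random salt and the key check."""
    salt = secrets.token_bytes(16)
    return salt, _key_check(derive_vault_key(master_password, salt))


def unlocks(master_password, salt, stored_check):
    """True only if the typed master password derives the enrolled key."""
    candidate = _key_check(derive_vault_key(master_password, salt))
    return hmac.compare_digest(candidate, stored_check)
```

A 20-character password from this generator carries roughly 124 bits of entropy, far beyond what an employee would choose or remember unaided, which is why the manager rather than the person holds it.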
Password managers can also help track and manage employee access to login information, so only certain departments or groups in a company have permission for specific company passwords. This makes onboarding new employees or removing access for those leaving the company easier to do and oversee.
Since employees don’t have to remember dozens of different passwords, a good password manager helps eliminate two of the biggest password liabilities: weak passwords and using the same password for multiple accounts. Its combination of storing passwords in an encrypted state and using a strong, secure algorithm to generate random passwords improves overall password strength and security.
I don’t believe there is only one way to generate a password, but I would strongly suggest the use of a password manager. You can look at ours or check this 2018 list of password manager apps for small businesses. Keeping passwords strong and secure should be at the top of every small-business owner’s list when it comes to protecting company assets—and a password manager makes that easier for everyone on your staff.