10 mistakes your employees are making with your business’s passwords

Blissful ignorance by employees is, more often than not, the cause of security breaches

Since the dawn of commerce, business owners have acknowledged that their greatest asset is their employees. Since the dawn of the internet, though, cyber-savvy business owners have acknowledged that they are also their greatest liability.

Studies on IT security have a common denominator when it comes to identifying the singlemost weak link in the cybersecurity chain: human beings.

The easy path

It is a natural habit for individuals to want to take the easy path. Whilst that is often put forward as an undesirable attribute in a person, there are advantages too: if there isn’t an easy path, someone will invent one, and the result may be a step forward in technology.

There are times, though, when taking the easy path can have ruinous outcomes in the business world.

In IT systems, user convenience and tight security don’t always occupy the same space, and when employees take the easy path with passwords they put your business at risk.

The mistakes that employees make with passwords are not typically done with malicious intent, or any degree of wilful negligence; it’s often a simple case of ignorance. Most commonly, though, the motivation is one of convenience.

The 10 password mistakes your employees are making

1. Writing down passwords on notes which are kept in full view, or under the keyboard, or in a drawer, or saved in their phone’s contact list under – you guessed it – P!
2. Using the same password for personal accounts and business accounts. If a hacker cracks the password on any of the personal accounts that your employee uses, he or she will try it elsewhere.
3. Using the same password on all work-related accounts. Employees should use separate passwords for separate business accounts, especially if they have different permissions.
4. Using their football team, pet’s name or family names for business passwords. Hackers can and do look up employees on social media sites and use what they find there to crack passwords.
5. Meeting the bare minimum on password requirements. Typical password policies state a minimum of 8 characters, so that’s exactly what employees use. Even with added complexity (numbers, special characters, mixed case letters), shorter passwords are far easier to crack than long ones.
6. Incrementing a digit on the end when asked to change a password. Hackers are well aware of this tendency, which results in easily predictable password patterns.
7. Telling other people their password. Once a password is known by anyone else, even if it’s a colleague, the system becomes less secure, as the other person’s approach to security may not be adequately rigorous.
8. Saving passwords on browsers. By invoking the ‘Save password’ or ‘Remember me’ option on websites, employees leave the door open to hackers.
9. Emailing passwords to themselves so they can work from home, leaving the information in plain text rather than encrypted. Employees mistakenly think that, because email is a widely used communication tool, it must be safe.
10. Logging in to business accounts on unsecured networks or devices. Using a coffee shop’s open Wi-Fi network, for example, or using a personal device that hasn’t been secured, leaves the connection open to snooping.

The road less travelled

If the analogy of the easy path is applied to negligent password practices, it is perhaps not surprising that one can draw an interesting clue to its solution from M Scott Peck’s work, ‘The Road Less Travelled’, in which the noted psychiatrist describes the importance of discipline in achieving a state of well-being.

If discipline is the takeaway, business owners need to be proactive in engaging the cooperation of employees to stop risky password habits. A good place to start is with a written policy on what is, and what is not, acceptable.

Arguably, a company’s security is defined by its weakest password, so owners should raise the bar when it comes to rules for password length and complexity, offering tools to test password strength, and using a password manager with a single pass phrase rather than expecting employees to remember several of them.

The consequences of a breach can be devastating: loss of assets, loss of goodwill, loss of public integrity. A disciplined approach to password policies, protocols and practices is key to maintaining a secure network. Call it a path, call it a road, it’s the only way to go.