via ICAEW Insights
Despite the increasing risk of serious data breaches and cyberattacks, many organisations fall at the first hurdle, with poor password security opening the door to cybercriminals. We offer advice on making passwords more secure.
If you’re still reverting to ‘Admin123’ as a default password, the reality is you’re not alone. Faced with endless passwords needed to access the many IT systems on which we all rely, the temptation to take shortcuts is clear; Verizon’s 2020 Data Breach Investigations Report (DBIR) revealed that over 80% of data breaches are caused by weak or stolen passwords.
With cybercrime on the rise and the growing risk of data breaches exposing sensitive data including customer data and financial information, digital safeguarding has never been more important.
According to the BBC’s Panorama programme, one password was all it took for a ransomware gang to destroy 158-year-old Northamptonshire transport company KNP and put its 700 employees out of work. KNP said its IT complied with industry standards and that it had taken out insurance against cyberattack. Even so, the gang infiltrated its systems, leaving staff unable to access any of the data needed to run the business, and demanded a ransom for its return.
More recently, household-name retailers including M&S, Harrods and Co-op have all been targeted by cybercriminals. In M&S’s case, the issue is believed to have been not weak passwords but a weak process for password resets. The National Cyber Security Centre (NCSC) handles major cyberattacks daily and warns that most start with one weak link – like a reused or guessable password.
In short, passwords remain a primary entry point for hackers to prey on vulnerable businesses and individuals. No matter how secure you think yours is, there’s always a way to make things safer.
Ten password security best practices
Use strong and unique passwords – Don’t use the same password across multiple sites, as this can make all your accounts vulnerable. Enforce clear policies on password complexity that match the organisation’s specific risks – require passwords with a mix of upper- and lower-case letters, numbers, and special characters. Passphrases offer a good balance – they can be long and complex while still memorable.
Provide clear cybersecurity guidance and support – The real takeaway isn’t just that users make mistakes, it’s that systems still depend on them not to, warns Steven Furnell, Professor of Cyber Security at the University of Nottingham. “We know people often choose poor passwords, so if they’re the first line of defence for an organisation, organisations should provide clear guidance and support so users understand how to create and manage passwords effectively. Most people do better when they know what’s expected and why it matters.”
Mandate multi-factor authentication – Add an extra layer of protection by requiring a second verification step in addition to a password. This significantly reduces the risk of unauthorised access – even if passwords are compromised. Rather than sending a code to a user’s phone, opt for authenticator apps that randomly generate six-digit codes that refresh every minute, or for biometric authentication.
Regularly audit access controls – Routine password reviews are essential to staying ahead of potential threats. Changing your passwords regularly – experts recommend every three to six months – minimises the risk of ongoing exposure in the event of a data breach. The website HaveIBeenPwned offers a free tool for checking individual passwords and account details, as well as an application programming interface (API) for checking whether passwords have appeared in known breaches.
Use a password manager – This reduces the risk of using weak or reused passwords by generating unique and complex passwords. It also stores them securely so users don’t need to worry about remembering dozens of unique ones. But Furnell warns that password managers can only assist if the features are properly implemented.
Be cautious of phishing scams – Always verify the source of emails or messages requesting login credentials, and don’t click on suspicious links if you are even the slightest bit unsure. Check that a website is secure before entering any details, and confirm that a message is legitimate before opening any link it contains.
Engage in regular training – Human error is a major vulnerability. Deliver regular staff training on password best practices and the latest phishing techniques, to maintain a healthy scepticism toward unexpected login prompts or credential requests. The importance of data security protocols should be embedded in your onboarding and compliance programmes and not treated as an afterthought. When employees understand why these rules exist, they are far more likely to follow them properly.
Nurture a culture of collective responsibility – Make sure staff are aware that password security is everyone’s responsibility, not just that of IT. Communicate clearly that everyone is expected to reassess their own password practices and take action to create strong passwords.
Have safeguards built in – Richard Cassidy, EMEA CISO at cybersecurity company Rubrik, says it’s essential to have strong access controls across your IT ecosystem: “Limit access to sensitive data and systems to ensure employees have only the permissions necessary to perform their job duties.” Meanwhile, keep all software, operating systems and security tools updated with the latest patches. And check whether your service providers support suspicious activity notifications such as logins from new devices or unusual locations.
Prepare for the worst – Having a response and recovery plan will ensure that if the worst does happen, you can mitigate the disruption and be back up on your feet sooner rather than later. “Create an incident response plan to ensure that if an attack does happen data is safe, has been regularly backed up and is secure, so you can hit the ground running again,” Cassidy says. The NCSC offers useful tips on preparing for a cyber incident, from response through to recovery.
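The HaveIBeenPwned password API mentioned under the audit practice above works as a k-anonymity range query: only the first five hex characters of the password’s SHA-1 hash are sent, and the match against the returned suffixes is done locally, so neither the password nor its full hash leaves the machine. The following Python is an added example (not code from the article or from HaveIBeenPwned) showing that check; the API response it parses is a constructed sample, and the live fetch function is included but not called.

```python
"""Offline demo of the HaveIBeenPwned Pwned Passwords k-anonymity check."""
import hashlib
import urllib.request

# Constructed sample of what the API returns for prefix "5BAA6" (the SHA-1 of
# "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The other suffixes
# and all counts are made up; the count-0 line mimics the padding entries the
# API adds when the Add-Padding header is sent.
CONSTRUCTED_RANGE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "003D68EB55068C33ACE09247EE4C639306B:0\r\n"
    ),
}

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding (count 0)."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call; serves only the constructed sample."""
    return CONSTRUCTED_RANGE.get(prefix, "")

def fetch_range_live(prefix: str) -> str:
    """Real range query against the public API (not called in this demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range_offline) -> int:
    """How often the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)
```

Calling breach_count("password") against the constructed sample returns 3861493, while a passphrase whose hash prefix is not in the sample returns 0; pass fetch=fetch_range_live to run the same logic against the real service.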
Poor password hygiene is not just a technical concern – it’s a direct risk to client confidentiality, financial data and overall business resilience, warns Vivek Dodd, CEO at compliance training provider Skillcast: “The firms that invest in these measures are not only enhancing their defences and boosting password security, but also demonstrating accountability and professionalism to clients, regulators and stakeholders alike.”
Ian Pay, ICAEW’s Head of Data Analytics and Tech, says: “While it is very easy to get carried away with the latest technologies, and seek to prevent criminals from using them to perpetrate sophisticated attacks, the simple fact remains that the significant majority of cyber incidents are password-related.”
A more radical option is to consider doing away with passwords entirely. Passkeys are seen by many as a way to replace traditional login approaches. Google, Microsoft, Facebook and several banks already adopt and actively encourage setting passkeys as the default login option.
In the meantime, individuals and organisations all need to take responsibility for how they manage passwords, to ensure that they don’t become just another cyber breach statistic, Pay says: “That’s more than just enforcing complex passwords – it’s ensuring that access to sensitive information does not rely solely on them.
“If technological competence is now a part of ICAEW’s Code of Ethics, then an understanding of password best practices is surely the bare minimum expected of an ICAEW Chartered Accountant.”