Why Your Small Business Needs Strong Passwords and Trusted Access

By John Mitchell

July 22, 2025

I was reading this BBC article (https://www.bbc.co.uk/news/articles/cx2gx28815wo) about how one password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work, and thought that I’d write this article to discuss strong passwords and the need for trusted access to your systems.

Running a small business is tough enough without worrying about hackers, scammers, or dodgy ex-employees messing things up. But sadly, the reality is that cyber threats are everywhere. One dodgy password or a bit of careless access can bring your whole business to a halt. Sounds dramatic, but it’s true.

In this post, we’re talking about two super important things every small business owner should take seriously: using proper, strong passwords (none of this ‘123456’ rubbish) and making sure you only give access to systems and info to people you actually trust.

Why Passwords Still Matter (A Lot!)

We’ve all heard it before: “Use strong passwords.” But let’s be honest – how many of us still use the same old password we made up ten years ago because we can’t be bothered to change it? After all, there are reports that the average person has 168 personal passwords and maybe another 90ish that are work-related (https://nordpass.com/blog/how-many-passwords-does-average-person-have/).

Here’s the thing. Weak passwords are like using a plastic bag to lock your front door. It might keep out the wind, but not much else. Hackers don’t even need to be clever these days – they’ve got tools that can guess weak passwords in seconds.

Common Password Mistakes

  • Using names or birthdays: Your dog’s name and your kid’s birthday aren’t secrets, especially if you’ve got them all over social media.
  • Repeating passwords: Using the same password for everything means if one site gets hacked, they all do.
  • Short passwords: The shorter it is, the easier it is to crack. Simple as that.
  • Sticking with defaults: Lots of systems come with a default username and password like ‘admin’ and ‘password’. That’s basically an open invite for trouble.

What Makes a Strong Password?

A good password needs to be long, random, and difficult to guess – even for someone who knows you well. Think of it like a padlock. Would you rather use a flimsy one from a pound shop or a proper heavy-duty one?

Tips for Creating Strong Passwords

  • Use at least 12 characters: Longer is better. Every extra character makes it harder to crack.
  • Mix things up: Use upper and lower case letters, numbers, and symbols.
  • Avoid obvious stuff: Don’t use names, places, birthdays, or words from the dictionary.
  • Make it random: Use a password manager to generate proper random passwords if you can. They’re way better than anything we can come up with ourselves.
  • Use the three-word method: Combining random words gives you a password that is memorable to you but almost impossible to guess.
  • Use some other method: Personally I use something called a Qwerty card – this is a simple plastic card that goes in your wallet for easy-to-remember, very strong passwords. You can find out more on this link (an Amazon affiliate link that costs you no extra, even if you buy one – or more).

Here’s an example of a strong password: V7&u@2Lp!z#xFq91. No one’s guessing that anytime soon. Of course, that may be difficult to remember, but BiologyFingerVibrant%)68 is more memorable and just as difficult.
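The two styles from the tips above, generated with a cryptographically secure random source and compared by how much randomness each carries. This is an added example, not part of the original article; the symbol set, the 16-word sample list and the 7,776-word list size used for the estimate are assumptions made for the demonstration.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%&*?"  # 8 symbols (assumed set for this demo)
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 70 characters

# Constructed 16-word sample so the block runs offline. A real generator
# should load a list of several thousand words (7,776 is assumed below).
SAMPLE_WORDS = ["biology", "finger", "vibrant", "lantern", "pebble", "orbit",
                "walnut", "canvas", "thistle", "harbor", "mosaic", "tundra",
                "quiver", "saddle", "nectar", "gravel"]


def random_password(length=16):
    """Password-manager style: every character drawn independently."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def three_word_passphrase(words=SAMPLE_WORDS):
    """Three random words plus two symbols and two digits."""
    picked = "".join(secrets.choice(words).capitalize() for _ in range(3))
    tail = "".join(secrets.choice(SYMBOLS) for _ in range(2))
    return picked + tail + f"{secrets.randbelow(100):02d}"


def entropy_bits(choices):
    """Bits of entropy when each element is picked uniformly at random.

    `choices` lists how many options each independent pick had. The figure
    only holds for machine-random picks, not for words a person chose.
    """
    return sum(math.log2(n) for n in choices)


def compare(word_list_size=7776):
    """Return (random password bits, three-word passphrase bits)."""
    password = entropy_bits([len(ALPHABET)] * 16)
    passphrase = entropy_bits([word_list_size] * 3 + [len(SYMBOLS)] * 2 + [100])
    return round(password, 1), round(passphrase, 1)


if __name__ == "__main__":
    print(random_password(), three_word_passphrase(), compare())
```

Under these assumptions the 16-character random password carries about 98 bits and the three-word form about 51; each extra random word from a list that size adds roughly 13 bits.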

What About Password Managers?

Password managers are tools that store all your passwords securely in one place. You only need to remember one strong master password, and the rest is sorted. They’re especially handy for small businesses, where you might have loads of logins for different tools and services.

Why They’re Worth Using

  • No need to remember everything: Just the one password to rule them all.
  • They generate strong passwords: Most password managers have built-in generators that create complex passwords for you.
  • They fill in passwords automatically: Saves time and avoids typing errors.
  • They keep things secure: The good ones use serious encryption to protect your data.

Some popular password managers for small businesses include LastPass, 1Password, Dashlane, and Bitwarden. They all have pros and cons, so do a bit of research and pick one that suits your needs and that you trust.

Only Give Access to People You Actually Trust

This one might sound obvious, but you’d be surprised how many small businesses hand out passwords and admin access like it’s a freebie giveaway. Just because someone works with you doesn’t mean they need access to everything.

Think of your business systems like rooms in a house. You wouldn’t give the cleaner the keys to your safe or the plumber access to your home office, would you? Same logic applies here.

Levels of Trust Matter

There’s a difference between trusting someone to do their job and trusting them with sensitive information. You might trust your part-time assistant to post on social media, but that doesn’t mean they should be able to access your company bank account.

Before giving anyone access to a system, ask yourself:

  • Do they actually need it to do their job?
  • Do they understand how to use it safely?
  • What could go wrong if they mess it up?
  • How much do I trust this person, really?

Things That Can Go Wrong (And Often Do)

Let’s look at what can happen when the wrong person gets access:

  • Accidental damage: Someone presses the wrong button and deletes your whole website. Oops.
  • Data leaks: A disgruntled ex-employee leaks customer info out of spite.
  • Financial loss: Someone with access to your online banking goes rogue. Bye-bye business savings.
  • Reputation damage: One slip-up and suddenly customers don’t trust you anymore.

Use Access Levels and Permissions

Most systems (like your website, cloud storage, or payment tools) let you set different access levels. Use them! Not everyone needs admin rights. Give people just enough access to do their job and nothing more.

Examples of Smart Access Control

  • Social media: Use tools like Buffer or Hootsuite so staff can post without having the login details.
  • Website admin: Set up different user roles in WordPress, like editor or contributor, rather than giving everyone full control.
  • Shared files: On Google Drive or Dropbox, give ‘view only’ access unless someone needs to edit something.
  • Banking: Set up limited access for your bookkeeper, or use read-only access where possible.

What to Do When Someone Leaves

Whether it’s an employee, freelancer, or someone who helped out on a short-term project, you need a process for when they move on. If someone leaves and still has access, it’s like letting a former housemate keep a copy of your keys.

Steps to Take

  • Change shared passwords: Immediately. Don’t wait. Even if you think they’re trustworthy.
  • Remove them from systems: Revoke access to email, cloud storage, social media, project tools, and anything else they used.
  • Collect devices: If you gave them a company phone or laptop, get it back.
  • Update your records: Keep a list of who has access to what, and keep it up to date.

How Often Should You Update Passwords?

This is a bit of a tricky one. Old advice used to say “change your password every 30 days.” But now the experts say it’s more important to use strong passwords and only change them if there’s a reason to – like a security breach or a member of staff leaving.

If you’re using a password manager and have unique, strong passwords for everything, you probably don’t need to change them all the time. But if there’s ever a chance they’ve been compromised, change them straight away.

Two-Factor Authentication: Just Do It

Two-factor authentication (2FA) is an extra layer of security on top of your password. Even if someone guesses your password, they can’t get in unless they’ve also got access to your phone or email. It’s like a second lock on your door.

2FA requires users to provide two different forms of identification to verify their identity when logging in, making it significantly harder for unauthorized individuals to access accounts. 

Here’s how it works:

1. First factor: The user enters their username and password, which is the first factor of authentication.
2. Second factor: After entering the password, the user is prompted to provide a second piece of information, which could be:

  • A code from an authenticator app: This code is generated by an app on the user’s smartphone or other device.
  • A code sent via SMS: A text message containing a code is sent to the user’s phone number.
  • A security key: A physical device that the user plugs into their computer.
  • Biometric data: Such as fingerprints or facial recognition.

Where to Use 2FA

  • Email accounts
  • Banking and financial apps
  • Cloud storage (Google Drive, Dropbox, etc.)
  • Social media platforms
  • Website admin panels

Many of these platforms will prompt you to set up 2FA. If they don’t, check the settings. It’s well worth the few seconds it takes each time you log in.

Final Thoughts

Look, no one starts a small business thinking, “Can’t wait to sort out my password policies!” But the truth is, getting this stuff right could save you a ton of stress, hassle, and money down the line.

Use strong, unique passwords for everything. Don’t hand over access unless it’s 100% necessary. And when someone moves on, make sure they’re locked out straight away. It’s not about being paranoid – it’s about being smart.

Your business is worth protecting. Even if it’s just you and a laptop in your spare room, the information you have – from customer data to payment details – is valuable. Don’t make it easy for someone to take it away from you.