Millions of employees fail password basics. Do yours?


Read time

How many of your employees have a guessable password? We are seeing a rise in business email compromise claims and cyber incidents are becoming increasingly commonplace. It’s more important than ever that people understand the role they play in keeping the business – and themselves - safe. 

With Cyber risks now rated within the top three global business risks; staying safe online is an important element of risk management. With a rise in business email compromise claims and cyber incidents becoming an increasingly common occurrence, one of the basics such as password security is a must.

The UK’s Government Communications Headquarters (GCHQ) ran a cyber survey in 2019 and found a major link between weak passwords and cyber crime.  They found that 23.2m cyber victims worldwide had used the easy-to-hack password  ‘123456’, another 7.7m used ‘123456789’, 3.8m used ‘qwerty’ and 3.6m even used the word ‘password’ itself!

So, it is now more important than ever that all employees, members, consultants and so on - within your business are aware of the risks linked to password security and the role that they play in keeping themselves and businesses safe online. 

Be random

The National Cyber Security Centre (NCSC) recommends that selecting a purely random group of three words can make a strong, hard-to-guess password. For example, “ElephantCornflakeBonzai” is unlikely to feature on any of the dark web’s available datasheets of common, guessable passwords.   


Avoid password reuse 

Another avoidable issue in addition to easy to hack passwords is password re-use. 

For example; if you use the same password for your work email, your different work permissions across the company Network, your personal email and also all of your social media - you create untold opportunity for hackers to gain access to a range of data and information and put yourself and others at risk. 

Consider a password manager

A recommended way to strengthen your passwords is by using a password manager. 

This software helps generate and retrieve complex passwords and stores them in an encrypted database. Businesses can also introduce (MFA) Multi-factor authentication which requires in addition to a password, another piece of unique data to confirm identity when logging in. 

Examples of unique data could be challenge/response questions of obscure personal information, PIN numbers or magnetic stripe cards with security codes. 

Choosing your own password? Follow these golden rules
  • Don’t use the same password more than once
  • Don’t use a word or phrase of special importance to you (like a birthday, family member or football team). That kind of information can be found online.
  • Avoid number sequences – many work systems won’t accept them anyway
  • Make sure it’s long enough – between eight and 14 characters
  • Use a mix of upper and lower-case letters and symbols
  • A random group of 3 words can also be a strong password and is recommended by the National Cyber Security Centre (NCSC)
  • Update your passwords regularly.
The value of cyber insurance:

Unfortunately, businesses are unlikely to be able to fend off every threat that they face, as there are so many evolving risk factors today and attackers are becoming more sophisticated every day. 

While certainly useful, the above advice won’t protect you from phishing, malware or code injections for example.

In the event that you do suffer a cyber incident be confident that you have a Cyber Insurance policy in place to assist you with incident response and the specialist expertise required to identify, mitigate and remove any threat.

To find out more about cyber insurance, please give me a call or drop me a message via the website. 

Kathryn Brown

Kathryn is responsible for Howden’s cyber offering, working with a number of businesses to manage cyber risk and implement the right risk transfer solutions. Kathryn is an ACII qualified Chartered Insurance Broker - and with over 10 years’ experience in the industry, there isn’t much she hasn’t seen.