The fight against COVID-19 has led many of us indoors. As a result, companies across Australia are allowing employees to work from home to stay in line with isolation guidelines. More than half (57%) of Australian SMEs are now operating with a distributed workforce. Additionally, 41% are buying the necessary tools to operate remotely.
Yet, while small and mid-sized companies (SMEs) are taking the necessary steps to ensure business continuity, Capterra’s research* indicates that cybersecurity processes have been less efficient.
The study pointed to three areas that need improvement, including:
- Password storage: The majority of SME employees rely on human memory to store account logins and passwords (only a third make use of password managers).
- Password strength: More than a quarter of respondents use an identical password for all accounts.
- Cybersecurity culture: SME employees often share passwords with colleagues, and between personal and business accounts.
Password management systems are inefficient
An encouraging number of employees (41%) changed their password within the last month. Despite this, SMEs are demonstrating lax password security practices.
Writing down passwords on paper is inefficient and unsafe. If the paper is misplaced, it can expose sensitive company information to untrustworthy third parties. It is also an unsustainable password storage method.
The most common form of password storage, however, is human memory. The survey indicated that 72% of respondents use software and platforms in the cloud (partially or completely). This suggests that the number of access credentials that an employee has is considerable.
Expecting employees to remember strong, unique passwords for all of these accounts is unrealistic. However, only a third of employees make use of password management software.
How to improve password management
A password management tool is a safe way for businesses to store credentials. It’s important to find a platform that employees can easily adapt to—otherwise, they may well abandon it. By taking advantage of free trials, you’ll be able to identify a tool that suits your business best.
Many password managers offer a free version, and the monthly cost to upgrade can be as little as a few dollars per employee.
Password sharing is common practice within SMEs
Worryingly, 44% of respondents said they share passwords between personal and business accounts. This, combined with the fact that 68% of workers use personal devices (even occasionally) to carry out work, puts businesses at greater risk of exposure should one account be compromised.
Of those respondents who use personal devices:
- 40% installed antivirus software
- 24% installed email security software
- 27% installed a firewall.
Devices without security software installed leave the user vulnerable to cybercriminals. The same applies to a business account that shares identical credentials with an employee’s personal account. If that account is hacked, the business account is vulnerable too.
Another area of concern was the lax approach within SMEs toward sharing passwords between peers (which 18% admitted to). While this may seem risk-free, this action opens up the possibility of internal risks, such as data theft by a disgruntled employee.
How to share passwords securely
In some cases, employees will need to share passwords. There are three methods to communicate passwords securely:
- Verbally, ideally in person.
- By encrypted email, a feature often included with email security tools.
- Through a password vault, a feature included in many password management systems.
Password strength isn’t prioritised
If a hacker gets hold of one set of credentials, they’ll likely try using these details to access other business and personal accounts. Businesses are therefore advised to create a strong and unique password for every account they own.
Encouragingly, a third of respondents said they follow this advice. However, 28% of respondents use an identical password for all accounts, and 39% use a few main passwords or one slightly adapted password across multiple sites.
How to strengthen passwords
A hard-to-crack password is a simple yet effective means to strengthen the security of any online account. Such a password includes:
- At least eight to sixteen characters
- A combination of capital and lowercase letters
- Special characters
Educating staff on what a strong password looks like is a great way to encourage remote workplace security. However, most password managers include a secure password generator feature, which helps take the pressure off staff.
Phishing email attacks remain a challenge
Phishing emails are one of the most common methods that cybercriminals use to obtain valuable data from a target. Phishing consists of sending an email (that appears to be from another person or company) to the recipient, in a bid to get them to reveal private information. Usually, the attackers aim to obtain a password, bank details, or confidential details of the organisation.
The majority of the respondents said they had not been victims of such an attack. However, more than a quarter of respondents have fallen victim to a phishing email. Of those cases, 14% said the attack took place since working remotely due to the pandemic. Shockingly, 48% said they were misled by a topic related to COVID-19.
As widely reported in the media, hackers are taking advantage of the pandemic by using it as an angle to infiltrate corporate networks. Using coronavirus-related false pretences, hackers are convincing people to open malicious emails.
How to protect against phishing emails
Training employees to recognise phishing emails should be an obligation for SMEs. Phishing is one of the most common forms of cyberattack, yet it disguises itself in many ways. A security breach can cause irreversible damage to an SME; it can destroy its reputation and lead to bankruptcy.
Employees are the best line of defence for SMEs. To ramp up security efforts, companies should ensure their staff:
- Make use of email security software.
- Receive cybersecurity training that educates them on recognising malicious emails.
- Know who to contact in the case of an emergency. Our previous research highlighted that 62% of SME employees don’t know this, particularly junior staff.
Australian SMEs must increase cybersafety measures
Cybercriminals are always waiting for people (and companies) to make a mistake. Sadly, coronavirus has given them more opportunities rather than slowing them down. This is mostly due to teleworkers not taking adequate steps to secure their work environment.
Even with a distributed workforce, employers must establish cybersecurity guidelines. It’s also good practice for companies to have at least one cybersecurity point of contact. This person should be responsible for the implementation of protocols and secure business software. They should also champion a cybersafety-first culture.
Virtual cybersecurity training sessions work well for educating remote employees. Try creating a live webinar whereby employees can learn, take notes and ask questions.
To collect the data for this report, we conducted an online survey between 4th April 2020 and 14th April 2020. The responses come from a sample of the Australian market. Of the 916 people who participated in the survey, we were able to discover that 57% of Australian SMEs are already operating fully remotely. We also discovered that 6% plan to.
We then screened out all respondents not working remotely, and found 500 respondents fitted within our criteria:
- Australian resident
- Employed by a small or mid-sized business
- Employed full-time or part-time
- Working remotely as a response to COVID-19.
The participants come from various business sectors and levels of seniority.
Note: Infographic 1 had multiple response options, so the total sum of the percentages exceeds 100%.