Poor Password Management Culture Puts Australian SMEs At Risk

Published on 30/04/2020 by Anna Hammond

The fight against COVID-19 has led many of us indoors. As a result, companies across Australia are allowing employees to work from home to stay in line with isolation guidelines. More than half (57%) of Australian SMEs are now operating with a distributed workforce. Additionally, 41% are buying the necessary tools to operate remotely.

Poor password management within Australian SMEs

Yet, while small and mid-sized companies (SMEs) are taking the necessary steps to ensure business continuity, Capterra’s research* indicates that cybersecurity processes have been less efficient.

The study pointed to three areas that need improvement, including:

  • Password storage: The majority of SME employees rely on human memory to store account logins and passwords (only a third use password managers).
  • Password strength: More than a quarter of respondents use an identical password for all accounts.
  • Cybersecurity culture: SME employees often share passwords with colleagues, and between personal and business accounts.

Password management systems are inefficient

An encouraging number of employees (41%) changed their password within the last month. Despite this, SMEs are demonstrating lax password security practices. 

Infographic 1: Most popular password management methods in Australian SMEs.

Writing down passwords on paper is inefficient and unsafe. If the paper is misplaced, it can expose sensitive company information to untrustworthy third parties. It is also an unsustainable password storage method.

The most common form of password storage, however, is human memory. The survey indicated that 72% of respondents use software and platforms in the cloud (partially or completely). This suggests that the number of access credentials that an employee has is considerable.

Expecting employees to remember strong, unique passwords for all of these accounts is unrealistic. However, only a third of employees make use of password management software.

What is a password manager? A password manager is a software tool that lets users manage the passwords for many accounts in one place. It saves the passwords in a central vault, which the user unlocks with a single master password.

How to improve password management 

A password management tool is a safe way for businesses to store credentials. It’s important to find a platform that employees can easily adapt to—otherwise, they may well abandon it. By taking advantage of free trials, you’ll be able to identify a tool that suits your business best. 

Many password managers offer a free version, and the monthly cost to upgrade can be as little as a few dollars per employee.

Password sharing is common practice within SMEs

Worryingly, 44% of respondents said they share passwords between personal and business accounts. This, combined with the fact that 68% of workers use personal devices (even occasionally) to carry out work, puts businesses at greater risk of exposure should one account be compromised. 

Of those respondents who use personal devices:

  • 40% installed antivirus software
  • 24% installed email security software
  • 27% installed a firewall.

Devices without security software installed leave the user vulnerable to cybercriminals. The same applies to a business account that shares identical credentials with an employee’s personal account: if the personal account is hacked, the business account is vulnerable too.

Another area of concern was the lax approach within SMEs toward sharing passwords between peers (which 18% admitted to). While this may seem risk-free, it opens up the possibility of internal risks, such as data theft by a disgruntled employee.

How to share passwords securely

In some cases, employees will need to share passwords. There are three methods to communicate passwords securely:

  1. Verbally, ideally in person.
  2. In an encrypted email, a feature often included with email security tools.
  3. Through a shared password vault, included in many password management systems.

Password strength isn’t prioritised

If a hacker gets hold of one set of credentials, they’ll likely try using these details to access other business and personal accounts. It’s therefore advised that businesses should create a strong and unique password for every account they own. 

Encouragingly, a third of respondents said they follow this advice. However, 28% of respondents use an identical password for all accounts and 39% use a few main passwords or one password that is slightly adapted, across multiple sites.

How to strengthen passwords

A hard-to-crack password is a simple yet effective means to strengthen the security of any online account. This includes:

  • At least eight to sixteen characters
  • A combination of capital and lowercase letters
  • Special characters
  • Numbers.

Educating staff on what a strong password looks like is a great way to encourage remote workplace security. However, most password managers include a secure password generator feature, which helps take the pressure off of staff.
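As an added example (not part of the original article), the following Python script checks a password against the criteria listed above and flags the two reuse habits the survey describes: identical passwords across accounts and one password that is slightly adapted per site. The minimum length of eight, the normalisation rule and the sample account list are assumptions for illustration.

```python
import re
from itertools import combinations

# Policy from the article: at least eight characters (assumed here as the
# minimum of its "eight to sixteen" range), upper and lower case letters,
# a digit and a special character.
MIN_LENGTH = 8

def strength_issues(password: str) -> list[str]:
    """Return the article's criteria that a password fails (empty = passes)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too short")
    if not re.search(r"[A-Z]", password):
        issues.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        issues.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no special character")
    return issues

def _stem(password: str) -> str:
    """Normalise a password so trivially adapted variants collapse together:
    lower-case it and drop a trailing run of digits/punctuation, so that
    'Summer2020!' and 'Summer2021!' both become 'summer' (assumed rule)."""
    return re.sub(r"[^a-z]+$", "", password.lower())

def reuse_report(accounts: dict[str, str]) -> list[tuple[str, str, str]]:
    """Flag account pairs whose passwords are identical or slight variants
    of each other, the two habits the survey found most common."""
    findings = []
    for (a, pa), (b, pb) in combinations(accounts.items(), 2):
        if pa == pb:
            findings.append((a, b, "identical"))
        elif _stem(pa) == _stem(pb):
            findings.append((a, b, "variant"))
    return findings

# Constructed sample vault contents for the demo (not real credentials).
SAMPLE_ACCOUNTS = {
    "email": "Summer2020!",
    "crm": "Summer2021!",
    "bank": "Summer2020!",
    "vpn": "correct-Horse7-battery",
}

if __name__ == "__main__":
    for name, pw in SAMPLE_ACCOUNTS.items():
        print(name, strength_issues(pw) or "ok")
    for a, b, kind in reuse_report(SAMPLE_ACCOUNTS):
        print(f"{a} and {b}: {kind} password")
```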

Phishing email attacks remain a challenge

Phishing emails are one of the most common methods that cybercriminals use to obtain valuable data from a target. A phishing email appears to come from another person or company and tries to get the recipient to reveal private information. Usually, the aim is to obtain a password, bank details, or confidential details of the organisation.

Infographic 2: Phishing attack cases in Australian SMEs.

The majority of the respondents said they had not been victims of such an attack. However, more than a quarter of respondents have fallen victim to a phishing email. Of those cases, 14% said the attack took place since working remotely due to the pandemic. Shockingly, 48% said they were misled by a topic related to COVID-19.

As widely reported in the media, hackers are taking advantage of the pandemic by using it as an angle to infiltrate corporate networks. Using coronavirus-related false pretences, hackers are convincing people to open malicious emails. 

How to protect against phishing emails

Training employees to recognise phishing emails should be an obligation for SMEs. It is one of the most common forms of cyberattack yet disguises itself in many ways. A security breach can cause irreversible damage to an SME; it can destroy its reputation and lead to bankruptcy.

Employees are the best line of defence for SMEs. To ramp up security efforts, companies should ensure their staff:

Australian SMEs must increase cybersafety measures

Cybercriminals are always waiting for people (and companies) to make a mistake. Sadly, coronavirus has given them more opportunities rather than slowing them down. This is mostly due to teleworkers not taking adequate steps to secure their work environment. 

Even with a distributed workforce, employers must establish cybersecurity guidelines. It’s also good practice for companies to have at least one cybersecurity point of contact. This person should be responsible for implementing security protocols and securing business software. They should also be the champion driving a cybersafety-first culture.

Virtual cybersecurity training sessions work well for educating remote employees. Try creating a live webinar whereby employees can learn, take notes and ask questions. 

Ready to run your first cybersafety session? Check out Capterra’s directory of the highest-rated webinar software today.

*Survey methodology

To collect the data from this report, we conducted an online survey between 4th April 2020 and 14th April 2020. The responses come from a sample of the Australian market. Of the 916 people who participated in the survey, we were able to discover that 57% of Australian SMEs are already operating fully remotely. We also discovered that 6% plan to. 

We then screened out all respondents not working remotely, and found 500 respondents fitted within our criteria:

  • Australian resident
  • Employed by a small or mid-sized business
  • Employed full-time or part-time
  • Working remotely as a response to COVID-19.

The participants come from various business sectors and levels of seniority.

Note: Infographic 1 had multiple response options, so the total sum of the percentages exceeds 100%.

This article may refer to products, programs or services that are not available in your country, or that may be restricted under the laws or regulations of your country. We suggest that you consult the software provider directly for information regarding product availability and compliance with local laws.
