How US, UK SMBs keep company passwords safe

AVG’s Business division has asked 381 of their small-to-medium business customers in the US and UK sixteen questions about their password-protection policies and practices.

The replies they received allowed them to paint a general picture of how SMBs address (or not) the issue of password security.

Survey results

72 percent of the respondents said they believe their passwords are safe (i.e. not accessible by unauthorized personnel). But, interestingly enough, only 22 percent of the businesses use password management software.

A third of respondents believe their company’s passwords could be more secure (i.e. longer and more complex), but only 19% say that their business uses an automated password generator, which could help with that.

But all of this should not come as a shock, as many small businesses don’t have a dedicated IT staff member that would (hopefully) consider information security important. In one-third of the polled businesses, the owner, president, or MD is responsible for managing company passwords:

Who is responsible for managing company passwords?

Password reuse is substantial – four out of ten people use the same passwords for different business log-ins. 50% of people use between 1 and 10 passwords to access different networks, software, and accounts.

43% of the respondents with access to company passwords don’t have a clause in their contract to keep these passwords confidential.

Maybe that’s partly why 55% of the employees don’t thing twice about saving all or some of their passwords through their web browser – a definite security no-no.

Also, 16% of non-employees (contractors, freelancers, temps) can access company passwords, and they are not as nearly committed to the company as employees. That is, plain and simple, asking for trouble. AVG advises the use of temporary log-ins for these categories of people.

Finally, as a wild card question, the pollees where asked whether they have heard of the term “ransomware.” 32 percent of them didn’t, but also 36 percent of those who did actually don’t known what it is.

Given that many ransomware peddlers have begun targeting businesses, this last result should be extremely worrying.

In general, cybercriminals like targeting SMBs. There are several reasons for their preference, but two are the most important ones: low level of security, and they often serve as stepping stones to bigger targets.

Owners, managers and employees often believe their company is too small to matter to criminals, but they are wrong.

“In the UK, the latest [Information] Security Breaches Survey found that nearly three quarters (74%) of small businesses reported a security breach in the last year, an increase from both 2013 and 2014,” AVG pointed out. “And the cost of each breach was £75,000-310,800, with 31% being staff-related.”