
Fraud costs the UK economy £193 billion a year, and SMEs are just as vulnerable as large enterprises. Security today relies heavily on passwords, but do you have a password policy? Are you vulnerable? Can you protect yourself from your own employees?

Firstly, be careful about whom you employ. I must assume you check employees' right to work in the UK. But do you ask to see original certificates of qualifications or check past employers?

Internet and email policies are needed to remind employees of their password obligations and provide you with the freedom to take action where necessary.

Induction training, if not also periodic refresher training, needs to achieve commitment from employees over passwords. Simply reminding employees of how to create a strong password for their work is a good start.

Current thinking is that a password should be made up of three unrelated words, joined by a special character or number and including a capital (e.g. Heat+soil&mend).

Remember that your IT Manager or provider may be able to override all your passwords, so especially careful vetting of that employee or choice of provider is essential.

Check access permissions too – these control who can see what on your company servers. Your IT Manager/provider should be able to help you.

Ask employees who are leaving to let you have their passwords and disable their accounts. Sometimes employees will be unwilling to share their password because they have chosen one that they also use for a variety of personal purposes, even to access their bank accounts. Usually they can reset their password, or you can ask your IT Manager/provider to do it for you.

Current advice is also to use a different password for every internet purpose, and some employees may need to create many. If they use a password manager, you may want to insist they use a safe proprietary one. Your IT Manager/provider should be able to advise.

And the most popular passwords? “1 2 3 4 5 6” followed by “password”. Can I have yours?

Malcolm Martin FCIPD

Author Human Resource Practice