
Why Poor Password Practices are Costly

How poor password practices can cost businesses millions and what to include in your password policy.

Why take password security seriously

Poor password practices cost businesses real money every year. Verizon's Data Breach Investigations Report has put the share of hacking-related breaches that involved weak or stolen credentials at 81%, and in 2022 the average cost of a data breach for organizations in the U.S. was $9.44 million ($2.98 million for small businesses specifically).

“If you’re not taking password protection seriously, you’re leaving your business completely exposed,” says Jason Monroe, Solution Consultant at Bit-Wizards. “If you are breached, we could be talking days of not being able to access your stuff, and all the while, the hacker is getting in and seeing your financials, your bank accounts, your routing account numbers, all that. They might be able to access all that data just because one bad password allowed them into your network.”

Stolen or compromised login credentials have already led to several high-profile data breaches in 2023, impacting businesses like PayPal, MailChimp, Reddit, Activision, and others.

“Some of these data breaches are costing larger companies millions and millions of dollars,” says Monroe. “All that data and free credit monitoring they then have to send out isn’t cheap. On top of that, their reputations are hurt, they may have to pay fines, and they may even get sued. And it’s no different for small businesses.”


Password security tips for businesses

The most common mistake Monroe says businesses make with password security is not having a password policy in place.

“Having set requirements for handling passwords company-wide is extremely important,” he says. “That’s the most reliable way to handle password management and ensure everyone in the business is following best practices.”

Here are five password best practices to include in your policy:

#1: Require strong passwords

Many people avoid long passwords because they are hard to remember, but length is the single biggest factor in how long a password survives an offline cracking attempt: every extra character multiplies the attacker's work by the size of the character set. Current guidance (NIST SP 800-63B) favors length and unpredictability over forced character-class rules. Some keys to creating a strong password include:

  • Using at least 12 characters (NIST's floor is 8; the longer the better).
  • Using passphrases instead of passwords: several unrelated words are both longer and easier to remember than a short string of symbols.
  • Mixing upper and lowercase letters, numbers, and symbols where the system allows it, but not as a substitute for length.
  • Rejecting anything that appears in a breached-password list, contains the username, or is a keyboard pattern.

As part of the password policy, business owners should require employees to create strong passwords for every system, application, and site they use for work, and should configure those systems to reject passwords that fail the rules rather than relying on good intentions.


#2: Change passwords when there's a reason to

Older guidance said to rotate important passwords every three months. NIST SP 800-63B now advises against forcing periodic changes: people respond to a 90-day timer with predictable variations (Summer2023! becomes Fall2023!), which attackers try first, and a long, unique password that has not been exposed does not get weaker with age. What matters is changing a password promptly when there is evidence it may be compromised, including when:

  1. Your account was hacked.
  2. You're impacted by a data breach in any way, including a breach at another service where the same password was used.
  3. You entered the password on an unsecured network or device.
  4. You discovered malware.
  5. Someone with access to a shared account was removed (especially if they were fired or left the company).
  6. You no longer use an account (better still, close it).

Whatever interval or triggers you choose, write them into the policy so the change happens company-wide rather than account by account.

#3: Avoid reusing passwords

It can be tempting to reuse one password for the sake of convenience, but this is a very risky practice. When any site that holds that password is breached, attackers feed the leaked username and password pairs into automated login attempts against other services (credential stuffing), so a single breach compromises every account that shares the password.

Despite the fact that 91% of people say they know reusing a password or a variation of it is risky, 66% still do it at least some of the time. This is why a business's password policy should state plainly that every account gets its own password.
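The checks behind tips #1 and #3 can be enforced at the point where a password is set rather than left to users. The following is an added example, not Bit-Wizards' code or a description of any product they use: a NIST-style password verifier that rejects short passwords, passwords from a breached-password list, passwords containing the username, and passwords already used on the same account. The breached list is a small constructed stand-in (a real deployment would query Have I Been Pwned's k-anonymity API or a local dump), the 12-character floor is an assumed organizational choice, and the password history is kept as salted PBKDF2 hashes so the verifier never stores old passwords in the clear.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

# Constructed stand-in for a breached-password corpus (in production: the HIBP
# k-anonymity API or a local dump). Entries are stored lowercase for matching.
BREACHED = {"password", "password1", "letmein", "qwerty123", "summer2023!", "welcome1"}

MIN_LENGTH = 12   # assumption: this organisation's floor; NIST SP 800-63B requires at least 8
MAX_LENGTH = 128  # assumption: a generous cap so passphrases are never rejected for length
PBKDF2_ITERATIONS = 100_000

PasswordRecord = Tuple[bytes, bytes]  # (salt, digest) as kept in the account's history


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: Sequence[PasswordRecord]) -> bool:
    """True if the candidate equals any earlier password on this account.

    Each stored record carries its own salt, so the candidate is re-hashed per record
    and compared in constant time to avoid leaking which record matched.
    """
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_password(password: str, history: Sequence[PasswordRecord] = (),
                      username: str = "") -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    normalised = password.strip().lower()
    if normalised in BREACHED:
        problems.append("appears in a breached-password list")
    if username and username.lower() in normalised:
        problems.append("contains the username")
    if len(set(password)) < 4:  # catches "aaaaaaaaaaaa" and similar padding
        problems.append("uses too few distinct characters")
    if matches_history(password, history):
        problems.append("was used before on this account")
    return problems


if __name__ == "__main__":
    # Constructed demo: one previous password on the account, three candidates.
    old = [hash_password("correct horse battery staple")]
    for candidate in ("Summer2023!", "correct horse battery staple", "correct horse battery staple 2"):
        print(f"{candidate!r}: {evaluate_password(candidate, old) or 'ok'}")
```

The verifier returns every violation rather than stopping at the first, so the user can fix all of them in one attempt; the breached-list and username checks run on the lowercased, trimmed value because attackers' wordlists already cover trivial case and whitespace variations.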

#4: Get a password manager

While the three previous tips may seem intuitive, they often aren't followed, because it is hard to remember a unique, long password for every login when the average person manages around 100 of them.

A password manager stores credentials in an encrypted vault unlocked by one strong master passphrase (ideally protected by MFA as well) and generates a long random password for every account, so users never have to remember or reuse one. It also fills credentials only on the site they were saved for, which makes a look-alike phishing page easier to spot.

#5: Use multifactor authentication

Multifactor authentication (MFA) is a security control that requires proof from at least two independent categories (something you know, something you have, something you are) before a login or other sensitive transaction is accepted. MFA creates a layered defense, making it more difficult for a bad actor to gain access to your technology, network, or database.

With MFA in place, an attacker who has an employee's password still needs the second factor to get in. It is commonly delivered as a code sent by text message or generated by an authenticator app on the phone. SMS is the weakest option, since codes can be phished or captured through SIM swapping; an authenticator app is better, and a hardware security key or passkey (FIDO2) is phishing-resistant and the right choice for administrators and finance staff.


How a managed service provider (MSP) can help

“An MSP is going to assist you with getting your policies in place,” says Monroe. “We’re going to help you enforce complex passwords and ensure that they’re updated regularly across the board. We’ll also help you enforce multifactor authentication.”

Monroe says an MSP will not only help implement these best practices, taking some of the stress off your business, but help handle any fallout as well.

“We’re going to be able to remedy any issues that come up very quickly,” he says. “If someone just gets lucky and breaks your password, we’re going to be able to lock them out of your system, prevent them from opening anything they’ve downloaded, prevent any malware they were able to add or install while they were in your system, and recover your data if they tried to delete anything.”

Monroe says managed services providers like Bit-Wizards are proactive, meaning this kind of fallout isn’t likely.

“At Bit-Wizards, our engineers are forward thinking,” he explains. “We’re constantly looking for pitfalls that could potentially lead to a problem. So, we’re not reactive, meaning we’re not just sitting around waiting to fix something after it goes wrong. We’re looking for anything that might be out of place upfront so we can fix the issue before any fallout occurs.”

Monroe says we also include the paid version of LastPass with our Managed IT Services.

“We already have a password manager ready to implement for you, so that’s going to save you time and money,” says Monroe. “Overall, we want to handle IT for you, so you can focus on your business. That’s our goal in everything we do for our clients.”



Simone E. Hines, Content Team Lead