_Part 4 of 12 in the Cyber security for the small business series._
If there is one chapter in this series that delivers the most value for the least effort, it is this one. Password and access management is the single most impactful thing you can do to protect your business, and most of it costs nothing.
The problem with passwords
Passwords are the keys to your digital life, and most of us are terrible at managing them. We use the same password across multiple sites. We choose passwords that are easy to remember and therefore easy to guess. We write them on sticky notes attached to monitors. We share them with colleagues when it seems convenient.
Each of these habits is entirely understandable. Passwords are a nuisance, and we have been trained by decades of bad advice to create passwords that are hard for humans to remember but easy for computers to crack. A password like P@55w0rd! feels secure because it is hard to type, but an automated cracking tool would break it in minutes.
What actually makes a good password
Length beats complexity. The NCSC's official guidance is to use three random words. A password like correct horse battery staple is dramatically harder to crack than P@55w0rd!, whilst being much easier to remember. Three or four random words, ideally with some numbers or punctuation mixed in, create passwords that are both strong and memorable.
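To put numbers behind "length beats complexity", here is a small added example (not from the original article or from the NCSC) that generates random-word passphrases with a CSPRNG and estimates the entropy of each password style in bits. The 32-word list and the guessing rate of ten billion per second are constructed assumptions for illustration; the 7776-word list size is that of the EFF Diceware list. The point it shows is that P@55w0rd! is modelled as an attacker sees it, a dictionary word plus a few mangling rules, which is why it scores so far below three random words despite its symbols:

```python
import math
import secrets

# Constructed 32-word list for illustration only (an assumption); a real
# passphrase list such as the EFF Diceware list has 7776 entries.
WORDS = [
    "anchor", "basket", "cobalt", "dragon", "ember", "falcon", "garden", "harbour",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yarrow",
    "zephyr", "bridge", "candle", "meadow", "parrot", "rocket", "silver", "tunnel",
]


def generate_passphrase(n_words: int, wordlist=WORDS, sep: str = " ") -> str:
    """Pick n_words uniformly at random using the secrets module (a CSPRNG),
    never random.choice, which is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random string, such as one a password manager generates."""
    return length * math.log2(alphabet_size)


def mangled_word_bits(dictionary_size: int, variants_per_word: int) -> float:
    """A dictionary word with leet substitutions and a trailing symbol (P@55w0rd!)
    is not a random string: the search space is dictionary x mangling rules."""
    return math.log2(dictionary_size * variants_per_word)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the secret is found after half the search space is tried."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guessing rate against a fast hash (illustrative)
    rows = [
        ("P@55w0rd! (word + mangling rules)", mangled_word_bits(100_000, 1_000)),
        ("9 random printable characters", random_string_bits(9, 95)),
        ("3 words, 7776-word list", passphrase_bits(3, 7776)),
        ("4 words, 7776-word list", passphrase_bits(4, 7776)),
        ("20 random characters (manager)", random_string_bits(20, 95)),
    ]
    for label, bits in rows:
        seconds = expected_crack_seconds(bits, RATE)
        print(f"{label:36s} {bits:6.1f} bits  ~{seconds:.3g} s to crack")
    print("Generated passphrase:", generate_passphrase(4))
```

The table it prints also motivates the next step: three or four random words are far stronger than a mangled word while staying memorable, and a 20-character random string from a password manager is stronger again, which is why a manager rather than memory is the right default for business accounts.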
But the best strategy for a business is not to rely on human memory at all. This is where password managers come in.
Password managers: your new best friend
A password manager is a secure application that stores all your passwords in an encrypted vault, protected by a single master password. It generates strong, unique passwords for every account, remembers them all, and fills them in automatically when you log in.
You only need to remember one strong password — the master password for the vault. Every other password can be long, random, and unique. If one service is breached, no other account is affected because no two accounts share a password.
Reputable password managers for business use include Bitwarden, 1Password, and Dashlane. All three offer business plans that let you manage your team's passwords centrally, share credentials securely for shared accounts, and revoke access when someone leaves the firm. Bitwarden has a free tier that is genuinely usable.
If your team uses a password manager from this month and nothing else from this series, you will be more secure than 80% of firms your size.
Multi-factor authentication
Multi-factor authentication — sometimes called two-factor authentication or 2FA — adds a second verification step when you log in. After entering your password, you also need to provide something else: typically a code from an app on your phone, a code sent by text message, or a physical security key.
The principle is straightforward. Even if an attacker steals your password, they still cannot access your account without the second factor. It is the digital equivalent of a lock that requires both a key and a code.
MFA is available on virtually all business-critical services: email (Microsoft 365, Google Workspace), banking, cloud storage, accounting software, and social media. Enabling it is usually a matter of changing a setting and scanning a QR code with an authenticator app.
Prioritise MFA on these accounts first: email, banking and financial services, cloud storage, any system containing customer data, and social media used for business.
Authenticator apps (such as Microsoft Authenticator, Google Authenticator, or Authy) are more secure than text message codes, as SMS can be intercepted or redirected through SIM-swap fraud. If your service supports an app, use the app. If you want the next level up, hardware keys like the YubiKey are the most secure option and cost about £40 per user as a one-off.
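What the authenticator app actually does after you scan the QR code is worth seeing once, because it explains why a stolen password alone is not enough. Below is an added example, not code from the article or from any of the apps named above, implementing the standard time-based one-time password algorithm (HOTP from RFC 4226, TOTP from RFC 6238) that these apps use. The QR code carries a shared secret in the otpauth:// Key URI format; both the service and the app derive the same six-digit code from that secret and the current 30-second time slot, so a code is useless without the secret and expires within a minute. The secret value used in the check is the RFC test vector, and the issuer and account names are constructed:

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to the requested digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time slot."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accept the current slot plus `window` slots either
    side to tolerate clock drift; compare in constant time."""
    slot = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, slot + drift, digits), code):
            return True
    return False


def new_secret_base32() -> str:
    """Generate a fresh 160-bit shared secret, base32-encoded as apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def key_from_base32(secret_b32: str) -> bytes:
    """Decode the base32 secret the QR code carried back into raw key bytes."""
    return base64.b32decode(secret_b32.upper())


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The Key URI format that authenticator apps read from the QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits=6&period=30")


if __name__ == "__main__":
    # Enrolment: the service generates a secret and shows it as a QR code
    secret = new_secret_base32()
    print("QR code content:", provisioning_uri("Example Ltd", "amy@example.co.uk", secret))
    # Login: the app shows a code; the service checks it against the same secret
    now = int(time.time())
    code = totp(key_from_base32(secret), now)
    print("App shows:", code, "accepted:", verify_totp(key_from_base32(secret), code, now))
```

Because the service must store the secret to verify codes, it is a credential in its own right: keep the backup codes the service issues at enrolment in the password manager, so that losing the phone does not lock the business out of its own email.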
The principle of least privilege
This is a simple concept with a grand name. It means that every person in your business should have access only to the systems, data, and functions they need to do their job, and nothing more. The receptionist does not need access to the accounting system. The sales team does not need administrator rights on the company website. The intern does not need access to the HR files.
This is not about trust. It is about limiting the damage if any single account is compromised. If an attacker gains access to an account with limited permissions, the harm they can do is limited. If they gain access to an administrator account, they have the keys to the kingdom.
In practical terms:
Review who has access to what at least annually. Pin it to the same week each year so it actually happens.
Remove access promptly when someone changes role or leaves.
Avoid shared generic accounts wherever possible. A shared admin@yourbusiness.co.uk mailbox is convenient and a security disaster.
Use administrator accounts only for administration, not for day-to-day email and web browsing. Standard user accounts should be the default.
What to do when someone leaves
When an employee or contractor leaves your business, their access should be revoked on their last day, ideally within hours of their departure. This includes email, cloud storage, accounting systems, social media accounts, VPN access, physical access (keys, fobs, alarm codes), and any shared passwords they knew.
This is not about suspicion. It is about hygiene. An unused account is an unlocked door that nobody is watching.
A short leaver checklist, printed and used at every departure, is one of the highest-leverage documents in a small business. It does not need to be long. It needs to be remembered.
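The annual access review and the leaver checklist are the same exercise run at different times: compare who holds what against who should hold what. The added example below (not from the article) shows that comparison as a script over a constructed account inventory, a constructed role-to-system entitlement matrix and a constructed leaver list; the names, systems, dates and the 90-day dormancy threshold are all assumptions. It flags the four problems listed under "In practical terms" and produces the leaver's checklist from the same inventory:

```python
from datetime import date

# Constructed role-to-system entitlements (an assumption for the example).
# "it" is the only role expected to hold administrator rights.
ENTITLEMENTS = {
    "reception": {"email", "calendar"},
    "sales":     {"email", "calendar", "crm", "website"},
    "finance":   {"email", "calendar", "accounting"},
    "it":        {"email", "calendar", "crm", "website", "accounting", "hr"},
}

# Constructed inventory: one row per (user, system) grant, as exported from
# each service's admin console. Role "shared" marks a generic mailbox.
ACCOUNTS = [
    {"user": "amy",   "role": "reception", "system": "email",      "admin": False, "last_login": date(2024, 4, 10)},
    {"user": "amy",   "role": "reception", "system": "accounting", "admin": False, "last_login": date(2024, 3, 5)},
    {"user": "ben",   "role": "sales",     "system": "crm",        "admin": False, "last_login": date(2024, 4, 11)},
    {"user": "ben",   "role": "sales",     "system": "website",    "admin": True,  "last_login": date(2024, 4, 9)},
    {"user": "chris", "role": "finance",   "system": "email",      "admin": False, "last_login": date(2023, 12, 20)},
    {"user": "chris", "role": "finance",   "system": "accounting", "admin": False, "last_login": date(2023, 12, 18)},
    {"user": "dana",  "role": "it",        "system": "hr",         "admin": True,  "last_login": date(2024, 4, 12)},
    {"user": "admin@yourbusiness.co.uk", "role": "shared", "system": "email", "admin": True, "last_login": date(2024, 4, 12)},
]
LEAVERS = {"chris"}  # constructed: left the firm, account never removed


def review_access(accounts, entitlements, leavers, review_date, dormant_days=90):
    """Return the findings of an access review, keyed by problem type.
    Each finding is a (user, system) pair so it maps to one revocation."""
    findings = {"excess": [], "admin": [], "leaver": [], "dormant": [], "shared": []}
    for a in accounts:
        key = (a["user"], a["system"])
        allowed = entitlements.get(a["role"])
        if allowed is None:
            # No role owns it: a shared generic account nobody is accountable for
            findings["shared"].append(key)
            continue
        if a["system"] not in allowed:
            findings["excess"].append(key)          # least privilege violated
        if a["admin"] and a["role"] != "it":
            findings["admin"].append(key)           # admin rights outside IT
        if a["user"] in leavers:
            findings["leaver"].append(key)          # should have gone on the last day
        if (review_date - a["last_login"]).days > dormant_days:
            findings["dormant"].append(key)         # unlocked door nobody is watching
    return findings


def leaver_checklist(accounts, user):
    """Build the printed checklist for one departure from the inventory."""
    systems = sorted({a["system"] for a in accounts if a["user"] == user})
    steps = [f"Revoke {s} access for {user}" for s in systems]
    steps.append("Collect keys, fobs and alarm codes")
    steps.append("Rotate any shared passwords the leaver knew")
    return steps


if __name__ == "__main__":
    for kind, items in review_access(ACCOUNTS, ENTITLEMENTS, LEAVERS, date(2024, 4, 15)).items():
        print(f"{kind:8s}", items)
    print("\n".join(leaver_checklist(ACCOUNTS, "chris")))
```

Run it in the same week each year with fresh exports from each service, and the "leaver" and "dormant" lists are the test of whether the leaver checklist is actually being used.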
What April looks like
If you do one thing from this series, do this. Pick a password manager. Install it on your own machine. Move your most important business accounts into it this week, generating new long random passwords for each. Enable MFA on every account that supports it, starting with email and banking.
Next month: email and phishing. The other front door, and the one most attacks come through.
Cyber Essentials note
The work this month covers Cyber Essentials control 3, User Access Control. By the end of April, with the actions above in place, you have most of one of the five controls completed.