• Startup
  • Payroll/Taxes
  • Human Resources
  • Employee Benefits
  • Business Insurance
  • Compliance
  • Marketing
  • Funding
  • Accounting
  • Management
  • Finance
  • Payment Processing
  • Taxes
  • Overtime
  • Outsourcing
  • Time & Attendance
  • Analytics
  • PEO
  • Outsourcing
  • HCM
  • Hiring
  • Onboarding
  • Recruiting
  • Retirement
  • Group Health
  • Individual Insurance
  • Health Care
  • Employment Law
  • Tax Reform

5 Password Policy Tips to Protect Your Business Data


Crafting a password policy for your business is no longer just a good idea. In an age of rampant cyber crime and large-scale data breaches, it's become necessary for small businesses everywhere. And because your employees regularly use passwords for multiple sites and purposes, they could be considered particularly vulnerable to hackers and cyber thieves.

Recognizing that security is often compromised by unintentional mistakes or carelessness, it's critical that employees know how to maintain vigilance and use good judgment with sensitive business data. That's where a comprehensive password policy becomes one of your most effective anti-cyber crime strategies.

Here are five tips for creating and enforcing password policies that help keep your customer and employee data safe from cyber criminals:

1. Educate employees on the use of complex passwords. Simple phrases or, worse yet, a predictable series of numbers ("56789") are easy for hackers to uncover; even slightly more complicated passwords are susceptible to hacking through password-cracking weapons. One tactic is the use of "dictionary attacks," a technique used to breach the security of a password-protected machine or server by systematically entering each word in a dictionary as a password. "Brute forcing" may also be used, which involves generating many consecutive guesses to gain access to a system.

Security professionals recommend at least a 14-16-digit combination that includes some or all of the following:

  • Uppercase letters
  • Lowercase letters
  • Symbols
  • Numbers

The more complex the password, the less frequently it needs to be updated.

2. Avoid password patterns. Having complex passwords isn't enough if they begin to take on an observable pattern. For instance, changing numbers or symbols for the same password can leave you susceptible because as soon as a hacker uncovers such a pattern, it becomes easy to detect similar patterns used elsewhere.

3. Don't base passwords on personal details. Anytime you create a password based on your pet's name, your kid's birthday, or your spouse's middle name, you're risking easy detection by hackers. It’s because much of this personal information is generally included in one's social media profiles and is therefore easily discernible by hackers.

Speaking of social media, encourage employees to avoid using the same passwords on the job as they use on their social networking or other online sites. A breach at one of these online sites could result in the theft of a password that would allow attackers to gain access to an employee’s work account(s).

4. Explore the option of password managers or password tools. Many businesses advocate the use of a password manager or password manager tools that build strong passwords and retain them for use by employees. In addition to storing credentials, most of these tools also offer password generators to easily provide users with a unique range of passwords for consideration.

PCWorld recommends using a password management tool that includes these essential features:

  • Complex, random password generation
  • Two-factor authentication that employs a second method (beyond the password) such as a PIN or fingerprint to minimize risk

"No online security measure is 100 percent foolproof," PCWorld notes, though their experts maintain that by using a password manager, "the benefits far outweigh the risks."

5. Guide employees in what actions to take if a data breach occurs. With the proper training and use of complex passwords, your business is inherently more secure against a cyber attack that depends on compromising employees' passwords. However, if a data breach occurs, your team must be able to take action quickly to minimize damage.

Develop and distribute a comprehensive incident response plan that emphasizes immediately contacting your help desk or IT team in the event of a data breach or the loss/theft of a computing device (even removable media like USB drives). The plan should include a step requiring employees to change their passwords to prevent any further abuse by cyber criminals. Update your team on the newest potential threats and make sure everyone understands the critical importance of maintaining safe and secure practices in their use of company computers and information.

With a high level of awareness and knowledge, there's no reason your employees' passwords should serve as an entry point for cyber attacks.

todd colvin headshot
Todd Colvin is the senior director of data and systems security at Paychex, Inc. He is a business-savvy converged security executive.
This website contains articles posted for informational and educational value. Paychex is not responsible for information contained within any of these materials. Any opinions expressed within materials are not necessarily the opinion of, or supported by, Paychex. The information in these materials should not be considered legal or accounting advice, and it should not substitute for legal, accounting, and other professional advice where the facts and circumstances warrant.