Locking Down Your Business: Passwords and Beyond
October 14, 2025 in Cyber Security News by Apex Computing
One weak password could cost your company thousands.
Over half of UK SME employees (52%) have never received cyber security training, and far too many are still using passwords like 'CompanyName2025!'. It's time to change that.
Passwords remain the first line of defence in business security - and also one of the weakest. In Week 3 of Apex's Cyber Security Awareness Month, we're taking a closer look at how SMEs across Greater Manchester can drastically reduce risk by tightening up password habits and enabling modern authentication.
Weak Passwords Are Still the #1 Access Point for Hackers
Most cyber breaches don't start with Hollywood-style hacking. They start with an email or a stolen credential.
- 81% of hacking-related breaches involve stolen or weak passwords
- 59% of people reuse passwords across work and personal accounts
- Criminals often buy stolen password databases on the dark web for pennies
"You'd be surprised how many staff at SMEs still use passwords like 'Password123!' or 'Summer2024', especially under time pressure. We once onboarded a 40-user account where half the team had variations of the company name as their login. Easy pickings for a brute attack."
If your team uses the same login for email, payroll, Microsoft 365 and Teams - you're at serious risk.
Case in Point: A Manchester Firm's Close Call
Recently, a locally-based accountancy firm reached out after an employee's password was compromised. A cyber criminal used stolen Office 365 credentials (from a previous data breach) to log in and sit silently in their inbox for days.
The attacker watched conversations, then jumped in pretending to be the employee - emailing a client to "update payment details". The client paid a £6,000 invoice to the scammer before realising it wasn't legitimate.
The compromised password was being reused across multiple platforms. Had Multi-Factor Authentication (MFA) been enabled, the breach could've been prevented entirely.
5 Ways to Upgrade Your Password Practices Now
If your business still relies on "strong passwords" alone, you're missing a crucial part of modern protection. Here's what Apex recommends:
1. Use Passphrases, Not Passwords
Encourage your team to use memorable phrases instead of single words. 'BlueCoffeeRocket2025@' is stronger than 'Manchester1!'.
2. Enable MFA Everywhere
Multi-Factor Authentication (MFA) adds a second layer of security. Even if a password is stolen, it's useless without the MFA code. Apply MFA on:
- Microsoft 365
- Remote desktop/VPN access
- CRM and accounting systems
- Email accounts
3. Introduce a Password Manager
Avoid sticky notes and spreadsheets. A secure password manager like Keeper (that's what we use here at Apex) or 1Password generates and stores long, random credentials that staff never have to remember.
"We've been using Keeper password manager for a while at Apex and the security we have with passwords speaks for itself. We've also recommended it to a number of our clients and have seen password reuse incidents drop to almost zero. It only takes 5 minutes to set up, and saves businesses thousands in risk."
4. Set Minimum Standards for Passwords
- Minimum 12 characters
- Mix of upper and lower case letters, numbers and symbols
- No company names, birthdays, or pet names
Use group policies (especially in Microsoft 365) to enforce strong password creation across all users.
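To show why the third rule matters, here is an added example (not Apex's tooling or Microsoft's) that checks a candidate password against the three standards above. The banned-term list and the small leetspeak table are assumptions made for illustration.

```python
import re

MIN_LENGTH = 12
# Assumed, illustrative leetspeak table; undone before matching banned terms.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
CLASSES = {
    "upper case letter": r"[A-Z]",
    "lower case letter": r"[a-z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def plain(text):
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def normalise(text):
    """Lower-case, undo leetspeak, and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(password, banned_terms):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    for term in banned_terms:
        # Match the term as written and in its leetspeak-normalised form.
        pairs = ((plain(term), plain(password)),
                 (normalise(term), normalise(password)))
        if any(len(key) >= 3 and key in view for key, view in pairs):
            problems.append(f"contains banned term '{term}'")
    return problems


if __name__ == "__main__":
    # Constructed samples; the banned terms stand in for a company name,
    # a location and a birth year.
    banned = ["CompanyName", "Manchester", "Apex", "1987"]
    for pw in ("CompanyName2025!", "Manchester1!", "Summer2024",
               "@p3xComputing2025", "BlueCoffeeRocket2025@"):
        print(pw, "->", check_password(pw, banned) or "OK")
```

'CompanyName2025!' and 'Manchester1!' both satisfy the length and character-mix rules and are rejected only by the banned-term check, which is the rule that has to be maintained per organisation.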
5. Regularly Review Compromised Passwords
Check if any work email accounts or passwords have been exposed on the dark web. Apex can provide Dark Web Monitoring and run these kinds of reports for your domains, alerting you to compromised credentials in real time.
Beyond Passwords: Full Identity Protection
Your passwords are just one part of a wider access control strategy. Here's what Apex helps Greater Manchester businesses implement:
- Conditional Access Policies: Only allow logins from trusted devices or locations. Block access from high-risk countries or IPs.
- Single Sign-On (SSO): Consolidate multiple logins into one secure portal (e.g. Microsoft Entra ID), reducing password fatigue and human error.
- Account Lockout Policies: Prevent brute force attacks by auto-locking accounts after a set number of failed attempts.
- Access Reviews and User Audits: Ensure ex-employees and dormant accounts are removed or disabled. Many breaches occur via unused or forgotten logins.
- Privileged Access Management: Admins and finance users need stricter access controls. Don't let everyone have full control in every system.
Think You're Already Covered? Ask Yourself:
- Are all your staff using unique passwords for every platform?
- Do you know who in your business has admin-level access and for what?
- Is MFA enforced on every critical app or just "recommended"?
- When was the last time you ran a user access audit?
- Are you alerted if a staff email or password appears in a data breach?
If you answered "No" or "I'm not sure" to any of the above - let's talk.
How Apex Helps
Apex offers tailored identity security solutions designed for SMEs in Greater Manchester just like you. We'll help you:
- Deploy a password manager across your organisation
- Enforce MFA and conditional access in Microsoft 365
- Secure user accounts with intelligent detection and lockdown policies
- Provide security awareness training to reduce risky behaviour
- Support real-world phishing simulations to test response under pressure
Final Word: Don't Leave the Front Door Open
Passwords are the digital keys to your business - don't leave them under the mat.
Start by making MFA a non-negotiable across your company. It's simple, cost-effective, and stops over 99% of account takeover attempts. Pair that with smart policies and password manager rollouts, and you'll be miles ahead of the average SME.
Want to Assess Your Password Policies?
Book a free consultation with our team and get a quick health check on your current setup.
Up Next in Cyber Security Awareness Month
We dive into securing hybrid and remote working setups - from home routers to personal devices.
Stay safe, stay updated, and stay on top of the basics.