Welcome to our Cyber Security News Aggregator. Cyber Tzar provide a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Logistics firms – are your employees logging in with password “Your Company Name01”?

published on 2022-06-28 10:37:19 UTC by fionabail
Content:

Passwordless is coming, but until then passwords remain a key component in protecting business assets. Unfortunately, logistics firms don’t seem to be keeping up to date with best practice.


Last year NordPass carried out research into the use of passwords within industry sectors among Fortune 500 companies.


They found that logistics firms' unique password percentile was just 28%, with 429331 of the passwords being used found within data breach information. Because password reuse lets criminals simply log into company systems, this is a massive warning sign for firms' system security.

These were the top ten passwords being used by logistics firms (replace “Company name” with the name of the employee’s firm).

  1. Company name
  2. Password
  3. 123456
  4. Aaron431
  5. Company name01
  6. Company name123
  7. Xxx company name
  8. Linkedin
  9. Company name1234
  10. Company name1

So what?

Cyber criminals don't need to break in; they can just log in using the details they find online about your staff and by trying the list above.

Do your staff log in to the system using their email address?

Are they on LinkedIn where they might share their work email address and the company they work for?

It might be even easier: their details may be found in a data breach.

https://www.youtube.com/watch?v=oFRaPX1nXDE

What makes a good password?

Passwords should be:

  • Complex – at least 15 characters in length, with a mixture of upper case, lower case, numbers and special characters
  • Unique – not reused across different sites/systems and not easily guessable such as “Company name01”

That seems hard to remember

You can generate a strong password using three random words. Look around the room, pick three things out and then combine them with numbers – Curtains2Monitors3&Shelves8.

Most people now have between 60 and 90 passwords, so keeping them all unique is a challenge; consider a password manager. Enterprise password managers also let staff securely share passwords or notes when required.

What should my firm be doing?

  • See what passwords you and your staff have which are already known. Why not run a poll to see who has the most/least breaches? Haveibeenpwned.com is a website where you can enter your email address and telephone number and see if your information has been captured in a data breach. As a business owner you can also register your domain and get notified when your domain pops up in another breach.
  • Have a clear password policy for staff and tell them why having strong, unique passwords is essential. If you need some help with this, our affordable student services offer security awareness training. Why don’t you make a booking to discuss further?
  • Enable Two Factor Authentication (2FA) wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is not secure. With 2FA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”.
  • If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – goodbye reused passwords.
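
One way to enforce the password policy described above at the point where staff set a password, as an added example that is not part of the original article. It goes slightly beyond the top-ten list by also catching character substitutions such as "Acm3"; the company name "Acme Freight", the sample passwords and the function names are constructed for illustration.

```python
import re

# Deny-list built from the non-company entries in the article's top ten.
COMMON = {"password", "123456", "aaron431", "linkedin"}
# Undo common character substitutions before comparing (an added assumption).
LEET = str.maketrans("013457@$!", "oieastasi")
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def name_tokens(company):
    """Forms of the company name to look for: each word and the joined name."""
    words = re.findall(r"[a-z]+", company.lower())
    forms = set(words) | {"".join(words)}
    # Very short words ("the", "co") would cause false positives, so skip them.
    return {f for f in forms if len(f) >= 4}

def check_password(password, company):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    if not all(re.search(c, password) for c in CLASSES):
        problems.append("missing upper, lower, number or special character")
    lowered = password.lower()
    # Compare the raw form and the de-substituted form, separators removed.
    variants = {re.sub(r"[^a-z0-9]", "", lowered),
                re.sub(r"[^a-z]", "", lowered.translate(LEET))}
    # Trailing digits are stripped so "Password1" still matches "password".
    if any(v in COMMON or v.rstrip("0123456789") in COMMON for v in variants):
        problems.append("on the common password list")
    # Substring match covers prefixes and suffixes ("Xxx company name", "...01").
    if any(tok in v for tok in name_tokens(company) for v in variants):
        problems.append("contains the company name")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, checked for a constructed company.
    for pw in ["AcmeFreight01", "Acm3-Fr31ght-2022!!", "P@ssw0rd",
               "Curtains2Monitors3&Shelves8"]:
        print(pw, "->", check_password(pw, "Acme Freight") or "OK")
```
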

Further guidance & support


The Eastern Cyber Resilience Centre is a not-for-profit organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.

You can join our business community for free and get:

  • Threat alerts both regionally and nationally
  • Signposting to free tools and resources from both Policing and the NCSC
  • Little steps programme – a series of weekly emails aligned to Cyber Essentials, with bite-sized practical information to build cyber resilience
  • Discussion area to meet and talk with other companies in the region and our partners

Contact us to find out more.

Policing led – business focussed.

https://www.ecrcentre.co.uk/post/logistics-firms-are-your-employees-logging-in-with-password-your-company-name01   
Published: 2022 06 28 10:37:19
Received: 2022 06 28 10:53:44
Feed: The Eastern Cyber Resilience Centre
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security