Construction firms know about solid foundations and solid foundations are required within cyber security as well.

Stolen or lost credentials can make a business develop serious cracks, like building on unstable or weak ground.

Just as in the physical world, where keys unlock access to your office building and maybe into secured areas or safes, passwords, in the digital world, have the same purpose, allowing those who have permission to the data they are allowed.

And like the employee who loses their key card and need a replacement, businesses need to have a plan for how they deal with passwords being lost or stolen.

But it’s not as easy as in the physical world.

In the physical world if our keys get stolen and we can’t get into the place we want, it’s obvious, we can’t get in. If our password gets stolen, we still have access everywhere, until a criminal changes that password and locks us out or invites their “friends” to rob the place.

So how do companies know if a password is “lost”?

There are a couple of free services which businesses can sign up for which can give them a heads up if their passwords may have been “misplaced”.

- Haveibeenpwned.com - as well as checking individual emails and telephone numbers against known data breaches, companies can also register their domain names and get notified if they appear in a data breach. This means that you will be able to get the affected password changed, hopefully before a criminal comes knocking.

- NCSC’s Early Warning system – this free service checks data feeds (trusted public, commercial and closed sources) for your domain and IP address, notifying you if anything relevant to your organisation is found.

These should be used as part of your security but you might also want to consider paying a commercial company to actively look for your data on forums, this is commonly known as dark web monitoring. If you are interested in exploring this, some of our Trusted Partners offer this as a service and would be happy to speak to you about it. Contact us today and we can put you in touch.

What else should you be doing?

- Implement 2FA wherever available. That way even if a password is lost, hopefully no one can just use that information. Criminals are now phishing for these credentials as well, so you still need to make it difficult for them to get a password in the first place.

- Staff awareness training – if you teach your staff to protect themselves, they will also be better prepared to protect your business. And it’s not only about that phishing email, what about the physical security of the business? Could someone drop a USB or even send you a USB loaded with malware? Weak, reused passwords are a massive risk to a business but luckily are easy to fix, especially if you give your staff access to password managers.

- Join the ECRC - our free business community provides a “little steps” email series designed to introduce you to the key concepts of cyber resilience along with practical implementation. We also provide guidance to free tools and access to our affordable services when you are ready to move past the fundamentals.

Policing led - Business focused