Password Policies – A Protective Layer for your Business

Businesses of all sizes are common targets for cyber-attacks, and the damage can range from temporary inconvenience to financial devastation. Many small enterprises have been forced to close within months of a data breach that cost them their confidential information, a great deal of money, or both.

There are multiple types of attacks, including password cracking and credential theft, phishing, malware, and ransomware. Most businesses will be targeted at one time or another, and the large number of applications a typical business uses, combined with the large number of people now working from home, can make it difficult to batten down the data hatches. But it can be done!

Here are a few simple guidelines to make it more difficult for bad actors to break in.

Let’s begin with creating a password policy. It’s important that you not only implement one but enforce it. Here’s what we suggest:

  • Require every password to have at least 12 characters, drawn from at least three of the four character classes: numbers, capital letters, lower-case letters, and symbols. Length does more for strength than a sprinkling of symbols, so password phrases are best! (Example: MyC@r!sAmazing)


  • Require passwords to be changed at least once a year, and immediately whenever a compromise is suspected. Don’t allow the reuse of previous passwords.


  • Use a password manager application. There are many good options on the market. Let your staff keep all those passwords in one encrypted vault, protected by a single strong master password and MFA, rather than on a sticky note on their desks.


  • Regularly remind your employees that IT staff and management will never ask for their password by phone, text, or email. That’s how phishing succeeds.


  • Regularly remind your employees not to click links in any text or email from an address or number they don’t recognize. Remind them to look closely, and twice: cyberthieves often use email addresses and phone numbers that closely resemble those of senior managers or close colleagues.


  • Use multi-factor authentication (MFA). This requires a second proof of identity beyond the password: a one-time code from an authenticator app, a hardware security key, or a code sent to the user’s mobile phone. (A “security question” is just another thing the user knows, so it is not a true second factor, and codes sent by SMS are the weakest of the options listed.) Like password managers, there are multiple options available that are relatively inexpensive and highly effective.


  • Speaking of the user’s mobile phone, your password policy should also spell out which devices it covers, including any personal phones, laptops, and/or tablets used for company work.
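The password rules above, turned into a checker as an added example (this is not code from the original post or from the consultancy; it assumes Python 3 and its standard library only). It enforces the 12-character minimum, the character-class mix, and the no-reuse rule, storing previous passwords only as salted scrypt hashes so the history itself is not a second copy of the secrets. It also goes one step beyond the text and rejects passwords that appear in a known-breached list, because a password such as Password123! satisfies every composition rule and is still among the first an attacker tries; the breached list here is a small constructed set, not a real breach corpus.

```python
import hashlib
import hmac
import os
import string
from typing import List, Set, Tuple

MIN_LENGTH = 12      # minimum length required by the policy above
MIN_CLASSES = 3      # of the four classes: upper, lower, digit, symbol
HISTORY_DEPTH = 10   # how many previous passwords a new one may not match (assumed value)

# scrypt parameters for hashing history entries: memory-hard, tune to your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

HistoryEntry = Tuple[bytes, bytes]  # (per-entry salt, scrypt digest)

# Constructed stand-in for a breached-password corpus, keyed by upper-case SHA-1 hex
# (the form such corpora are usually published in). Not real breach data.
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123!", "Welcome2024!", "Summer2023!!")
}


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash of a password for the history store."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def record_password(password: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Append a freshly salted hash of the new password; keep only the newest entries."""
    salt = os.urandom(16)
    return (history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]


def reused_from_history(password: str, history: List[HistoryEntry]) -> bool:
    """Each entry has its own salt, so the KDF is recomputed per entry and
    compared in constant time; hashes cannot be compared to each other directly."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in history)


def character_classes(password: str) -> int:
    """Number of the four character classes present in the password."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def policy_violations(password: str, history: List[HistoryEntry],
                      breached_sha1: Set[str]) -> List[str]:
    """Return every rule the candidate password breaks; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    n_classes = character_classes(password)
    if n_classes < MIN_CLASSES:
        problems.append(f"uses {n_classes} of 4 character classes (need {MIN_CLASSES})")
    if hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in breached_sha1:
        problems.append("appears in the breached-password list")
    if reused_from_history(password, history):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    history = record_password("MyC@r!sAmazing", [])
    for candidate in ("short", "Password123!", "MyC@r!sAmazing", "MyC@r!sAmazing2"):
        print(candidate, "->", policy_violations(candidate, history, BREACHED_SHA1) or "OK")
```

Two points worth noting: the history check must recompute the KDF once per stored entry because every entry carries its own salt, which is one reason to keep the depth small; and in production the breach check should run against a real corpus (several services offer hash-prefix lookups, so the password itself never leaves your systems) rather than the three-entry set constructed here.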

Cybercriminals constantly change their tactics, and they’re not going to stop trying. Simple password and multi-factor authentication measures that are strictly followed and enforced can go a long way toward keeping these threats at bay.
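As an added example of the second factor described in the MFA bullet above (not code from the original post or from the consultancy), here is a minimal server-side implementation of the time-based one-time codes that authenticator apps produce, following RFC 4226 (HOTP) and RFC 6238 (TOTP) with only the Python standard library. The shared secret shown is the RFC 6238 test secret, used so that the output is reproducible; in practice each user is enrolled with a fresh random secret from new_shared_secret().

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def new_shared_secret(nbytes: int = 20) -> str:
    """Per-user secret enrolled into the authenticator app (QR code or typed in).
    Base32 is the encoding those apps accept; 20 bytes is the RFC 4226 minimum."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second windows since the epoch."""
    now = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(now) // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the counter that matched (persist it as the
    user's last_counter) or None. Accepts `window` steps either side of now to
    tolerate clock drift, rejects any counter already used so a code cannot be
    replayed, and compares in constant time."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now = time.time() if at_time is None else at_time
    counter = int(now) // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), submitted):
            return candidate
    return None


# RFC 6238 test secret (ASCII "12345678901234567890"); used here only for reproducibility.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at_time=59))                       # 287082 (RFC 6238 vector)
    print(verify_totp(RFC_TEST_SECRET, "287082", at_time=59))      # 1: accepted, counter 1
    print(verify_totp(RFC_TEST_SECRET, "287082", at_time=59,
                      last_counter=1))                             # None: replay rejected
```

Two details in verify_totp matter more than the arithmetic: the comparison is constant-time, and the matched counter is handed back so the caller can store it and refuse the same code twice. A drift window of one step either side is typical; widening it to accommodate badly synchronised phones also widens the time an intercepted code stays usable.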

To learn more about cybersecurity for your business, contact us at, or call 800.299.1704.

Get a free assessment

Your custom cybersecurity check-up identifies where you’re secure and where you’re not. Fill out the information below to schedule a FREE network and cybersecurity consultation with one of our local IT Business Consultants. There are no obligations, and you will walk away with information on how you compare to today’s IT and cybersecurity best practices.