The Password Paradox and Its Impact on UK Businesses
For decades, technology leaders have been predicting that passwords for authentication would soon be a thing of the past. In the late 1990s, Sun Microsystems co-founder Scott McNealy said they were inefficient, easily compromised, and on their way to being replaced by futuristic technologies like biometrics. At a 2004 conference, Bill Gates, for similar reasons, said their demise was imminent. So did former Google CEO Eric Schmidt in 2011, pointing to the potential of the newly ubiquitous smartphone as a more secure and convenient way for people to verify their identities.
It’s 2024 now, and the password still reigns supreme. Sure, Face ID, fingerprint scanners, and two-factor authentication have become ubiquitous, but passwords aren’t just here to stay—they’re proliferating throughout our digital lives. Even as we continue to embrace a slew of smart devices and online services, the number of passwords we manage has skyrocketed in recent years. A recent study found that the average person uses passwords for 168 accounts, from social media to banking, with an average of 87 passwords for work accounts.
The fundamental problem with passwords is that they are often too easy to guess or too difficult to remember. Compared to biometrics and more advanced methods, they are vulnerable to security breaches and are inconvenient as a sole authentication method. Their staying power, however, can be attributed to their simplicity and widespread adoption.
In general, passwords can still be effective, as long as they are complex enough and not reused across multiple sites. The UK government has taken steps to address this by passing legislation banning the use of universal default passwords for smart devices. Parallel recommendations from the National Cyber Security Centre (NCSC) encourage stronger passwords and changing them regularly.
Businesses have generally not been as proactive. Looking at UK government data collected over the last eight years, we see a precarious situation for commercial password security, and the financial implications could be severe.
The author, from Payset, focuses on technology, economics and the relationships between them.
Too many UK businesses are neglecting password security
Despite the rapid evolution of cybersecurity technologies, government data from the last eight years shows that almost three in 10 UK businesses continue to treat password security with worrying levels of neglect. This complacency poses risks not just to the businesses themselves, but also to their customers and the wider digital ecosystem.
Year after year, government surveys show a consistent picture: while some companies are guarding against cyberattacks, too many are lax in enforcing strong password policies.
In 2017, 31% of organizations reported having no formal password policy. This number has fluctuated slightly in subsequent years, dropping to a low of 19% in 2020, but creeping back up to 28% in 2024. On average, 27% of UK businesses have failed to enforce critical password security measures over these eight years.
These statistics reflect a wider trend of inconsistency and underestimation of cybersecurity threats among UK businesses. Weak password policies can easily lead to serious consequences and the economic impact is significant. For businesses without adequate protection, the price of an attack can be not just immediate financial losses, but also long-term damage, such as legal repercussions and loss of consumer confidence.
The most disruptive cyberattacks can lead to operational paralysis and significant financial loss. UK government data from 2024 shows that the direct cost of these incidents, ranging from specialist intervention to legal costs, averages £10,830. When the wider impact, such as loss of data and assets, is considered, these costs can rise to as much as £40,400 per incident. With 41% of businesses reporting that they had experienced some form of cybersecurity breach annually in the past eight years, the cumulative economic burden is significant.
The cyber threats facing UK businesses
UK businesses face a range of cyber threats that can jeopardise their operations and integrity. Here are the main types:
Phishing attacks: The most common threat, affecting 80% of reported cases, involves deceptive emails or messages designed to steal sensitive information such as login credentials and financial data.
Impersonation and fraud: Attackers often pose as legitimate companies or contacts to gain trust and then steal important information, affecting approximately 29% of companies.
Malware: Malware, including viruses and spyware, is installed without your knowledge to damage systems or steal data. 18% of businesses are affected by this each year.
Ransomware: This type of attack, which affects 9% of companies, involves hijacking a company’s data or systems and demanding payment for their release.
Hacking online accounts: Direct attacks on business accounts, especially bank accounts, also pose a significant threat.
Denial of Service (DoS) attacks: These attacks aim to overload systems and render websites or online services unusable, disrupting business operations.
Internal threats: Sometimes the risk comes from within, for example when employees have unauthorized access to sensitive information.
The consequences of these attacks extend beyond the immediate disruption and financial loss. They can undermine customer confidence, damage a company’s reputation, and lead to long-term revenue losses. In addition, the regulatory penalties for failing to protect data carry their own financial burdens and legal liabilities.
Nine Ways Businesses Can Keep Their Passwords More Secure
As passwords continue to proliferate, there are many ways businesses can protect themselves from cybersecurity threats. Here are the best:
1. Use strong, complex passwords
Encourage passwords that are long (at least 12 characters) and contain a mix of uppercase and lowercase letters, numbers, and symbols. Avoid common words and predictable patterns.
2. Implement two-factor authentication (2FA)
Adding a second layer of security beyond a password significantly reduces the risk of unauthorized access. Authentication factors fall into three categories: something the user knows (a password), something the user has (a smartphone or security token), or something the user is (biometric data). 2FA pairs the password with a factor from one of the other two categories.
3. Train employees
Regular training sessions on cybersecurity best practices and the latest phishing scams can raise awareness and prepare employees to act safely. Phishing simulations can also be a practical training tool.
4. Update and manage passwords regularly
Use a password manager to generate and store complex passwords. This reduces the burden on people to remember them all and makes it easy to have unique passwords for multiple sites.
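Items 1 and 4 above describe a policy (at least 12 characters, all four character classes, no common words or predictable patterns) and the use of a generator so that people do not have to invent such passwords themselves. The block below is an added example, not code from the article or from Payset, that enforces that policy and generates compliant passwords from the operating system's CSPRNG. The deny list `COMMON_WORDS`, the keyboard rows and the definitions of "predictable pattern" (a run of four sequential characters, a keyboard run, or a character repeated three times) are assumptions made for the example; a real deployment would check against a full breached-password list.

```python
import re
import secrets
import string

MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"

# Constructed deny list standing in for a real breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "qwerty", "company"}

# Assumed keyboard rows used to detect runs such as "asdf" or "7890".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters stepping by +1 or -1 (abcd, 4321)."""
    lower = pw.lower()
    for i in range(len(lower) - run + 1):
        codes = [ord(c) for c in lower[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    lower = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            fragment = row[i:i + run]
            if fragment in lower or fragment[::-1] in lower:
                return True
    return False


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    lower = pw.lower()
    if any(word in lower for word in COMMON_WORDS):
        problems.append("contains a common word")
    if has_sequence(pw) or has_keyboard_run(pw):
        problems.append("contains a predictable sequence")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character three or more times")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password from the OS CSPRNG (secrets) that satisfies check_password.
    Rejection sampling keeps the distribution uniform over the accepted set."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Password1234!", "short", generate_password()):
        print(repr(sample), "->", check_password(sample) or "OK")
```

The checker is what a password manager or an account-creation form would run; the generator is what the manager does on the user's behalf, which is why item 4 pairs the two.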
5. Enforce password changes after security incidents
While it is generally not recommended to change passwords regularly, it is critical to update passwords immediately following a security breach or suspicious activity.
6. Limit the use of privileged accounts
Ensure that accounts with administrative privileges are only used when needed and have the strictest security measures. Regular audits of user privileges can help prevent abuse and reduce the risk of insider threats.
7. Monitor and respond to breaches
Implementing security tools that detect unauthorized access and other suspicious activity can enable companies to respond quickly to potential breaches. Regularly review security settings and access logs to detect incidents early.
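Reviewing access logs for early signs of an attack, as item 7 advises, can be automated with a small amount of logic. The block below is an added example, not code from the article or from Payset: it parses sshd-style authentication lines, raises an alert when one source address produces five failures within five minutes (a password-guessing pattern), and raises a second, higher-priority alert when a login from that source then succeeds. The sample log lines, the thresholds, the assumed year for syslog timestamps, and the address values are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd-style syslog format (not real log data).
SAMPLE_LOG = """\
Jun 12 09:14:01 app1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jun 12 09:14:03 app1 sshd[2203]: Failed password for root from 203.0.113.7 port 50212 ssh2
Jun 12 09:14:05 app1 sshd[2205]: Failed password for root from 203.0.113.7 port 50213 ssh2
Jun 12 09:14:06 app1 sshd[2207]: Failed password for alice from 203.0.113.7 port 50214 ssh2
Jun 12 09:14:08 app1 sshd[2209]: Failed password for alice from 203.0.113.7 port 50215 ssh2
Jun 12 09:14:10 app1 sshd[2211]: Accepted password for alice from 203.0.113.7 port 50216 ssh2
Jun 12 09:20:00 app1 sshd[2300]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Jun 12 09:31:00 app1 sshd[2310]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

THRESHOLD = 5                   # failures from one source address ...
WINDOW = timedelta(minutes=5)   # ... within this sliding period
YEAR = 2024                     # syslog timestamps carry no year; assumed for parsing


def parse(line: str):
    """Return (timestamp, result, user, ip) for an auth line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(log_text: str) -> list:
    """Return alert strings. A burst alert fires once per source when THRESHOLD
    failures fall inside WINDOW; a success alert fires whenever a login from a
    source with recent failures is accepted, since that may be a guessed password."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside WINDOW
    burst_reported = set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > WINDOW:   # expire failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= THRESHOLD and ip not in burst_reported:
                alerts.append(f"{ip}: {len(q)} failed logins within {WINDOW} (password guessing?)")
                burst_reported.add(ip)
        elif q:
            alerts.append(f"{ip}: successful login as {user} after {len(q)} recent failures")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running this over the sample produces two alerts for 203.0.113.7 and none for 198.51.100.9, whose single failure is outside the window by the time the login succeeds. In practice the same logic would be fed from the central log collector rather than a string, and the thresholds tuned so that ordinary typos do not page anyone.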
8. Secure wireless networks
Ensure corporate networks, especially Wi-Fi networks, are secure, encrypted, and hidden. Use network firewalls and segment networks to protect sensitive data.
9. Control physical access
Restrict physical access to critical infrastructure to authorized employees. This helps prevent unauthorized personnel from accessing and potentially compromising systems.
The Importance of Cyber Hygiene
Despite advances in cybersecurity and the push for more robust authentication methods over the past few decades, passwords continue to anchor our digital identities. Data from the UK government over the past eight years highlights a stark reality: three in 10 UK businesses aren’t paying enough attention to password security.
This indifference exposes businesses to a spectrum of cyber threats, ranging from data breaches to operational disruptions, that not only incur financial costs but can also undermine trust and damage reputations in the long run. Effective password management is the foundation of cybersecurity. Given the consequences of indifference, it’s clear: implementing cyber hygiene practices isn’t just a technical imperative, it’s a business imperative.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc. If you’re interested in contributing, you can read more here: