Share This Article
For businesses with 5 to 200 staff, you might assume that you’re too small to be a target for cyber-criminals.
The opposite is true: many attacks focus on organisations just like yours because they’re perceived as more vulnerable.
Weak password practices are one of the top entry points for an attack.
Many UK businesses we’ve meet are often:
When passwords are treated casually, the consequences can include:
Unauthorised access to systems, data theft or ransomware
Loss of accountability (who logged in, who made the change?)
Compliance failures (e.g., National Cyber Security Centre (NCSC) / UK GDPR / Cyber Essentials implications)
Damage to productivity and business continuity
Stream Our Free Webinar
We went live talking to a variety of UK businesses owners sharing everything you need to know to keep your business safe with secure passwords.
Here’s a breakdown of what you’re risking when you allow or tolerate password sharing among employees:
When your team shares credentials rather than each person having their own login, you weaken security.
Hackers look for weak passwords, reused passwords and shared credentials.
If multiple people use the same account or password, you lose the ability to track who did what. This is a major issue if something goes wrong (accidentally or maliciously).
Many sectors in the UK require businesses to adopt reasonable technical and organisational measures to protect data. Shared passwords can undermine that duty.
Sharing credentials increases the risk of insider threats, whether this is done intentionally or accidental.
If an ex-employee keeps access, or someone uses another person’s credentials, your internal controls become weak and unsecure.
Using a shared login can cause bottlenecks (who changed the password?), confusion, and increased overhead when people leave or change roles.
Strengthening password security doesn’t have to be complicated.
Here’s a practical, business‑ready checklist you can roll out immediately complete with examples to help your team understand what “good” looks like.
A consumer tool isn’t enough for a team environment. Choose a password manager that supports:
Secure password sharing
Access auditing
Role‑based permissions
Centralised admin control
Password managers allow you to share credentials without ever exposing the actual password.
Click here to book a free password manager demo
Give employees access only to the systems they genuinely need.
Example:
Marketing team: access to social media accounts
Finance team: access to accounting software
No one except IT: access to admin consoles
Multi‑Factor Authentication should be mandatory especially for admin or privileged accounts.
Use app‑based MFA (Microsoft Authenticator, Google Authenticator) instead of SMS where possible.
Make it a formal policy: no password sharing via email, chat, WhatsApp, SMS, social media, or phone. Instead of sending a password in Teams, share access securely through your password manager.
When someone leaves or changes role, revoke access immediately and update any shared credentials.
Create a 24‑hour off‑boarding checklist that includes:
Disable accounts
Remove shared vault access
Rotate shared passwords
Run a short awareness session explaining:
Why password sharing is dangerous
How to use the password manager
What the company policy requires
No reuse. No weak passwords. Encourage passphrases or let the password manager generate them.
Example:
Weak: Summer2024!
Strong passphrase: PurpleHedgehogPlaysGuitar
Password‑manager generated: T9!fL2@qP7#x
Review who has access to what and remove anything unnecessary.
You can do this by checking password manager logs monthly to see:
Who accessed shared credentials
Whether any passwords haven’t been rotated
Any unusual login activity
Document your password rules so everyone understands expectations.
Password creation requirements
Sharing rules
MFA requirements
Consequences for non‑compliance
We recommend you to store your policy in your internal knowledge base and require annual acknowledgement.
You need to plan and ensure your team know exactly what to do if a password is leaked or compromised to ensure the fastest possible resolution to minimise disruption on your business.
Example: Your response plan should include:
Immediate password rotation
Revoking affected accounts
Reviewing access logs
Notifying relevant teams
Download Our Free Password Policy Template
If you haven’t already ensure you have a secure password policy in place so that every employee is aware of the guidelines you have set.
If you havent implmented one yet, not to worry!
Download our free template for help getting started.
For a small to medium business, the cost of a single breach (data loss, downtime, reputation loss, regulatory fines) often far outweighs the modest cost of a strong password management solution and a bit of training.
As one UK SME advisor puts it:
Many small businesses treat password management as optional, but when you look at the damages, it’s anything but optional.
Short answer: No, not if you’re sharing them the usual way. Localised, casual sharing (e.g., via email, WhatsApp, Teams) creates risk.
The Best practice is to avoid manual sharing of raw passwords.
The UK Government guidance states: “You should never allow password sharing between users.”
That said: If you must share access, use secure tools/controls rather than handing over the password itself.
Want to explore these secure options?
No, Text message or SMS is generally insecure for sharing passwords.
This is due to messaging apps being vulnerable to being intercepted.
If you want to explore more secure password sharing options click here to book a demo
No, WhatsApp is generally not recommended for sharing passwords even though they promote secure messaging and are a lot further forward than some other apps, this is still not recommended for best practices.
This is due to messaging apps being vulnerable to being intercepted.
If you want to explore more secure password sharing options click here to book a demo
No Text Message both (SMS, MMS as well as iMessage) are generally insecure for sharing passwords. For example:
Messaging apps or text: messages may be intercepted, phones may be compromised.
Want to explore these secure options?
No, any of these types of channels not matter what provider are generally insecure for sharing passwords. For example:
you cannot guarantee the listener is authorised, nor control logging of the password.
Want to explore these secure options?
No Facebook channels are generally insecure for sharing passwords.
For example:
Social media/Instagram/Facebook messaging: not designed for confidential password transmission, risk of account compromise, lack of audit.
In effect, sharing via these channels exposes the password to unnecessary risk.
Instead, use a proper password manager or secure vault that controls access.
Want to explore these secure options?
No Instagram generally insecure for sharing passwords. For example:
Social media/Instagram/Facebook messaging: not designed for confidential password transmission, risk of account compromise, lack of audit. In effect, sharing via these channels exposes the password to unnecessary risk.
Instead, use a proper password manager or secure vault that controls access.
Want to explore these secure options?
The platform itself may be secure, but if you simply write a password in a Trello card or pass it via 3CX chat or phone, you end up with the same risk: uncontrolled exposure, lack of audit, no individual accountability.
A better approach is: each user gets their own credentials, roles/permissions are assigned appropriately, and if a shared account is unavoidable, manage it via a vault.
Want to explore these secure options?
The platform itself may be secure, but if you simply write a password in a Trello card or pass it via 3CX chat or phone, you end up with the same risk: uncontrolled exposure, lack of audit, no individual accountability.
A better approach is: each user gets their own credentials, roles/permissions are assigned appropriately, and if a shared account is unavoidable, manage it via a vault.
Want to explore these secure options?
A robust password policy should include:
Every individual has a unique account for business systems (avoiding shared user accounts).
Requirements for password creation (length, uniqueness, avoid reuse across systems).
Conditions when shared/generic accounts may be used, and how access is managed (e.g., via a vault, logs, regular review).
Use of multi-factor authentication (MFA) or other measures as a standard for critical systems.
Process for changing passwords when someone leaves, a system is compromised, or when a generic/shared account is used.
Training for staff so they understand the risks of password sharing and weak credentials.
Giles Cleverley founded Syn-Star in 2002 shortly after graduating from Portsmouth university with an honours degree in Business & Economics.
His extensive knowledge and experience in IT strategy and business technology solutions. He is passionate about driving innovation and delivering tailored IT support that helps UK small and medium size businesses thrive. Under his leadership, Syn-Star continues to provide cutting-edge managed IT services designed to meet the evolving needs of modern organisations.
Learn more about IT Support
Share this article
Sign up to our newsletter
Partnerships
You’re device is on an Unsupported Windows Operating System for your security, please contact us.
Team Productivity:
You and your team are able to see where they are using their time and how productive they are actually being. Also they are able to clock in and out, so really good for flexi-working.
Team Monitoring:
If you would like to know what your team is doing and how productive they are being, we are able to monitor them and create screenshots of what they are working on. This can be run in normal or stealth mode.
Book a FREE fact finding session to discuss the different options.
We proactively seek opportunities to support good causes for our community.
From sponsoring local community football teams, to engaging with charity fundraiser days, we believe it’s important to continually strive to do good for the better of others.
We have members who volunteer with youth organisations, are engaged with the Round Table, run marathons and volunteer at events where we may be needed. Every charity receives a discounted IT and Telecoms service too.
Protecting your digital data is crucial for every business and this can start with the industry-leading security we offer. The Syn-Star specialists can help with identifying any vulnerabilities within your IT systems and act accordingly to ensure cyber-attacks and data breaches are mitigated.
Your business will never fall behind with its technology when you work with Syn-Star.
We understand IT and Telecoms for your business is an investment, but it’s important to use the best resources available to enable the growth of your business. Our IT Consultancy and Virtual IT Director Services are available to support you with how you use your business technology for years to come.
Syn-Star can conduct quick and easy phishing exercises to identify people within your team who need to improve on their knowledge around fraudulent emails and how they can be alerted to these threats.
At Syn-Star, our experts can proactively work to understand exactly what software you need to support with the business operations. Whether you need a listening ear on what software to choose, or would like to seek some specialist knowledge, we’re here to help where we can.
At Syn-Star, we keep Telecoms simple. There’s so much available to help UK companies with their communications. VoIP systems, fixed landline, cloud phone systems, SIP trunking and more. Contact us for further details.
Desk phones, cordless phones or conference phones, Syn-Star can provide you with whatever you need.
From conference calling facilities to the headsets which work best for your team, we’re able to provide all the equipment you need and complete any telecoms job from start to finish.
There is no need to be in the office to make and receive phone calls from your company’s number. Our market-leading Telecoms platform gives you the flexibility of desk phones, soft phones and mobile apps as standard.
Whether your team works remotely, or perhaps staff are on a business trip anywhere in the world, calls can still be made, and people are reachable via phone wherever they go.
With a range of products, our team can support you by installing exactly what you need for internet connectivity. We work with the very best products to provide speedy bandwidths which play a part in the increased productivity of your team.
