Why small businesses are primary targets
Small businesses are the most targeted sector for credential-based attacks — not the least. The logic from an attacker's perspective: large enterprises have security teams, endpoint detection, and SIEM tools that make sustained attacks expensive. Small businesses typically have none of these. The attack difficulty is lower, the credential hygiene is usually worse, and cyber insurance coverage (if it exists) means there may be a payout at the end.
The FBI's Internet Crime Report consistently places business email compromise (BEC) and credential theft among the top losses for small businesses. A compromised email account can redirect invoices, authorize wire transfers, and access banking portals. The financial impact of a single credential compromise often exceeds $50,000 for small businesses, primarily through fraudulent transfers that are not recoverable.
The three biggest credential risks
1. Shared passwords across the team. The most common small business credential failure: one password for the company's social media, one for the shared email inbox, one for the accounting software. When an employee leaves, no one changes it. When a breach occurs, it's unclear whose credentials were involved. Shared passwords eliminate accountability and make revocation impossible.
2. Password reuse. The business owner using the same password for personal email, the business bank portal, and the company Wi-Fi router is the norm, not the exception. When any one of these is breached (and personal email accounts are breached constantly), all of them are exposed simultaneously.
3. No offboarding process. An ex-employee who still has login credentials to the company's Shopify store, G Suite account, or QuickBooks is not an abstract risk — it is an active security incident waiting to happen. Departing-employee access revocation is the most consistently overlooked credential control in small businesses.
Writing a simple password policy
You do not need a security team to write a usable password policy. A one-page document is sufficient. The essentials:
- Minimum length: 12 characters for all accounts. 16+ for banking, accounting software, and email.
- No reuse across accounts: Every system gets a unique password. The password manager handles this — employees don't need to memorise unique passwords for each system.
- Password manager required: Specify the approved tool (see next section) and state that it is the required mechanism for storing business credentials.
- MFA on all critical accounts: Define "critical" for your business — typically: email, banking, accounting software, CRM, primary cloud provider.
- No sharing: Each employee has their own credentials to each system. Shared accounts are documented exceptions, managed through the password manager's shared vault feature.
- Offboarding: All access must be revoked within [24 hours] of departure. One person is responsible for this.
Post this somewhere visible. Review it annually. Update it when you add new critical systems to the business.
Choosing a business password manager
A business password manager is the single highest-impact security investment for a small business. It enables unique passwords without cognitive burden, handles team sharing securely, and provides audit logs for compliance purposes.
The main options for small businesses:
| Product | Price | Best for |
|---|---|---|
| 1Password Teams | $4/user/month | Best UX, easiest adoption, excellent support |
| Bitwarden Teams | $3/user/month | Open-source, self-hostable, lower cost |
| Dashlane Business | $8/user/month | Includes dark web monitoring and VPN |
| Keeper Business | $4.50/user/month | Strong compliance reporting features |
Rolling out MFA without IT staff
Multi-factor authentication is the most impactful single control you can add after a password manager. The implementation is straightforward even without a dedicated IT team:
- Prioritise by risk: Start with email (everything else can be reset from email), then banking and accounting, then CRM and customer data systems.
- Choose authenticator apps over SMS: Google Authenticator, Authy, or the MFA built into 1Password are more secure than SMS codes and work offline. Avoid SMS where possible.
- Set a deadline: "All employees will have MFA enabled on company email by [date]." Without a deadline, adoption stalls.
- Enforce at the platform level where possible: Google Workspace and Microsoft 365 both support mandatory MFA policies — turn them on so employees can't opt out.
- Document backup codes: Every MFA setup generates backup codes. Store these in the business password manager, not in someone's personal email.
Handling shared accounts and logins
Some accounts genuinely need to be shared — a company social media account, a shared email inbox, a vendor portal with a single-user license. The secure way to manage these:
- Store shared credentials in a dedicated shared vault in your password manager — all team members access via their individual login to the password manager, not by knowing the actual credential
- When a team member leaves, change the shared credential immediately — this is much easier when it's in a password manager vault than when it's stored in people's heads
- Document every shared account in the vault with context: what it's for, who manages it, when it was last rotated
- Consider whether a shared account can be replaced with individual provisioned accounts — many services that used to require shared logins now offer team plans with individual accounts
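The policy checks above (minimum length, 16+ for critical systems, no reuse) and the shared-account documentation rules in this section can be audited mechanically from a password-manager export. The following script is an added example, not the article's or any vendor's code; it assumes a constructed CSV layout (`name,username,password,critical,shared,owner,last_rotated`) with made-up credentials, and a 90-day rotation threshold for shared accounts that the article does not specify. Delete the export once the audit has run.

```python
"""Audit a password-manager export against the one-page policy above."""
import csv
import io
from collections import defaultdict
from datetime import date

MIN_LEN = 12              # policy: all accounts
MIN_LEN_CRITICAL = 16     # policy: banking, accounting software, email
MAX_ROTATION_DAYS = 90    # assumption for shared accounts; the article gives no number

# Constructed sample export with made-up credentials; the column layout is an
# assumption (real 1Password/Bitwarden exports use different headers).
SAMPLE_EXPORT = """\
name,username,password,critical,shared,owner,last_rotated
Business bank,owner@example.com,Tr0ub4dor&3,yes,no,alice,2024-01-10
Company email,owner@example.com,Tr0ub4dor&3,yes,no,alice,2024-01-10
Social media,marketing,c0rrect-horse-battery-staple,no,yes,bob,2023-06-01
Vendor portal,shared,xK9#mQ2$vL8@pR4!wZ7,no,yes,,2024-03-01
QuickBooks,books@example.com,Lq7!vW2$nB9@kT4#mZ1&,yes,no,carol,2024-02-15
"""

def audit(export_csv: str, today_iso: str) -> list[str]:
    """Return one finding per policy violation found in the export."""
    today = date.fromisoformat(today_iso)
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    findings = []
    by_password = defaultdict(list)       # password -> account names using it
    for r in rows:
        pw = r["password"]
        by_password[pw].append(r["name"])
        need = MIN_LEN_CRITICAL if r["critical"] == "yes" else MIN_LEN
        if len(pw) < need:
            findings.append(f"{r['name']}: password is {len(pw)} chars, policy requires {need}")
        if r["shared"] == "yes":
            if not r["owner"]:
                findings.append(f"{r['name']}: shared account has no documented owner")
            age = (today - date.fromisoformat(r["last_rotated"])).days
            if age > MAX_ROTATION_DAYS:
                findings.append(f"{r['name']}: shared credential last rotated {age} days ago")
    for names in by_password.values():
        if len(names) > 1:                # same secret on more than one system
            findings.append("reused password across: " + ", ".join(names))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, "2024-04-01"):
        print(finding)
```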
When someone leaves
Employee offboarding is where most small business credential disasters originate. A disgruntled ex-employee with access to the business email is a serious incident. A checklist for every departure:
1. Suspend or delete their account in your Identity Provider (Google Workspace, Microsoft 365) — this disables all SSO-connected apps simultaneously
2. Remove them from the business password manager organisation
3. Change all shared credentials they had access to
4. Revoke their access in any systems with direct logins (accounting software, banking, e-commerce platforms)
5. Recover any company devices and remotely wipe if recovery is not possible
6. Review recent activity logs for unusual actions in the 2 weeks before departure
Steps 1 and 2 should happen on their last day, before they hand in their badge. Step 3 should happen within 24 hours. Everything else within one week.
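The activity review in the last checklist step is easier if it is scripted against the audit-log export from your identity provider. The script below is an added example, not from the article: it assumes a constructed, simplified one-line-per-event log format (real Google Workspace or Microsoft 365 exports differ) and a watchlist of actions chosen here, not by the article, and reports the departing user's watchlisted actions in the final 14 days.

```python
"""Pre-departure activity review for the offboarding checklist."""
from datetime import datetime, timedelta

# Actions worth a second look in the final two weeks (assumed list, not the article's)
WATCHLIST = {"export_data", "create_forwarding_rule", "share_external", "disable_mfa"}

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-01T10:00:00 user=bob action=login target=mail
2024-03-18T16:42:00 user=bob action=create_forwarding_rule target=bob.personal@example.net
2024-03-20T09:12:00 user=bob action=export_data target=customers.csv
2024-03-21T11:05:00 user=alice action=export_data target=invoices.csv
2024-03-25T14:30:00 user=bob action=login target=quickbooks
2024-03-27T17:55:00 user=bob action=share_external target=pricing-2024.xlsx
"""

def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts_str, *fields = line.split()
    entry = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        entry[key] = value
    return entry

def review(log_text: str, user: str, departure_iso: str, window_days: int = 14) -> list[str]:
    """Return watchlisted actions by `user` in the `window_days` before departure."""
    departure = datetime.fromisoformat(departure_iso)
    start = departure - timedelta(days=window_days)
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e.get("user") != user or not (start <= e["ts"] <= departure):
            continue                      # other users, or outside the window
        if e.get("action") in WATCHLIST:
            flagged.append(f"{e['ts'].isoformat()} {e['action']} -> {e.get('target', '')}")
    return flagged

if __name__ == "__main__":
    for item in review(SAMPLE_LOG, "bob", "2024-03-29"):
        print(item)
```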
Compliance without an IT department
Many small businesses unexpectedly need to demonstrate basic security compliance — for a customer enterprise contract, a cyber insurance application, or an industry certification. The password controls that come up most frequently:
- Cyber insurance: Most cyber insurers now require MFA on email and banking, a documented password policy, and evidence of a password manager. These are the three baseline controls.
- Customer security questionnaires: Enterprise customers increasingly ask vendors about credential management. "We use 1Password Business with mandatory MFA on all critical systems" is a credible, complete answer.
- SOC 2 (if you're heading there): Start with the password manager and MFA now — you'll need evidence that controls were operational for 6–12 months. Retroactively implementing controls doesn't satisfy a Type II audit.
Quick wins this week
If you do nothing else, do these five things in the next week:
- Sign up for a business password manager and invite your team
- Enable mandatory MFA on your Google Workspace or Microsoft 365 tenant
- Change the passwords on your business banking portal and accounting software to randomly generated 16-character credentials stored in the password manager
- Write a one-page password policy — even if it's just the bullet points from the "Writing a simple password policy" section above
- Create an offboarding checklist and assign one person to own it
These five steps reduce your credential attack surface by an estimated 80%. The remaining 20% is incremental hardening you can address over the following months.