Antivirus vs anti-malware: what’s the difference?


Antivirus and anti-malware are the basic building blocks for any small and medium enterprise’s (SME) cybersecurity strategy. They’re the most well-known cybersecurity tools, and it’s rare to find a business that doesn’t use one.

But do you know what they protect you from, the difference between an antivirus and an anti-malware, and whether you need both? Let’s explore these key talking points.

Malware vs viruses

Before discussing the merits of the two types of software, we must tackle the difference between viruses and malware. Most people assume that the two things are synonymous. Isn’t ‘virus’ just a slightly dated way to say ‘malware’?

That’s almost correct. However, this is the world of cybersecurity, so things are always a little more complicated than they first appear.

The term ‘virus’ describes malicious code that can copy itself from file to file and machine to machine – just like a biological virus. The code damages your device by corrupting your system or destroying data. Viruses are also usually considered legacy threats that have existed for a long time, and today’s cybercriminals rarely use them.

On the other hand, malware is an umbrella term that refers to many different threats. These range from ransomware to spyware and even some newer viruses (confusing, we know). The key difference is its novelty. 

The threats under the term malware are new, constantly evolving, and very much in use among modern cybercriminals. So, antivirus software providers have upped their game to protect customers.

Considering cybersecurity certification but not sure where to start? Check out our guide to certifications in the UK.

Antivirus vs anti-malware: the key differences explained

As you might expect, antivirus usually deals with older, more established cyber threats. To illustrate, think of warnings from the noughties – endless error pop-ups, trojan horses, and worm viruses. These attacks typically enter your business through tried and tested routes such as email attachments, corrupted USBs, and other standard cyber threat delivery methods.

These cyber nasties are generally very predictable and easy to counter. However, they can still do plenty of damage if left unchecked. 


Anti-malware software focuses on defending against the latest threats. A good anti-malware protects your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Anti-malware usually updates its rules faster than an antivirus, making it the best protection against any new threats you might encounter. 

Antivirus vs. anti-malware: which should you choose?

At this point, you might be wondering why you need an antivirus if anti-malware can protect your devices against the most common types of cybercrime.

Although this is a valid question, it’s a risky way to approach cybersecurity. Sure, most of the threats covered by antivirus might be dated and rarely used by the bad guys. However, that doesn’t mean they no longer exist or that they can’t still give you a significant cybersecurity headache.

Doing without antivirus is a bit like a state deciding to focus exclusively on protection from nuclear threats while neglecting the potential for invasion by land. It’s a flawed approach that leaves your business open to attack. Instead, it’s better to take a layered approach to your cybersecurity – by which we mean installing antivirus and anti-malware software to protect your business against new and old threats.

Choosing cybersecurity solutions isn’t an either/or dilemma

Antivirus and anti-malware aren’t mutually exclusive. A truly effective cybersecurity strategy includes tools, training, and measures to counter any threat. Something as simple as a Cyber Essentials certification ensures your business complies with the basic requirements to deter cyber threats. This is because the steps to get qualified include:

  • Data encryption
  • Firewalls
  • User access management
  • Software and operating system updates

You get support and clear step-by-step instructions for mitigating malware in your business so you don’t overlook any vulnerabilities. Learn how easy it is to get certified today.


How to achieve Cyber Essentials certification when your business works remotely

If your business has employees who are hybrid or remote workers, you need to ensure their devices are secure and meet the requirements of Cyber Essentials. Cyber Essentials is the UK standard for organisations to follow to remain safe and secure from cybersecurity threats, and its requirements continue to be updated. Here’s how to make sure you’re covered when working remotely.

What are the steps to achieve Cyber Essentials certification remotely?

  1. Make sure your employee networks meet Cyber Essentials requirements
  2. List the equipment that each remote employee is using
  3. Check software and licenses are up to date

What is a network?

Any single device connected to a router can be considered a network. For the purpose of Cyber Essentials, your ‘network’ is the devices linked to share resources, exchange files, or allow communication. 

For example, think of your office printer. Rather than setting up a single printer for every employee, you’ll have a single printer that everyone can use (and you’ll argue over whose turn it is to change the toner). This is the perfect example of a network.

What does a network look like in practice?

Most offices and workplaces use a Local Area Network (LAN). A LAN is usually confined to a small geographic area, say an office in Bow or a warehouse in Bolton. A LAN allows every device within the network to use a single internet connection, share files, and access or control other devices. 

It’s possible to connect everything from printers and phones to smart TVs, speakers, and security cameras. You can even connect the office fridge. 

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

How to get Cyber Essentials certified when working remotely

1. Check employee networks meet Cyber Essentials requirements

We’ve just gone through what a network is. However, with remote working, networks might look a little different. 

Any device connected to a router is considered a network. With multiple remote workers, you’ll have multiple networks. 

All you need to do is ensure that each router meets the requirements of Cyber Essentials. For example, you should ask each employee to change the default password on their router.

2. List your remote employee equipment 

Question A2.8 of the Cyber Essentials assessment will require you to list all of your network equipment. But don’t worry, it’s pretty simple.

All you need to do is list the equipment each employee is using, as if you were in the office. 

What might this look like in practice? Let’s imagine a company with ten staff working from home. An equipment list will look something like this:

  • 2 x Sky broadband with Sky router
  • 6 x BT broadband with BT hub router
  • 1 x TalkTalk broadband with TalkTalk router
  • 1 x Virgin Media broadband with Virgin Media router

3. Check software and licenses are up to date

Any devices that home workers use to access organisation information should be covered by Cyber Essentials. And the software and licenses you use should be too. 

Make sure that software and licenses are:

  • Up to date, licensed, and supported
  • Removed from devices when they become unsupported
  • Set to update automatically where possible

But what about other elements of the Cyber Essentials assessment process? Fortunately, as the entire assessment can be conducted remotely, you can complete the process no matter where your staff are working from. 

Hopefully, we’ve cleared up most of the confusion surrounding networks and Cyber Essentials. However, if you have any further questions, please don’t hesitate to get in touch with our team. 

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.


Why you need a VPN for remote working


Despite the common perception, VPNs aren’t just a tool for surfing the shadowy underbelly of the internet. A VPN is a vital defence against cyber threats for anyone working remotely. Here’s why your staff need one. 

What is a VPN?

In simple terms, a VPN (or virtual private network) allows you to connect to business systems securely while using a public network. A ‘public’ network could be the free connection you get on public transport, the Wi-Fi at your favourite cafe, or even your home internet router.

How does a VPN work? 

The best way to think of a VPN is as a ‘tunnel’, used only by you, between your workplace and wherever you’re working from. 

Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. When you connect to the internet via a VPN, all your data is sent through this encrypted tunnel. This has a couple of key advantages over using a public network:

Greater privacy

VPNs obscure your internet activity from your provider and everyone else. This effectively makes you ‘anonymous’ on the internet. Not only is this great for privacy, but it also means your IP address and location are invisible, making it much harder for cybercriminals to intercept confidential company data. 

Improved safety

An encrypted tunnel is very, very difficult to hack. VPN Mentor has produced some interesting research on the subject and concludes that the only way hackers can break VPN encryption is either through a known weakness or by stealing the encryption key (more on encryption keys here).

Essentially, a VPN is a pretty sure-fire way to ensure your business devices aren’t vulnerable to attacks coming from public networks. 

Why should your business use a VPN for remote working? 

We highly recommend using a VPN if you have employees working remotely, but why? You may be wondering whether it’s really necessary. After all, won’t the existing security on employees’ devices protect them? 

Unfortunately, this simply isn’t the case. If your employees are using public networks or their home router, it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware.

There’s also the human element to all this. Research shows that many employees, whether consciously or not, engage in riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. Without the added layer of security a VPN offers, this confidential data could easily fall into the wrong hands.

Why you need a VPN for hybrid working too

If you’re planning on adopting ‘hybrid working’ as the norm post-pandemic, VPNs will be essential to keeping your business safe. 

Picture the scenario: one of your sales team has dropped into a coffee shop on the way back from an important meeting. They like the ambience of the place, so they decide to sit and fire off some emails and run through their sales deck while they sip a latte and munch on a croissant. To do this they need to connect to the cafe’s Wi-Fi, an unsecured public network.

Seems innocent enough, but on this particular day, a hacker is targeting the customers of this coffee shop. They see that your salesperson is working using the cafe Wi-Fi, and that’s all it takes. In a few seconds, the sales deck and confidential data have been stolen. Your business is facing a choice between a PR nightmare or a hefty bill to get it back.

How do you set up a VPN? 

The first step is to pick a provider. There are hundreds of VPN providers out there, each offering slight variations on the same service. Many businesses stick with the major providers such as NordVPN and ExpressVPN, and with good reason: both regularly win tech magazine ‘Editors’ Choice’ awards.

However, if you’re looking for the highest level of anonymity, smaller providers such as Mullvad VPN that require no payment or contact details could be the way to go. If in doubt, check out Tech Radar’s Best VPN Service 2021 list, it compares most of the major providers. 

Once you’ve picked, setting up a VPN is relatively easy. The set-up process is almost universal among VPN providers so it shouldn’t matter which you choose. We won’t go into exactly how you do it here, but this guide from The Verge covers everything you need to know. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.


How to shift to working from home permanently without compromising your cybersecurity

Coronavirus has the potential to change the world of work forever.

Unless you’ve spent the last few months consciously avoiding the media, chances are you’ve read that sentence a lot. From morning talk shows to breathless newspaper op-eds, it feels like everyone is talking about the society-wide shift to working from home.

But what started as a necessary evil that many businesses adopted reluctantly has turned into something else. First came announcements from Twitter and Facebook that employees would be allowed to ‘work from home forever’ if they chose. This was followed by a host of other businesses including Google, Amazon, JPMorgan, Capital One, Slack, Salesforce, Microsoft and PayPal extending their work-from-home options.

Why is this happening?

Well, it’s actually very simple. An increasing number of businesses are seeing the real benefits of a more permanent shift to remote working.

Why rent office space for 300 people when you could use a smaller venue for essential meetings at half the cost? Why insist staff make long commutes into the office, when they’re happier and more productive working from home? 

For many organisations, the COVID-19 pandemic has turned these questions from water cooler conversations into key pillars of business strategy. 

If your business is considering making the switch to permanent remote working, are you prepared for the risks you should be aware of? And, how can you overcome them and ensure your people are working safely? 

What risks does working from home present? 

While switching to remote working offers benefits in productivity and real estate savings, it also comes with some risks. Here are a few of the most common. 

Unsecured personal devices 

The first question to ask is: can you be sure your people will follow the same security protocols they would in the office? The networks and security tools your staff use at home are likely to be far less secure than those in the office. Home office networks are 3.5 times more likely than corporate networks to be infected by malware, according to a report from BitSight. 

There may even be a psychological element to this. As ZDNet has reported, 52% of employees believe they can get away with riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. 

Lack of remote-working policies and procedures

Part of the reason employees are exposing themselves to risk at home is simply a lack of knowledge of these risks. The COVID-19 pandemic developed so quickly that many businesses didn’t have time to put in place clear policies and procedures for working from home so employees were literally left to their own devices.

This makes cybersecurity a bit of a guessing game, particularly for the less security-literate of your staff. 

Heightened risk of attack

Cybercriminals are smart but they’re largely opportunistic. And it hasn’t taken them long to figure out that switching to remote working has made businesses vulnerable.

VMware’s recent Global Threat Report reveals that 91% of global respondents have seen an increase in cyber attacks as a result of employees working from home. Meanwhile, the proportion of attacks targeting remote workers increased from 12% of all email traffic in March to 60% just six weeks later.


Keen to exploit our hunger for coronavirus updates, cybercriminals have set up thousands of COVID-19-related ‘news’ sites. These double up as hosts for malware and domain names to launch phishing attacks from. Without the robust controls deployed by most corporate networks, it’s incredibly easy for people working from home to fall into the trap. 

The other area cybercriminals are targeting more regularly is VPNs. VPNs have long been a weak point for cybersecurity. They were only ever intended for small numbers of workers to use occasionally, not whole companies all the time. As a result, many VPNs are insecure and provide cybercriminals with a much wider ‘attack surface’ from which to launch threats.

Reliance on the Cloud

We talked about some of the potential issues with cloud storage in a recent blog and, while it’s the safest option for businesses, it’s not invulnerable to attack. 

Working from home naturally increases your reliance on the Cloud. And this isn’t necessarily a bad thing. However, cybercriminals are becoming better all the time at breaking through providers’ defences and intercepting data as it moves between employees’ devices and the cloud. 

How can you overcome these risks? 

We’ve tackled some of the risks involved in switching to working from home, so what can you do about it?

Provide clear policies and encourage communication

This is the most important step on this list. If your people don’t know which behaviours are harmful, they can’t correct them. Ensure all security policies for workers are clear and easy to follow. If you don’t have a remote working security policy, now’s the time to draft one.

Alongside this, work to foster a culture of communication. That way, employees will feel comfortable asking for help with anything they don’t understand and reporting anything suspicious to internal security teams. All too often, security mistakes are made because staff feel ‘silly’ raising their concerns. 

Ensure the right security is in place 

Many of the most common threats can be prevented simply by ensuring your people have the tools they need. Check that all corporate-owned or managed devices are equipped with the best security capabilities. Also, make sure that the security best practices you’d use in the office are extended to the home environment. 

Maintain good password hygiene

Set up a password policy and ensure everyone follows it. Employees should always use complex passwords and two-factor authentication, as well as change passwords regularly. 

Make sure software is up to date

Your employees should regularly install updates and patches for the software on their devices, no matter how much they might enjoy not restarting their laptop for months on end. 

Keep it professional

Encourage your workers to keep work devices for work and personal devices for everything else. Limiting the number of sites employees visit can limit the risk of attack. 

Secure Wi-Fi access points

Network gateways are an underappreciated aspect of good cyber hygiene. Most of us don’t think much about our Wi-Fi once it’s up and running. However, changing the default settings and passwords on a router can reduce the potential of attack from connected devices.

Understand the risks

Hopefully, this article has been some help in identifying some of the risks remote working presents. But it can’t be stressed enough that understanding the risks is key to preventing them. IT teams need to identify the most likely areas of attack and prioritise the protection of areas of your business that cybercriminals could do the most damage to. 

Although the switch to working from home comes with difficulties, it’s also a golden opportunity to remould the way your business functions. Alongside the obvious real estate savings, remote working promises happier employees, more productive work and greener business practices. Don’t let poor cybersecurity stand in the way of your business embracing the future.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Securing a remote workforce: customer spotlight on LegalEdge

LegalEdge had a remote workforce back when it was still a choice. For ten years, LegalEdge has made in-house legal services accessible to small businesses and start-ups using a uniquely flexible model and a completely remote team of lawyers.

Helen Goldberg, COO Legal Edge

We sat down with Helen to learn more about her security needs and how she uses CyberSmart Active Protect with her remote team.

What were the security and/or compliance challenges you were looking to overcome?

For the most part, the challenges we faced stemmed from the fact that all our lawyers work flexibly. On the one hand, with all that is going on now, this has put us in a fortunate position to continue business as usual. However, with everyone working from home or the coffee shop as well as using their own personal devices, this has the potential of leaving many loose ends that threaten our company’s security – a fairly unique challenge that may not be unique for long, and which CyberSmart really worked with us on.

How is security important to your organisation?

As a law firm, we’re obviously incredibly risk averse. Therefore, security has always been important to our company and is something we actively wanted to get better at. Unlike a lot of businesses, most of the people we work with are freelancers, though we have some employed staff. So, we wanted to ensure that we had that extra layer of protection, particularly as they all use their own devices.

How did you discover CyberSmart and why did you select it as your solution?

I’m on a COO network with a lot of fast growth tech companies, which has been a fantastic network for me and for a lot of the COOs on it too. That is how we heard about CyberSmart. There was a lot of discussion around GDPR at the time. The guys at CyberSmart came in and did a presentation for us. As is typical in our industry, we are fairly slow to update on tech, but we just really liked the way CyberSmart did things and how they talked about their product. Because we’ve got a fairly unique setup, it was really important for us to up our game on cybersecurity: they were just really good and helpful for us in what otherwise could have been a bit of a painful process.

Which of CyberSmart’s capabilities are most valuable to you and why?

Just that extra layer of security for our remote workforce. Our model was always flexible, but the CyberSmart guys have really enabled us to embed security into this flexibility. When I used to travel on the tube and log in at the stations to check my emails, there was always that worry that I wasn’t secure. Now I know that I’ve got the level of security that I can have, or that I need to have, to protect myself. You hear about hacking, but you don’t really worry about it until something bad happens – now we don’t have to.


It has helped us up our game. With less tech-savvy people, you’re never sure what is or is not okay. We might think we’re secure and actually not be. CyberSmart has eliminated this ambiguity for us.

I’m working from a MacBook; some people are working from old PCs… everybody’s on different devices, including iPhones. Regardless, the guys at CyberSmart have all our bases covered. We have some IT support now, but we didn’t when we first started this journey and they were there every step of the way to help us implement it. In order to get the Cyber Essentials certification, we had to pass an important questionnaire.

This required us to put in place a fairly complex policy that explained to our people what they had to do or stop doing. For example, they could not log into their devices from a coffee shop without a secure connection. But then we brought in a VPN, which helped to resolve that issue and the team at CyberSmart worked with us to make sure we were doing all the right stuff along the way.

What kind of cost savings or benefit have you found from increased security?

It was important for us to do better with our cybersecurity, so whilst it is an investment, the cost is reasonable for a business of our size and nature. We liked what CyberSmart offered and how they conducted themselves; the fact that they came recommended from another business we knew was also very reassuring.

What advice can you give someone seeking security solutions around remote working?

Give CyberSmart a call! They have been a hugely helpful partner and their customer service is outstanding. We have clients who say: “I need somebody who’s got my back on these things” and that’s when you outsource to the right people for the right price; that’s exactly what these guys have done for us.

Learn more about how to secure your remote workforce using CyberSmart Active Protect.

Our Head of Engineering talks managing a global remote-only team

Meet Rob Minford our Head of Engineering at CyberSmart. Even though we’re all working from home these days, Rob’s team has always been fully remote and is scattered across the globe.

In this interview with The Remoter Project, Rob talks about the benefits and challenges of working in a remote hybrid company (with some of us in an office and his distributed engineering team).

The Remoter Project is a venture that showcases the human side of remote working and explores how to successfully build and scale remote teams.

Interested in joining our growing team at CyberSmart? Check out our careers page.

Is your remote team making these security mistakes?

Summer days are here. As people begin to gather in the parks again and shops re-open, it’s beginning to feel like life is going back to normal. But for many of us, that normal won’t include going back to the office.

Consulting company Global Workplace Analytics estimates that after the pandemic, 30 percent of the entire workforce will continue to work from home regularly. Armed with Zoom and our Slack channels, we’ve succeeded in proving that a team doesn’t need to be in an office together everyday to get things done.

But while a new remote world is great news for the weary commuter of 2019, it’s also great news for the cyber criminal. Over the past few months, cyber crime has increased as hackers take advantage of employees who are used to relying on their offices and IT staff to protect them.

It can be hard to convince staff of the importance of digital security. After all, most people outside of IT tend to think of cyber crime as something planned and targeted: a mastermind hacker out to get critical information from the government or cause trouble for a big corporation.

What would they want with my little business? I’m too insignificant to be targeted for cyber crime. This is the wrong way to think about it. Most cyber criminals are just opportunistic. They didn’t choose to rob your house because they knew you had a stash of cash under the bed (or all your passwords on your desktop). They chose it because you left the door open.

Using unsecured networks, not keeping software up to date, reusing passwords: there are a lot of ways to open the door. Luckily, many of these risks follow similar patterns and can be avoided through a few fundamental security practices. The most effective thing businesses can do right now to protect their data, their employees, and their customers is to educate their workforce on what these are and why they are important.

Here are some of the biggest (but pretty simple) mistakes your remote team might be making:

People having access to data they don’t need

According to data by the UK’s Information Commissioner’s Office, employee error continues to be a leading cause of data breaches. They might fall for a phishing attack or just accidentally send an email with a sensitive attachment to the wrong person.

One way to easily reduce the harm caused by data breaches is to only give employees access to information they need to do their job. It might be easier to make a folder on Google Drive accessible to everyone in the company, but it also means you’re opening a lot more doors to that data than you need to.

Unsecured networks

While people can be generally pretty savvy in terms of updating their own machines (laptops etc.), they generally forget about their routers after they set them up at home. When you first get a router, it’s important to log in to change your usernames and passwords (the defaults can be easy for hackers to find online) and to turn on wireless network encryption.

Employees can also use a VPN (Virtual Private Network) to change their IP address, so hackers can’t see the actual location of their device. It could also allow employees to access company information from personal devices. As a business, encourage employees to follow the same protocols you had in your office in terms of accessing company data.

Out of date software and devices

It’s extremely important to keep all hardware up to date – laptops, routers, servers and the increasing number of IoT devices in the home – to protect against things like ransomware attacks. Ransomware attacks are among the fastest growing cyber threats (one report projected that in 2021, companies will fall victim to an attack every 11 seconds). Software patches are released all the time to protect against known vulnerabilities, but they don’t work if the system is outdated. Making sure you are using up-to-date operating systems and that software is running on the latest version is a critical part of cyber hygiene.

Not taking security seriously

Most people outside of IT have been guilty of this at some point. It’s just simpler to have one password for everything! And my wife’s birthday is easy to remember! (most of the time). But these little things can have big consequences, particularly when employees are using personal devices for work. A personal phone that has access to the company Slack channel needs to be just as secure as a PC in the office.

The majority of breaches are made through simple human error. We weren’t paying attention and accidentally sent an email we shouldn’t have. It’s critical that employees know what data in your business is sensitive and the consequences of a breach.

Lack of education

Sometimes data breaches happen because people just don’t know how to see them coming. For example, as phishing scams become increasingly sophisticated, employees need to know how to spot a suspicious email and how to report it.

Recent reports show that employees aren’t big fans of security. 42% of staff state that their company’s security policies (like having to have an IT admin install new software) make it more difficult to do their job. This is why education is so important.

We launched a page specifically designed to offer resources for small businesses who are transitioning to a remote work environment. These include company policies and a security checklist for employees.

The reality is that in this unstable economic environment, businesses are less likely to invest in their cyber security. But cyber security doesn’t have to be expensive or confusing. This kind of basic cyber hygiene can go a long way in preventing the threats we’re seeing increase on a daily basis.

The dream of working from anywhere in the world may finally be materialising for many. Let’s make sure it happens safely.

Show your customers you value their data by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Remote working best practices: what makes a strong password?

Still using the password you conjured up for your first email account in 2002 featuring your favourite footballer? We hope not. Passwords play an absolutely essential role in the security of your company, and weak passwords are some of the easiest ways for hackers to breach your cyber defences through employee accounts.

In this article we’ll be sharing advice on how to avoid this common, but easily avoided, security pitfall.

Minimum password length for systems

For all password-protected systems, your business should try to follow these basic steps when configuring them:

  • The minimum length for a password should be at least 8 characters, drawn from a mix of letters, symbols, and numbers.
  • There should be no maximum password length.
  • The system should not allow the user to set a password that does not meet the minimum length requirements for it.

The requirements mentioned above are simple to understand but can be difficult to implement. It is important to note that these rules need to be established across all password-protected devices and software.

To meet this requirement, you need to consult with your IT manager to ensure that all devices and software (whether third-party or proprietary) enforce the minimum password length.

Enforce a secure password policy

A password policy is used to establish the rules and requirements for setting passwords. Creating a secure password policy for staff helps businesses protect themselves and allows them to meet the password requirements under the government’s Cyber Essentials certification scheme.

The goal of a password policy is to take away the burden of individual users to create solid passwords. However, users should still be made aware of the password policy so that they pick sensible passwords for their email, devices, and other accounts.

Other than the minimum password length requirement mentioned above, your employees should:

  • Avoid obvious passwords that can be easily discovered or guessed such as their name, phone number, birthdays. That goes for your pet’s name too.
  • Not choose common passwords such as ‘abcdefgh’ or ‘12345678’. This can also be enforced through a blacklist that prevents users from setting common passwords.
  • Memorise their passwords instead of recording them whenever possible. Don’t email them to yourself or keep them in your Notes.
  • Not use the same password for different accounts. 45% of Brits have the same password for half of their online accounts. Not great.
  • Use password management software or other secure mechanisms for storing and retrieving passwords.
  • Require the system to:
    • Protect against brute-force password guessing algorithms by locking accounts after a set number of unsuccessful attempts to enter the password.
    • Change default or common passwords to random non-guessable passwords.

If you want to see how long it would take a computer to guess your current passwords, check out HowSecureIsMyPassword.
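The rules above (minimum length with no maximum, a common-password blacklist, no personal details, lockout after repeated failures, and random replacements for default passwords) are concrete enough to encode. The following is an added example written for this article, not CyberSmart’s product code; the function and class names, the five-entry blacklist and the threshold of five attempts are this example’s own assumptions, and the ‘letters, symbols, and numbers’ bullet is read as requiring all three character classes.

```python
"""Password-policy checks and a failed-login lockout (added example; names are assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set
import secrets
import string

MIN_LENGTH = 8  # baseline from the article; no maximum length is enforced anywhere below

# Constructed sample blacklist. A real deployment would load a large list of leaked/common passwords.
COMMON_PASSWORDS: Set[str] = {"abcdefgh", "12345678", "password", "qwerty123", "letmein1"}


def check_password(candidate: str, personal_terms: Sequence[str] = ()) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable.

    personal_terms are details an attacker could look up (name, pet, birthday)
    that must not appear anywhere in the password.
    """
    problems: List[str] = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Deliberately no upper-length check: the policy says there should be no maximum.

    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password blacklist")

    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")

    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must mix letters, numbers and symbols")

    return problems


def generate_password(length: int = 16) -> str:
    """Produce a random replacement for a default or common password using a CSPRNG,
    redrawing until it satisfies check_password (almost always on the first draw)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


@dataclass
class LoginGuard:
    """Locks an account after max_attempts consecutive failures to blunt brute-force guessing."""
    max_attempts: int = 5
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def record_attempt(self, user: str, success: bool) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even a correct
        password until an administrator calls unlock()."""
        if user in self.locked:
            return "locked"
        if success:
            self.failures.pop(user, None)  # a successful login resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Administrative reset after the user has been verified out of band."""
        self.locked.discard(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    # Constructed sample passwords; 'Rex' stands in for a pet's name the user has published online.
    for pw in ("abcdefgh", "Rex2019!", "Ab1!", "Gr33n-Kettle!9"):
        print(f"{pw!r}: {check_password(pw, personal_terms=['Rex']) or 'OK'}")
    print("replacement for a default password:", generate_password())
    guard = LoginGuard(max_attempts=3)
    for _ in range(4):
        print("alice, wrong password ->", guard.record_attempt("alice", success=False))
```

The lockout counter is keyed by account, so it also catches guessing attempts spread across sessions, and the successful-login reset keeps a single typo from accumulating towards a lock. Applying the same checker both when users choose passwords and when an administrator generates replacements for router or device defaults keeps the two paths consistent.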


Ensuring the use of strong passwords is a key step towards becoming digitally secure. 

CyberSmart helps businesses comply with Cyber Essentials by simplifying the process of compliance for them including complying with password regulations. If you would like to learn more about how to implement a password policy for achieving Cyber Essentials, get in touch with us.