top of page

Building security from the start

Construction firms know about solid foundations and solid foundations are required within cyber security as well.

Stolen or lost credentials can make a business develop serious cracks, like building on unstable or weak ground.


Just as in the physical world, where keys unlock access to your office building and maybe into secured areas or safes, passwords, in the digital world, have the same purpose, allowing those who have permission to the data they are allowed.


And like the employee who loses their key card and need a replacement, businesses need to have a plan for how they deal with passwords being lost or stolen.


But it’s not as easy as in the physical world.

In the physical world if our keys get stolen and we can’t get into the place we want, it’s obvious, we can’t get in. If our password gets stolen, we still have access everywhere, until a criminal changes that password and locks us out or invites their “friends” to rob the place.


So how do companies know if a password is “lost”?

There are a couple of free services which businesses can sign up for which can give them a heads up if their passwords may have been “misplaced”.

- Haveibeenpwned.com - as well as checking individual emails and telephone numbers against known data breaches, companies can also register their domain names and get notified if they appear in a data breach. This means that you will be able to get the affected password changed, hopefully before a criminal comes knocking.


- NCSC’s Early Warning system – this free service checks data feeds (trusted public, commercial and closed sources) for your domain and IP address, notifying you if anything relevant to your organisation is found.


These should be used as part of your security but you might also want to consider paying a commercial company to actively look for your data on forums, this is commonly known as dark web monitoring. If you are interested in exploring this, some of our Trusted Partners offer this as a service and would be happy to speak to you about it. Contact us today and we can put you in touch.


What else should you be doing?

- Implement 2FA wherever available. That way even if a password is lost, hopefully no one can just use that information. Criminals are now phishing for these credentials as well, so you still need to make it difficult for them to get a password in the first place.

- Staff awareness training – if you teach your staff to protect themselves, they will also be better prepared to protect your business. And it’s not only about that phishing email, what about the physical security of the business? Could someone drop a USB or even send you a USB loaded with malware? Weak, reused passwords are a massive risk to a business but luckily are easy to fix, especially if you give your staff access to password managers.

- Join the ECRC - our free business community provides a “little steps” email series designed to introduce you to the key concepts of cyber resilience along with practical implementation. We also provide guidance to free tools and access to our affordable services when you are ready to move past the fundamentals.

Policing led - Business focused

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page