How many businesses are just one weak password away from collapse?

Written by Louise Ralston
Aug 1, 2025 - 5 minute read

How one weak password led to a business collapse and why SMEs must prioritise cyber resilience to protect their operations and employees. Discover essential steps for building robust cybersecurity.

One Password, 700 Jobs Lost: Why SMEs Must Rethink Cyber Resilience Now

In 2023, KNP Logistics Group, a 158-year-old UK haulage company, was brought to its knees by a single compromised password. A ransomware attack by the Akira gang encrypted its entire network, froze operations, and demanded a £5 million ransom. With no way to recover, the company folded—700 employees lost their jobs overnight.

This wasn’t a tech failure. It was a failure of resilience.


The Weakest Link: Human Error

KNP had cyber insurance. It had IT infrastructure. But attackers only needed one weak credential to breach the system.

And KNP isn’t alone. The UK’s National Cyber Security Centre (NCSC) now reports a major ransomware attack every day. The common thread? Missed patches. Reused passwords. Poor access control. And a view of cybersecurity as a checkbox exercise, not an operational imperative.

It’s time to move from compliance to resilience.


Resilience Starts With Cyber Hygiene

At Cyber Tec Security, we believe resilience is not a product you buy—it’s a process you build. That process starts with strong foundations, especially when it comes to password security and user authentication.

As of April 2025, the Willow (v3.2) standard for Cyber Essentials has brought modern updates to password guidance. Here’s what it means for you.


Cyber Essentials Password Guidance — Willow-Ready & NCSC-Approved

1. Use Strong, Unique Passwords

  • Require a minimum of 8 characters, ideally 12+

  • Encourage passphrases (e.g. “correct-horse-battery-staple”) or three random words

  • Enforce uniqueness per account — no reuse!

2. Block Brute-Force Attacks

  • Implement account lockouts or rate limiting (e.g. 10 failed attempts in 5 minutes)

  • This is essential even for systems using passwordless login if fallbacks exist

3. Multi-Factor Authentication (MFA)

  • Mandatory for all admin and remote/cloud access accounts

  • Passwordless options like biometric, push notifications, or security keys are now accepted

  • Where passwords exist, combine them with MFA for full coverage

4. Document & Train

  • Maintain a clear password policy

  • Educate your team on common mistakes (e.g. reusing credentials, storing them in browsers)

  • Use password managers or encrypted offline storage options

5. Avoid Expiry Loops

  • NCSC recommends against frequent forced changes — focus on detection, not rotation

  • Only reset passwords after compromise or suspicious activity


A “Cyber MOT” Isn’t Optional Anymore

KNP’s director later called for mandatory cyber “MOTs”—and we agree. One-time audits don’t cut it anymore. Resilience means continuous improvement across three pillars:

1. Certification & Awareness

Start with Cyber Essentials or Cyber Assurance. These frameworks validate your defences, train your staff, and prove accountability to stakeholders.

2. Ongoing Compliance

Run monthly vulnerability assessments and Pen Tests, manage patching, and regularly review access controls and policies.

3. Monitoring & Detection

With SIEM, SOC, and real-time alerts, you'll catch attacks before they escalate.

Cyber Essentials isn’t just a badge—it’s the starting point of a broader cyber maturity strategy.


Cyber Resilience Is a Business Strategy

Whether you’re an SME, MSP, or an enterprise in a regulated sector, cyber threats aren’t slowing down. Attack kits are sold on the dark web. Even helpdesks are being exploited via social engineering.

So, ask yourself:

Would a single compromised password put your business at risk?

For KNP, the answer was yes.

It doesn't have to be that way for you.


Final Thoughts: Don’t Let One Password Bring Down Your Business

Cyber resilience isn’t about fear—it’s about foresight.
It’s about showing your customers, partners, and employees that you're ready for today’s threats and tomorrow’s challenges.

Certification is the first step, not the last.

At Cyber Tec Security, we help businesses like yours build a real cyber roadmap—from first-time certification to monthly testing and managed defence.

Topics: Compliance, Cyber Essentials, Cyber Essentials Plus, Business Security, Cyber Attack, Cyber Security, Assessment, 2MFA, Hack, Assurance, Data Breach, Cyber Resilience

author

More by Louise Ralston

Related articles
Cyber Resilience: A Best Practice Guide for SMEs

Discover essential cyber resilience best practices for SMEs, including insights on the upcoming Cyber Security and Resilience Bill and practical steps to protect your business from cyber threats.

The risks of neglecting cyber resilience

Neglecting cyber resilience can lead to financial losses, reputational damage, and legal repercussions. Learn how to protect your business with a robust cyber resilience strategy.

Here Comes Your Knight in Shinning Armour

UK businesses risk cyber attacks daily. Cyber Essentials & Assurance offer affordable, audited protection before it’s too late.