Many businesses implement password policies to protect access to cloud storage data. Inexpensive to enforce and easy to understand, password policies can seem appealing to small businesses without much technical expertise.

Yet, how effective is your password policy? Will it keep sensitive data safe? The answer is most likely no.

In a recent survey of cloud storage providers, encryption (60%), employee training (58%), and two-factor authentication (53%) ranked as the top additional security measures that small businesses implement to secure their cloud storage.

Password policies often fall under the category of employee training. However, additional security measures that require little employee involvement, such as encryption and two-factor authentication, are likely a better barrier for protecting your business’s data in the cloud.

How Do Password Policies Fail?

Password policies encourage or mandate employees to create complex and hard-to-guess passwords that usually change on a regular basis.

These policies can be ineffective for a number of reasons:

People Don’t Like to Remember Things

If you’re given a list of groceries, or a phone number to remember, what’s one of the first things you typically do? Write it down.

That’s what many employees will do with their passwords as well. “People will write [the new password] down on a sticky note instead and stick it on their locker,” said Ghazanfar Ghori, CTO of 10Pearls, a software and mobile app development agency.

No matter how complex a password is, its security rapidly decreases if employees leave it out for anyone to find.

People Are Predictable

If your password policy requires regular updates, employees will likely take the easiest route, changing only small parts of a password so that it is still easy to remember.

A 2010 study at the University of North Carolina at Chapel Hill found that people often changed passwords in predictable patterns, called “transformations.” The researchers developed an algorithm that, once it knew any one of a user’s previous passwords, could more easily guess updated passwords.

This shows that if your passwords are compromised and you require employees to update to new ones, hackers may be able to guess those updated passwords as well.

How Should Small Businesses Secure Cloud Storage?

Instead of relying on a password policy, look to security solutions that require minimal employee involvement, leaving little room for error.

Two strong security measures that fit these criteria are encryption and two-factor authentication.

Encryption secures data, in the simplest terms, by scrambling it. Encrypted data will read as a meaningless string of nonsense unless you have the “key” to unscramble it.

You may ask – how does one receive a “key?” What if someone intercepts the encryption key?

One of the most popular variations of encryption uses a public key and a private key for encryption and decryption, respectively. This is known as asymmetric encryption.

A public key can be sent to others and is used to encrypt data. However, each employee has a private key that they should never share. This private key is used to decrypt data. Since the private key isn’t shared, it’s unlikely to be compromised.

“Encryption provides security to data at all times,” said Patrick R., Head of Strategy at Intuz, a mobile app development and cloud solutions company. “Encryption works during data transport or at rest, making it an ideal solution no matter where data is stored or how it is used.”

Two-factor authentication is even simpler to understand. This feature works by requiring users to input information from a third-party source before accessing a service.

For example, you enter your username and password to access your cloud storage. If two-factor authentication is enabled, the cloud storage provider will then send a four-digit code to either your email or phone for you to enter.

This means that even if your password is compromised, a hacker will also need access to your text messages or emails to get to the data. This greatly reduces the likelihood of a security breach.
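The server side of the code step described above, as an added example that is not taken from any provider: a four-digit code only holds up if it expires, works once, and locks after a few wrong guesses. The Challenge class, guess_odds function, five-minute lifetime and three-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 4      # the article's example: a four-digit code
CODE_TTL = 300       # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3     # assumption: the challenge locks after 3 wrong guesses


class Challenge:
    """Server-side state for one login that has already passed the password step."""

    def __init__(self, now=None):
        now = time.time() if now is None else now
        self.expires_at = now + CODE_TTL
        self.attempts_left = MAX_ATTEMPTS
        self.code = None

    def issue(self):
        """Generate the code to deliver by SMS or email (delivery not shown)."""
        # secrets draws from the OS CSPRNG; the random module would be predictable.
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        return self.code

    def verify(self, submitted, now=None):
        """True only for the right code, before expiry, within the attempt limit."""
        now = time.time() if now is None else now
        if self.code is None or now > self.expires_at or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(str(submitted).encode(), self.code.encode())
        if ok:
            self.code = None  # single use: a replayed code is rejected
        return ok


def guess_odds():
    """Chance that blind guessing succeeds before the challenge locks."""
    return MAX_ATTEMPTS / 10 ** CODE_DIGITS
```

With these settings a blind guesser succeeds 3 times in 10,000 per challenge; without the attempt limit, all 10,000 codes could be tried.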

There are much stronger methods for protecting your sensitive data than a simple password policy. Be sure to research your options and ensure you are giving your data the best protection.