
The new version introduces customizable notifications with flexible delivery options, enhanced event logging descriptions, expanded CLI functionality, server-side PIN code storage for the browser extension, and the ability to enable client-side encryption during initial Passwork configuration.
Notification settings
We've added a dedicated notification settings section where you can choose notification types and delivery methods: in-app or via email.

Access notification settings in the Notifications section under Account in the settings menu.
Notification settings include two tabs:
- Personal — notifications about your authentication events and actions of other users that affect your account
- Activity log — notifications about selected events from the activity log. Notifications for events related to vaults, passwords, and tags are available for vaults with "Read" access level or higher.
Notification delivery methods
For each event, you can independently choose how to receive notifications or disable them entirely.
Use the checkboxes in the two columns to the right of the event name:
- Bell icon — in-app notifications in the Passwork interface
- Envelope icon — email notifications to your specified address

Select the desired checkboxes. Settings apply independently for each event type.
Zero knowledge mode
Added an option to enable client-side encryption (Zero knowledge mode) in the setup wizard during initial Passwork configuration.

Zero knowledge mode encrypts all data on the client side, making decryption impossible even if the server is compromised. Each user has their own master password that is never transmitted to the server.
PIN code in browser extension
The extension PIN code is now stored encrypted on the server. Every action involving it is recorded in the Activity log. In role settings, you can define an inactivity period after which the extension will require PIN code re-entry.

How it works
Actions on first extension login:
- User authenticates in the extension
- If PIN code is mandatory for the user's role — a prompt to create one appears
- If PIN code is optional — the user can enable it voluntarily for additional protection
After successful login, a temporary access window opens — the user works with the extension without re-entering the PIN code. Window duration depends on role settings and personal preferences. The PIN code is requested again if the user hasn't performed any actions in the extension during the set time period.
Security
The PIN code is stored encrypted on the server. Even if someone gains access to a user's session token, they cannot open passwords in the extension without the PIN code.
Passwork automatically terminates all sessions when:
- PIN code is reset
- Three failed entry attempts occur
- Mandatory PIN code is enabled for the user's role
- User's role is changed to one where PIN code is mandatory
Improvements
- Added a confirmation modal window for changing role to Owner and restricted the ability to assign this role to users
- Added pagination and change indicators in the hidden vaults modal window
- Added error information and the update and get commands to the CLI utility (details in the documentation)
- Added the ability to retrieve current TOTP codes via CLI: the command now returns a one-time code instead of the original key
- Improved security dashboard analysis: entries with an empty Password field no longer fall into the Weak category and are not evaluated for complexity
- Added an option to limit link validity to one day
- Improved display of long names and logins in User management
- Improved display of inactive items in dropdown menus
- Improved event descriptions in Activity log
- Improved data import with large numbers of folders
- Improved localization
Bug fixes
- Fixed an issue where folders were not created during CSV import, causing passwords to import directly to the root directory
- Fixed automatic launch of background tasks for loading groups, users, and LDAP sync when saving changes on the Groups and Synchronization tabs, and when starting manual sync in LDAP settings
- Fixed display of pagination items when changing the sidebar width
- Fixed an issue where pagination in User management could stop working after using the search bar
- Fixed import window freezing when uploading files with large amounts of data and when importing vaults containing only folders
- Fixed an issue in export where not all passwords could be exported after selecting all directories with the checkbox
- Fixed an issue when bulk deleting large numbers of folders from the Bin
- Fixed issues when moving columns: overlapping and extending beyond the visible area
- Fixed filtering by invite creator: now it is possible to sequentially select different users without resetting the filter
- Fixed an issue where checkboxes in access modals were not reset after canceling changes
- Fixed an issue where a vault connection request appeared when connecting a user without access (version with client-side encryption)
- Fixed an issue where copy and move folder to another vault options were unavailable if folder access was granted through a group without access to the root directory
- Fixed an issue where the Move option remained available for folders in directories with "Full access" rights
- Fixed an issue where the active tab reset to Users after refreshing the User management page
- Fixed an issue in JSON import with structure preservation where passwords from folders could move to the root directory
- Fixed KeePass XML import issues when the <UUID> tag is missing and custom fields transfer incorrectly
- Fixed an issue where the first password edition was not saved after migration from version 6.x.x
- Fixed an issue where attachments stopped downloading from links after preparing for migration in version 5.4.2, with the problem persisting after updating to version 7.x.x
- Fixed an issue where links in the access window stopped displaying for some vaults and passwords after updating to version 7.x.x
- Fixed an issue in migration from version 6.x.x where user IDs displayed instead of user names in notifications
- Fixed user manual links: they now open in a new tab and lead to correct pages
- Fixed an issue where favicon failed to display correctly when changing the URL to a site with an unavailable favicon
- Fixed an issue where selected items remained highlighted after copying folders by drag-and-drop
- Fixed the display of the default role in user creation and confirmation windows
- Fixed an issue where the TOTP code would only update after reopening the password card when the key was changed
Other changes
- Changed default values for "Access to vault actions" section in Vaults settings
- Hidden the "Password sent to group" item from the actions filter in Activity log (version with client-side encryption)
- Hidden the Edit menu item in the password send window for users without the appropriate access rights
- Hidden the "Connect mobile device" menu item for users who have mobile app usage restricted by their role settings
Further reading
Passwork 7.2 release
Table of contents
- Introduction
- Quick takeaways
- SMB cybersecurity: 2025 snapshot
- NIST cybersecurity framework
- GOVERN: Establish your cybersecurity foundation
- IDENTIFY: Know what you need to protect
- PROTECT: Implement your core defenses
- DETECT: Monitor for suspicious activity
- RESPOND: Plan for a security incident
- RECOVER: Ensure business continuity
- Frequently Asked Questions
- Conclusion
Introduction
60% of small businesses that suffer a cyberattack shut down within six months. That is a reality documented by the U.S. Securities and Exchange Commission.
Small and medium-sized businesses have become prime targets for cybercriminals. The reason? These organizations hold valuable customer data, financial records, and intellectual property, yet they often lack the dedicated security teams and enterprise-grade defenses of larger corporations.
But here's the good news: you don't need a Fortune 500 budget to build robust defenses. What you need is a systematic approach, starting with the fundamentals and building from there.
This guide provides a comprehensive, step-by-step cybersecurity checklist based on the National Institute of Standards and Technology (NIST) framework — the same standard used by government agencies and major corporations. We'll walk you through everything from securing passwords and training employees to creating an incident response plan, with a focus on practical solutions that actually work.
Quick takeaways
The 7 most critical actions to protect your business:
- Enable multi-factor authentication (MFA) on all business accounts and systems
- Train your team quarterly on phishing recognition and security best practices
- Implement the 3-2-1 backup rule and test your backups monthly
- Create an incident response plan before you need it
- Conduct a risk assessment to identify your most valuable assets and biggest vulnerabilities
- Deploy a password manager to eliminate weak and reused passwords across your organization
- Keep all software patched and updated with automatic updates wherever possible
SMB cybersecurity: 2025 snapshot
SMBs are prime targets
46% of all cyber breaches impact businesses with fewer than 1,000 employees, and 43% of SMBs faced at least one cyber attack in the past 12 months (October 2025). These statistics represent real businesses, many of which never recovered.
Cybercriminals target small businesses because they’re often the path of least resistance. These organizations have valuable data but typically lack dedicated security staff, making them an attractive target with a high probability of success.
Financial impact
The average cost of a data breach for a small business ranges from $120,000 to $1.24 million, according to research from Verizon. IBM's 2025 Cost of a Data Breach Report places the global average even higher at $4.44 million.
But the financial damage extends beyond immediate costs. Factor in lost business, damaged reputation, legal fees, regulatory fines, and the operational disruption of recovering from an attack, and the true cost becomes existential for many small businesses.
Top threats in 2025
Ransomware: Ransomware remains the most damaging attack type for small and medium-sized businesses. In 2025, 88% of all SMB breaches involved ransomware attacks, significantly exceeding the 39% rate seen in larger enterprises. 47% of small businesses (with annual revenue under $10 million) were hit by ransomware in the last year, with 75% of SMBs stating they could not continue operating if successfully attacked.
Phishing and social engineering: Deceptive emails and messages designed to trick employees into revealing credentials or transferring money. 95% of breaches involve human error, making this the most common attack vector.
Business Email Compromise (BEC): Sophisticated scams where attackers impersonate executives or vendors to authorize fraudulent wire transfers. The FBI reported BEC losses of $2.77 billion in 2024 across 21,442 complaints.
NIST cybersecurity framework
Rather than approaching security in an ad hoc manner, this guide follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework — a structured, systematic approach used by organizations worldwide.
The framework consists of six core functions:
- GOVERN: Establish policies, assign responsibilities, and understand your risk landscape
- IDENTIFY: Know what assets you need to protect and where your vulnerabilities lie
- PROTECT: Implement safeguards to ensure delivery of critical services
- DETECT: Develop capabilities to identify cybersecurity events quickly
- RESPOND: Take action when a security incident is detected
- RECOVER: Restore capabilities and services impaired by an incident
This systematic approach ensures you're not just implementing random security measures, but building a comprehensive defense strategy that addresses all aspects of cybersecurity.
GOVERN: Establish your cybersecurity foundation
Step 1. Create a cybersecurity policy
A cybersecurity policy is your organization's rulebook for security. It defines acceptable behavior, establishes standards, and sets clear expectations for everyone in your company.
Your policy should cover:
- Acceptable use: What employees can and cannot do with company devices, networks, and data. This includes guidelines on personal use of company equipment, prohibited websites, and acceptable software installations.
- Password policy: Requirements for password strength, uniqueness, and management. Specify that employees must use unique passwords for each account, never share credentials, and store passwords only in approved password managers.
- Data handling: How to classify, store, share, and dispose of different types of company and customer data. Define what constitutes confidential information and how it should be protected.
- Incident reporting: Clear procedures for reporting suspected security incidents, including who to contact and what information to provide.
Step 2. Conduct a risk assessment
A risk assessment helps you identify your most valuable assets and your biggest vulnerabilities so you can prioritize your security investments.
Start by asking:
- What data would be most damaging if stolen or destroyed? (Customer records, financial data, intellectual property, employee information)
- Which systems are critical to daily operations? (Email, CRM, payment processing, file servers)
- What are our biggest vulnerabilities? (Outdated software, lack of MFA, untrained employees, poor backup procedures)
- What would be the business impact of various incidents? (Ransomware, data breach, extended downtime)
Step 3. Address compliance requirements
Depending on your industry and location, you may have legal obligations for data protection:
- GDPR (General Data Protection Regulation): If you handle data of EU residents, you must comply with strict data protection and privacy requirements, including breach notification within 72 hours.
- HIPAA (Health Insurance Portability and Accountability Act): Healthcare providers and their business associates must protect patient health information with specific technical, physical, and administrative safeguards.
- PCI DSS (Payment Card Industry Data Security Standard): If you accept credit card payments, you must comply with PCI DSS requirements for protecting cardholder data.
- SOX (Sarbanes-Oxley Act): Publicly traded companies must implement controls to ensure the accuracy and security of financial data, including IT systems that store or process financial information.
Step 4. Consider cyber insurance
Cyber insurance can help cover the costs of a breach, including forensic investigation, legal fees, customer notification, credit monitoring services, and business interruption losses.
However, insurance isn't a substitute for good security practices. Insurers increasingly require evidence of basic security controls, like MFA, employee training, and regular backups before issuing coverage. Premiums have also risen significantly, with some businesses seeing increases of 50-100% in recent years.
IDENTIFY: Know what you need to protect
Step 5. Inventory your hardware and software
Create and maintain an inventory of all devices and applications connected to your network:
- Hardware: Computers, laptops, servers, mobile devices, routers, switches, printers, IoT devices
- Software: Operating systems, business applications, cloud services, browser extensions
Include details like device owner, operating system version, software version, and last update date. This inventory serves multiple purposes: identifying outdated or unsupported systems, tracking devices when employees leave, and understanding your attack surface.
Step 6. Classify your data
Not all data requires the same level of protection. Classify your data into categories to prioritize security efforts:
- Public: Information intended for public consumption (marketing materials, published content)
- Internal: Information for internal use that wouldn't cause significant harm if disclosed (internal memos, general business documents)
- Confidential: Sensitive information that could cause significant harm if disclosed (customer data, financial records, employee information, trade secrets, intellectual property)
- Restricted: Highly sensitive information subject to regulatory requirements (payment card data, health records, personally identifiable information)
PROTECT: Implement your core defenses
Step 7. Secure your passwords
Weak and compromised credentials are the leading cause of data breaches. 86% of breaches involved stolen or compromised credentials, according to Verizon's 2024 Data Breach Investigations Report.
The problem is simple: humans are terrible at creating and remembering strong, unique passwords. The average person has 100+ online accounts but uses the same handful of passwords across many of them. When one site is breached, attackers use those credentials to access other accounts — a technique called credential stuffing.
The solution: Password managers
A password manager is the single most impactful security tool you can deploy. It generates strong, unique passwords for every account, stores them in an encrypted vault, and automatically fills them when needed.
For businesses, a password manager like Passwork provides:
- Centralized password management: Store all company credentials in a secure, encrypted vault accessible only to authorized team members.
- Password generation: Create cryptographically strong passwords of 15+ characters with mixed case, numbers, and symbols — passwords that are virtually impossible to crack through brute force.
- Secure sharing: Share credentials with team members without exposing the actual password. When an employee leaves, revoke access instantly without changing dozens of passwords.
- Security dashboard: Identify weak, reused, or compromised passwords across your organization. Passwork's Security Dashboard provides visibility into your password hygiene and helps prioritize remediation efforts.
- Audit trail: Track who accessed which credentials and when, providing accountability and helping investigate potential security incidents.
Even with a password manager, establish minimum standards:
- Minimum 15 characters (longer is always better)
- Unique for every account (never reuse passwords)
- Randomly generated (no dictionary words, personal information, or predictable patterns)
- Stored only in the password manager (never in browsers, spreadsheets, or sticky notes)
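A small credential audit in the spirit of the security-dashboard checks described above, written as an added example for this guide rather than Passwork's own code. It scores each stored password against the four minimum standards, flags reuse across accounts, skips empty entries instead of calling them weak, and generates a compliant replacement with the OS CSPRNG. The vault contents and the list of predictable fragments are constructed; a real audit would check against a breached-password list.

```python
import math
import secrets
import string
from collections import defaultdict

# Minimum standards from the checklist above.
MIN_LENGTH = 15
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
# Constructed stand-in for a dictionary / breached-password list.
COMMON_FRAGMENTS = ("password", "welcome", "summer", "admin", "qwerty", "123456")


def present_classes(pw):
    """Return the names of the character classes actually used in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def entropy_bits(pw):
    """Upper-bound entropy, assuming every character was drawn uniformly from
    the union of the classes present (only meaningful for random passwords)."""
    if not pw:
        return 0.0
    pool = sum(len(CLASSES[name]) for name in present_classes(pw))
    return len(pw) * math.log2(pool)


def weaknesses(pw):
    """List the standards one password fails; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CLASSES) - present_classes(pw)
    if missing:
        problems.append("missing classes: " + ", ".join(sorted(missing)))
    lowered = pw.lower()
    if any(frag in lowered for frag in COMMON_FRAGMENTS):
        problems.append("contains a dictionary word or predictable fragment")
    return problems


def audit(credentials):
    """credentials: list of (account, password) pairs.
    Returns {account: {"status", "problems", "entropy_bits"}} where status is
    'empty', 'weak', 'reused' or 'ok'. Empty passwords are reported but not
    scored for complexity, as the release notes describe for the dashboard."""
    by_password = defaultdict(list)
    for account, pw in credentials:
        if pw:
            by_password[pw].append(account)
    report = {}
    for account, pw in credentials:
        if not pw:
            report[account] = {"status": "empty", "problems": [], "entropy_bits": 0.0}
            continue
        problems = weaknesses(pw)
        if len(by_password[pw]) > 1:
            others = [a for a in by_password[pw] if a != account]
            problems.append("reused on: " + ", ".join(others))
            status = "reused"
        else:
            status = "weak" if problems else "ok"
        report[account] = {"status": status, "problems": problems,
                           "entropy_bits": round(entropy_bits(pw), 1)}
    return report


def generate_password(length=20):
    """Generate a random password that satisfies every standard above,
    using the secrets module (OS CSPRNG) rather than random."""
    alphabet = "".join("".join(sorted(chars)) for chars in CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample vault contents.
    sample = [
        ("crm-admin", "Summer2024!"),
        ("mail-shared", "Tr3e-Lamp-9Quartz#Vx"),
        ("bank-portal", "Tr3e-Lamp-9Quartz#Vx"),
        ("printer-web", ""),
        ("vpn-gateway", "n8$Kq2!vR7mZp4@WsL1x"),
    ]
    for account, result in audit(sample).items():
        print(f"{account:12} {result['status']:7} {'; '.join(result['problems'])}")
    print("suggested replacement:", generate_password())
```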
Step 8. Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication requires two or more verification methods to access an account: something you know (password), something you have (phone or security key), or something you are (fingerprint or face).
Enable MFA immediately on:
- Email accounts (your email is the key to resetting all other passwords)
- Financial and banking systems
- Cloud storage and file sharing
- Administrative and privileged accounts
- Any system containing sensitive data
Step 9. Train your employees
Technology alone cannot protect your business. 95% of breaches involve human error — an employee clicking a phishing link, falling for a social engineering scam, or misconfiguring a system.
Training program structure:
- Onboarding training: All new employees should complete security awareness training within their first week. Cover the basics: password security, phishing recognition, physical security, acceptable use policy, and incident reporting.
- Annual refresher training: Security threats evolve. Conduct comprehensive refresher training at least annually to cover new threats, reinforce fundamentals, and update employees on policy changes.
- Phishing simulations: Send simulated phishing emails quarterly to test employee awareness and identify individuals who need additional training. This provides measurable data on your organization's security posture and keeps security top-of-mind.
- Targeted training: When employees fall for simulated phishing or make security mistakes, provide immediate, constructive training rather than punishment. The goal is learning, not blame.
Key topics to cover:
- Phishing recognition: How to identify suspicious emails, including checking sender addresses, hovering over links before clicking, watching for urgency and fear tactics, and verifying requests through alternative channels.
- Social engineering: Tactics attackers use to manipulate people into divulging information or taking actions, including pretexting, baiting, and tailgating.
- Password security: The importance of unique passwords, using the company password manager, never sharing credentials, and reporting suspected compromises.
- Physical security: Locking screens when away from desks, securing mobile devices, proper disposal of sensitive documents, and challenging unknown individuals in the office.
- Incident reporting: How to report suspected security incidents, who to contact, and the importance of reporting quickly even if unsure.
Step 10. Secure your network
Your network is the foundation of your digital infrastructure. Securing it prevents unauthorized access and protects data in transit.
Firewall: A firewall acts as a barrier between your internal network and the internet, blocking unauthorized access while allowing legitimate traffic. Modern firewalls provide additional features like intrusion prevention, application control, and threat intelligence integration.
Ensure your firewall is:
- Properly configured with rules that follow the principle of least privilege
- Regularly updated with the latest firmware
- Monitored for suspicious activity
Wi-Fi security: Wireless networks are convenient but create additional security risks.
- Use WPA3 encryption (or WPA2 if WPA3 isn't available)
- Change the default administrator password on your router
- Disable WPS (Wi-Fi Protected Setup)
- Hide your SSID if appropriate for your environment
- Create a separate guest network isolated from your business network
VPN (Virtual Private Network): With remote work now standard, VPNs are essential. A VPN encrypts all internet traffic between remote employees and your business network, protecting sensitive data from interception.
Step 11. Protect your endpoints
Endpoints (computers, laptops, mobile devices) are where employees interact with your systems and data. They're also common entry points for malware and other threats.
Antivirus and Endpoint Detection and Response (EDR): Traditional antivirus is no longer sufficient. Modern threats require more sophisticated detection capabilities.
EDR solutions go beyond signature-based detection to identify suspicious behavior, contain threats automatically, and provide detailed forensics for investigation. While enterprise EDR can be expensive, several vendors now offer affordable solutions designed for small businesses.
At minimum, ensure every device has:
- Modern antivirus/anti-malware software
- Real-time scanning enabled
- Automatic updates configured
- Regular full system scans scheduled
Patch management: 60% of breaches involve unpatched vulnerabilities. Attackers actively scan for systems running outdated software with known vulnerabilities.
Implement a patch management process:
- Enable automatic updates for operating systems and applications wherever possible
- Prioritize critical security patches (apply within 48 hours of release)
- Test patches in a non-production environment if possible, but don't let testing delay critical security updates
- Maintain an inventory of all software to track patch status
- Pay special attention to internet-facing systems and applications
Mobile Device Management (MDM): If employees use mobile devices for work, implement MDM to enforce security policies, encrypt data, enable remote wipe capabilities, and ensure devices stay updated.
Step 12. Back up your data
The 3-2-1 Backup Rule:
- 3 copies of your data (the original plus two backups)
- 2 different media types (e.g., local disk and cloud storage)
- 1 copy offsite (protected from physical disasters like fire or flood)
What to back up:
- All business-critical data and databases
- Email systems and archives
- Financial records and customer data
- Configuration files and system images
- Intellectual property and work product
Backup frequency:
- Critical systems: Daily or continuous
- Important data: Daily
- Less critical data: Weekly
Retention period: Keep multiple versions spanning at least 30 days. This protects against ransomware that remains dormant before activating, ensuring you have clean backups from before the infection.
Immutable backups: Configure backups to be immutable (cannot be modified or deleted) for a specified period. This prevents ransomware from encrypting your backups along with your production data.
Test your backups: Untested backups are just expensive storage. Conduct restoration tests quarterly to verify:
- Backups are completing successfully
- Data can be restored within acceptable timeframes
- Restored data is complete and usable
- Restoration procedures are documented and understood
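The 3-2-1 rule, the 30-day retention, immutability and the quarterly restore test above can be checked mechanically against an inventory of backup copies. The script below is an added example written for this guide, not a Passwork feature; the copy descriptions are constructed, and the per-tier maximum age follows the backup-frequency table (daily for critical and important data, weekly for the rest).

```python
from datetime import date, timedelta

RETENTION_DAYS = 30       # versions must span at least 30 days
RESTORE_TEST_DAYS = 90    # restore tests are quarterly
MAX_AGE = {"critical": 1, "important": 1, "less-critical": 7}  # days since the newest snapshot


def audit_backups(copies, today, tier="critical"):
    """copies: list of dicts, one per backup copy of a single data set:
         media             - e.g. 'local-disk', 'cloud', 'tape'
         offsite           - True if kept away from the primary site
         immutable         - True if it cannot be altered or deleted during retention
         snapshots         - list of date objects, one per retained version
         last_restore_test - date of the last successful restore, or None
    The production data itself is copy number one, so two backup copies are needed.
    Returns a list of findings; an empty list means every rule passes."""
    findings = []
    if len(copies) < 2:
        findings.append("fewer than 3 copies (original + 2 backups)")
    if len({c["media"] for c in copies}) < 2:
        findings.append("backups are not on 2 different media types")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable copy; ransomware could encrypt backups too")
    for c in copies:
        label = c["media"] + (" (offsite)" if c["offsite"] else "")
        snaps = sorted(c["snapshots"])
        if not snaps:
            findings.append(f"{label}: no snapshots at all")
            continue
        age = (today - snaps[-1]).days
        if age > MAX_AGE[tier]:
            findings.append(f"{label}: newest snapshot is {age} days old")
        span = (snaps[-1] - snaps[0]).days
        if span < RETENTION_DAYS:
            findings.append(f"{label}: versions span only {span} days, need {RETENTION_DAYS}")
        test = c["last_restore_test"]
        if test is None or (today - test).days > RESTORE_TEST_DAYS:
            findings.append(f"{label}: no successful restore test in the last {RESTORE_TEST_DAYS} days")
    return findings


def daily_snapshots(newest, count):
    """Constructed helper: one snapshot per day, ending on `newest`."""
    return [newest - timedelta(days=i) for i in range(count)]


# Constructed inventory: a healthy local copy and a neglected cloud copy.
SAMPLE_DAY = date(2025, 11, 3)


def sample_copies():
    return [
        {"media": "local-disk", "offsite": False, "immutable": False,
         "snapshots": daily_snapshots(SAMPLE_DAY, 45),
         "last_restore_test": date(2025, 9, 20)},
        {"media": "cloud", "offsite": True, "immutable": True,
         "snapshots": daily_snapshots(SAMPLE_DAY - timedelta(days=3), 20),
         "last_restore_test": None},
    ]


if __name__ == "__main__":
    for finding in audit_backups(sample_copies(), SAMPLE_DAY):
        print("-", finding)
```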
Step 13. Control access to data
Not everyone needs access to everything. The Principle of Least Privilege states that users should have only the minimum access necessary to perform their job functions.
Role-Based Access Control (RBAC): Define roles based on job functions and assign permissions to roles rather than individuals. When someone changes positions, you simply change their role assignment rather than adjusting dozens of individual permissions.
Regular access reviews: Conduct quarterly reviews of who has access to what. Remove access for departed employees immediately, adjust access for employees who changed roles, and revoke unnecessary permissions.
Privileged account management: Administrative accounts have extensive system access and are prime targets for attackers.
- Limit the number of users with administrative privileges
- Use separate accounts for administrative tasks (never use admin accounts for daily work)
- Require MFA for all privileged accounts
- Log and monitor all privileged account activity
- Implement just-in-time access that grants elevated privileges only when needed and automatically revokes them after a specified period
Shared account elimination: Eliminate shared accounts wherever possible. Every user should have their own credentials for accountability and audit purposes. When shared accounts are unavoidable (legacy systems), use a password manager like Passwork to control access and maintain an audit trail of who accessed the credentials and when.
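The role-based model, quarterly access review and just-in-time elevation described above, as an added example for this guide (not Passwork's access model): permissions attach to roles, users hold roles, elevated permissions expire on their own, and the review flags an admin role shared with daily-work roles and lingering expired grants. Roles, users and the admin-count limit are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_ADMINS = 2   # assumption: standing admin accounts a small business tolerates


class AccessModel:
    """Toy RBAC model with just-in-time grants (constructed for this example)."""

    def __init__(self):
        self.role_perms = {}    # role -> set(permission)
        self.user_roles = {}    # user -> set(role)
        self.jit_grants = []    # (user, permission, expires_at)
        self.admin_roles = set()

    def define_role(self, role, perms, admin=False):
        self.role_perms[role] = set(perms)
        if admin:
            self.admin_roles.add(role)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def change_role(self, user, new_role):
        # A position change swaps the role instead of editing permissions one by one.
        self.user_roles[user] = {new_role}

    def offboard(self, user):
        # A departed employee loses every standing role and JIT grant at once.
        self.user_roles.pop(user, None)
        self.jit_grants = [g for g in self.jit_grants if g[0] != user]

    def grant_jit(self, user, perm, now, minutes=60):
        # Elevated permission that revokes itself after `minutes`.
        self.jit_grants.append((user, perm, now + timedelta(minutes=minutes)))

    def has_permission(self, user, perm, now):
        standing = any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))
        temporary = any(u == user and p == perm and now < exp
                        for u, p, exp in self.jit_grants)
        return standing or temporary

    def access_review(self, now):
        """Findings a quarterly access review should raise."""
        findings = []
        admins = [u for u, roles in self.user_roles.items() if roles & self.admin_roles]
        if len(admins) > MAX_ADMINS:
            findings.append(f"{len(admins)} standing admin accounts, limit is {MAX_ADMINS}")
        for u in admins:
            if self.user_roles[u] - self.admin_roles:
                findings.append(f"{u}: admin account also holds daily-work roles; split it")
        for u, p, exp in self.jit_grants:
            if now >= exp:
                findings.append(f"{u}: expired JIT grant for {p} still on record")
        return findings


NOW = datetime(2025, 11, 3, 10, 0)   # constructed reference time


def sample_model():
    m = AccessModel()
    m.define_role("sales", {"crm:read", "crm:write"})
    m.define_role("finance", {"ledger:read", "ledger:write"})
    m.define_role("sysadmin", {"server:admin", "ldap:admin"}, admin=True)
    m.assign("alice", "sales")
    m.assign("bob", "finance")
    m.assign("bob", "sysadmin")          # one account for daily work and admin tasks
    m.assign("carol-admin", "sysadmin")  # dedicated admin account, as recommended
    return m


if __name__ == "__main__":
    m = sample_model()
    m.grant_jit("alice", "ledger:read", NOW, minutes=30)
    print("alice ledger:read at 10:20:", m.has_permission("alice", "ledger:read", NOW.replace(minute=20)))
    print("alice ledger:read at 11:00:", m.has_permission("alice", "ledger:read", NOW.replace(hour=11)))
    for finding in m.access_review(NOW.replace(hour=11)):
        print("-", finding)
```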
DETECT: Monitor for suspicious activity
Assume that determined attackers will eventually find a way in. Your goal is to detect and respond before they can cause significant damage.
Step 14. Monitor your systems
Implement logging and monitoring for:
- Failed login attempts: Multiple failed logins may indicate a brute-force attack or compromised credentials.
- Unusual access patterns: Logins from unexpected locations, access to unusual resources, or activity outside normal business hours.
- System changes: New user accounts, permission changes, software installations, or configuration modifications.
- Network traffic anomalies: Unusual outbound traffic, connections to suspicious IP addresses, or large data transfers.
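The first two monitoring items above (failed logins and unusual access patterns) can be checked with a few lines of detection logic. The script below is an added example for this guide, not a Passwork component: it reads constructed authentication log lines, raises an alert when one source address produces five failures within ten minutes, flags successful logins outside assumed business hours (08:00 to 17:59 UTC), and flags a success that follows a failure burst from the same source. Thresholds, the log format and the addresses (documentation ranges) are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: "<ISO timestamp> user=<name> src=<ip> result=OK|FAIL"
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
FAIL_THRESHOLD = 5                  # failures from one source ...
WINDOW = timedelta(minutes=10)      # ... within this sliding window
BUSINESS_HOURS = range(8, 18)       # assumption: 08:00-17:59 UTC


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect(lines):
    """Run the three detections over log lines in order; return alert strings."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    burst_sources = set()               # sources already flagged for a burst
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                    # malformed lines are skipped, not fatal
        q = recent_fails[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()                 # slide the window forward
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == FAIL_THRESHOLD:
                burst_sources.add(ev["src"])
                alerts.append(f"brute-force: {FAIL_THRESHOLD} failures from {ev['src']} "
                              f"within {WINDOW.seconds // 60} min")
        else:
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(f"off-hours login: {ev['user']} from {ev['src']} "
                              f"at {ev['ts'].strftime('%H:%M')} UTC")
            if ev["src"] in burst_sources and q:
                alerts.append(f"success after failure burst: {ev['user']} from {ev['src']} "
                              f"(possible compromised credentials)")
    return alerts


# Constructed sample log: a password-spraying burst at night, then normal daytime use.
SAMPLE_LOG = [
    "2025-11-03T02:14:01Z user=alice src=203.0.113.7 result=FAIL",
    "2025-11-03T02:14:03Z user=alice src=203.0.113.7 result=FAIL",
    "2025-11-03T02:14:05Z user=bob src=203.0.113.7 result=FAIL",
    "2025-11-03T02:14:08Z user=carol src=203.0.113.7 result=FAIL",
    "2025-11-03T02:14:11Z user=dave src=203.0.113.7 result=FAIL",
    "2025-11-03T02:14:20Z user=dave src=203.0.113.7 result=OK",
    "2025-11-03T09:02:44Z user=erin src=198.51.100.23 result=OK",
    "2025-11-03T09:05:10Z user=erin src=198.51.100.23 result=FAIL",
    "2025-11-03T09:05:30Z user=erin src=198.51.100.23 result=OK",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

A single mistyped password, like erin's, produces no alert; only the burst and what follows it do.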
For small businesses without dedicated security staff, consider:
- Security Information and Event Management (SIEM): Cloud-based SIEM solutions designed for SMBs can aggregate logs, identify anomalies, and alert you to potential incidents. Many offer affordable pricing tiers for small businesses.
- Managed Detection and Response (MDR): Outsource monitoring to a security provider who watches your systems 24/7 and alerts you to threats. This provides enterprise-grade detection capabilities at a fraction of the cost of building an internal security operations center.
Step 15. Implement intrusion detection (for advanced SMBs)
As your business grows and your security maturity increases, consider deploying Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).
These systems monitor network traffic for malicious activity and known attack patterns. IDS alerts you to threats, while IPS can automatically block malicious traffic.
RESPOND: Plan for a security incident
Having a plan in place before an incident occurs dramatically reduces response time, limits damage, and improves recovery outcomes. Yet 47% of SMBs lack an incident response plan.
Step 16. Create an Incident Response (IR) plan
An incident response plan is your playbook for handling security incidents. It defines roles, establishes procedures, and ensures everyone knows what to do when an incident occurs.
The 6-step incident response lifecycle:
1. Preparation
- Develop and document your IR plan
- Assemble your IR team and define roles
- Establish communication procedures
- Prepare tools and resources needed for response
- Conduct training and tabletop exercises
2. Detection and analysis
- Identify potential security incidents through monitoring, alerts, or user reports
- Determine if an actual incident has occurred
- Assess the scope, severity, and type of incident
- Document all findings and actions taken
3. Containment
- Short-term containment: Immediately isolate affected systems to prevent spread (disconnect from network, disable compromised accounts)
- Long-term containment: Implement temporary fixes to allow systems to continue operating while preparing for recovery
- Preserve evidence for investigation and potential legal action
4. Eradication
- Remove the threat from your environment (delete malware, close vulnerabilities, remove unauthorized access)
- Identify and address the root cause
- Ensure the threat is completely eliminated before proceeding to recovery
5. Recovery
- Restore systems and data from clean backups
- Verify systems are functioning normally
- Monitor closely for signs of persistent threats
- Gradually return systems to production
6. Lessons learned
- Conduct a post-incident review within two weeks
- Document what happened, what worked, and what didn't
- Update your IR plan based on lessons learned
- Implement improvements to prevent similar incidents
Key components of your IR plan:
Incident classification: Define severity levels (Low, Medium, High, Critical) with clear criteria and corresponding response procedures.
Contact information: Maintain an updated list of internal team members, external partners (IT support, legal counsel, cyber insurance provider, law enforcement), and key vendors.
Communication procedures: Who communicates what to whom? How do you notify customers of a breach? What's your media response strategy?
Legal and regulatory requirements: Understand breach notification requirements for your jurisdiction and industry. Many regulations require notification within specific timeframes (GDPR: 72 hours, many U.S. state laws: 30-60 days).
Evidence preservation: Document procedures for preserving evidence for investigation and potential legal action.
RECOVER: Ensure business continuity
Step 17. Develop a Business Continuity Plan (BCP)
While your incident response plan focuses on the technical response to a security incident, your business continuity plan addresses how your business will continue operating.
Your BCP should address:
- Critical business functions: Identify which business functions are essential and must continue during an incident (e.g., customer service, order processing, payroll).
- Recovery Time Objectives (RTO): How quickly must each system or function be restored? Different systems have different priorities.
- Recovery Point Objectives (RPO): How much data loss is acceptable? This determines your backup frequency.
- Alternative procedures: How will you perform critical functions if primary systems are unavailable? This might include manual processes, alternative systems, or temporary workarounds.
- Communication plan: How will you communicate with employees, customers, vendors, and partners during an extended outage?
- Succession planning: Who makes decisions if key personnel are unavailable?
Step 18. Test your recovery procedures
Plans that aren't tested are just documents. Conduct regular tests of your recovery procedures:
- Tabletop exercises: Gather your team and walk through incident scenarios. Discuss how you would respond, identify gaps in your plan, and clarify roles and responsibilities. Conduct these exercises at least annually.
- Technical tests: Actually restore systems from backups, fail over to alternative systems, and verify that recovery procedures work as documented. Test quarterly for critical systems.
- Full-scale simulations: For mature organizations, conduct realistic simulations that test your entire response and recovery capability. These are resource-intensive but provide invaluable insights.
Frequently Asked Questions
How much should a small business spend on cybersecurity?
Industry guidelines suggest allocating 3-10% of your IT budget to cybersecurity, with the percentage increasing based on your risk profile and industry. For a small business with a $50,000 annual IT budget, this translates to $1,500-$5,000 per year.
However, don't let budget constraints prevent you from implementing basic security. The fundamental controls — password manager, MFA, employee training, and backups — cost less than $5,000 annually for most small businesses and provide the majority of risk reduction.
What is the most common cyber attack on small businesses?
Phishing is the most common attack vector, involved in 85% of breaches according to the Cyber security breaches survey 2025. Phishing attacks trick employees into revealing credentials, downloading malware, or transferring money.
Ransomware is the most damaging attack type for small businesses, with attacks increasing 68% in 2024. The average ransomware payment demanded from small businesses is $200,000, though many organizations pay significantly more when downtime costs are included.
Do I need cyber insurance?
Cyber insurance can be valuable, but it's not a substitute for good security practices. Insurance helps cover costs after a breach, but it doesn't prevent the operational disruption, reputational damage, and customer trust issues that come with an incident.
Consider cyber insurance if:
- You handle sensitive customer data
- You're in a high-risk industry (healthcare, finance, retail)
- You have significant revenue that would be impacted by downtime
- You want to transfer some financial risk
Before purchasing, implement basic security controls. Many insurers now require evidence of MFA, employee training, and regular backups before issuing coverage.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a voluntary framework developed by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. It provides a common language and systematic approach to cybersecurity through six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
The framework is flexible and scalable, making it appropriate for organizations of all sizes, from small businesses to large enterprises and government agencies.
How often should we conduct security training?
At minimum, conduct comprehensive security awareness training annually for all employees. However, best practice includes:
- Initial training during onboarding (within first week)
- Annual comprehensive refresher training
- Quarterly phishing simulations
- Immediate targeted training when employees fail simulations or make security mistakes
- Ad-hoc training when new threats emerge
Security awareness is not a one-time event—it's an ongoing process. Regular reinforcement keeps security top-of-mind and helps employees recognize evolving threats.
What should we do if we're hit by ransomware?
If you suspect a ransomware infection:
- Immediately isolate affected systems from the network
- Do not pay the ransom (payment doesn't guarantee data recovery and funds criminal activity)
- Activate your incident response plan
- Contact law enforcement (FBI, local authorities)
- Notify your cyber insurance provider if you have coverage
- Engage cybersecurity experts to contain the threat and investigate
- Restore from clean backups once the threat is eradicated
This is why having tested backups and an incident response plan is critical — they provide options other than paying the ransom.
How do we know if our current security is adequate?
Conduct a security assessment using the NIST Cybersecurity Framework or the CIS Critical Security Controls as a benchmark. Ask:
- Do we have a password manager and is MFA enabled on all critical systems?
- Do we conduct regular security training and phishing simulations?
- Do we have tested backups following the 3-2-1 rule?
- Do we have an incident response plan?
- Are all systems patched and up-to-date?
- Do we monitor systems for suspicious activity?
- Have we conducted a risk assessment in the past year?
If you answered "no" to any of these questions, you have gaps to address. Consider engaging a third-party security assessor for an objective evaluation of your security posture.
Conclusion
Cybersecurity can feel overwhelming, especially for small businesses without dedicated IT security staff. But the reality is that you don't need enterprise-grade tools or a massive budget to significantly reduce your risk.
What you need is a systematic approach: start with the fundamentals, build from there, and continuously improve. The NIST Cybersecurity Framework provides that structure, guiding you through governance, identification, protection, detection, response, and recovery.
The threats are real, and the statistics are sobering. But so is the opportunity. By implementing the controls outlined in this checklist, you'll be far ahead of most small businesses, and far less attractive to attackers who seek the path of least resistance.
Cybersecurity is an ongoing process of assessment, implementation, monitoring, and improvement. Start today with the highest-impact, lowest-cost controls: deploy a password manager, enable MFA, train your team, and implement robust backups.
Small business cybersecurity checklist for 2025

In the new version, we've improved the migration process from older versions of Passwork, enhanced descriptions in the Activity log, and made minor fixes to the UI and localization.
Improvements
- Added a restriction that blocks users from changing their own authorization type
- Improved migration to Passwork 7 for versions earlier than 5.3
- Improved descriptions for certain events in the Activity log
Bug fixes
- Fixed an issue where it was impossible to move a folder to the Bin via drag-and-drop if the "Access level required to copy folders and passwords" setting was set to "Action forbidden"
- Fixed duplicate "Save settings" button in Vault settings
- Fixed the display of parameter change indicators in Vault settings and User management in Safari browser
- Fixed incorrect redirect to Recents after successful extension authorization
Passwork 7.1.4 release

Table of contents
- What are vault types
- Basic vault types
- Advantages of vault types
- Managing vault types
- Migration from previous versions
- Frequently asked questions
- Basic use cases
- Conclusion: Data control and efficiency
Vault types
Passwork 7.1 introduces a robust vault types architecture, providing enterprise-grade access control for enhanced security and management. Vault types address a key challenge for administrators: controlling data access and delegating vault management across large organizations. Previously, the choice was limited to two types. Now, you can create custom vault types tailored to any task or organizational structure.
For each department or project, you can create a dedicated vault type, assign specific administrators, choose creator permissions, and define who can create vaults of this type.
For example, you can create separate vaults for the IT department, finance, HR, or temporary project teams. Administrators assigned to a specific vault type will be automatically added to all new vaults of this type, ensuring constant control and transparency.
What are vault types
Vault types allow administrators to establish vault templates with predefined access management settings. For each vault type, you can designate specific administrators, configure vault creator permissions, and set rules or restrictions for creating new vaults.
You can organize vaults by department, project, or access level, ensuring that permissions are assigned accurately.
When a vault is created, administrators specified in the vault type settings are automatically granted access. These administrators cannot be removed or demoted, ensuring that key personnel — such as department heads or IT administrators — always retain control over critical data.
Basic vault types
Passwork has two basic vault types: User vaults and Company vaults — they cannot be deleted or renamed:
- User vaults: By default, these are accessible only to their creators and are categorized as either private or shared. A private vault becomes shared when the owner of this vault grants access to other users.
- Company vaults: These vaults are available to both the creator and corporate administrators, who are automatically assigned access. Corporate administrators cannot be removed or demoted, ensuring continuous oversight and control.

Besides basic types, you can create unlimited custom vault types.
Advantages of vault types
Vault types empower Passwork administrators to control who can create vaults, automatically assign administrators who cannot be removed, and effectively manage creator permissions.
- Constant control: New vaults of a specific type automatically include non-removable administrators, ensuring continuous access to critical data and consistent security standards across all vaults of the same type.
- Permission flexibility: You can allow users to create vaults while restricting certain actions, such as prohibiting them from inviting other users.
- Delegation: Vault types enable granular permission distribution — for example, the IT director can manage IT vaults, while the sales director oversees sales department vaults.
- Audit and analysis: Easily view all vaults in the system, along with their types and associated users, and quickly adjust vault types as needed.
- Streamlined vault creation: No need to configure permissions from scratch each time.
Vaults of all types support a multi-level, folder-based structure, allowing administrators to create hierarchies with nested elements.
Managing vault types
On the Vault settings page, you can manage all vault types, view their list, and configure action access permissions. Access to this section is controlled by individual role permissions, ensuring that only authorized users can modify critical settings.
Creating vault types
You can choose from basic vault types or create your own custom types. To set up a custom vault type, click Create vault type.

The vault type creation window offers the following options:
- Name — specify the vault type name.
- Administrators — select users who will be automatically added to all vaults of this type with Administrator permissions.
- Creator access — define the access level granted to users who create vaults of this type. For example, you can allow employees to create vaults without permitting them to invite other users.
- Who can create vaults — determine who is allowed to create vaults of this type: specific users, groups, roles, or all users.
Editing vault types
Users with access to the Vault types tab can modify vault types by renaming them, adding or removing administrators, and updating vault creation permissions. To edit a vault type, select it from the list of all types and adjust the necessary fields.

If a user is added as an administrator to an existing vault type, you must confirm the request to grant them access to the corresponding vaults.
Deleting vault types
To delete a vault type, select one or more types on the Vault types tab and click Delete in the dropdown menu at the top of the list.

Audit and vault type change
On the All vaults tab, you can view all vaults along with their types, user lists, and administrators. Additionally, you can quickly change a vault’s type — for example, when a department is reorganized or a new project is created.

You have the option to filter vaults by type or display only those to which you have access.
Settings
The Settings tab makes it possible to define the minimum required access level for performing specific actions within directories, as well as set the maximum file size for attachments linked to passwords.

Migration from previous versions
When migrating from previous versions, you can assign a vault type to imported vaults in the vault import window, provided you choose the option to import to the root directory.
When upgrading from Passwork 6 to version 7, the system automatically converts existing vaults:
- Private vaults remain private and receive the User vaults type. Your permissions and access rights remain unchanged.
- Shared vaults also receive the User vaults type. All users and their permissions are preserved.
- Organization vaults are converted to the Company vaults type. Administrators are restored and become non-removable, with the access structure preserved.
Frequently asked questions
- What's the difference between vault types and regular vaults? Regular vaults are containers for storing passwords. Vault types are rules and templates that define how vaults of a specific type are created and managed.
- Is it mandatory to use vault types? No, using custom vault types is not mandatory. You'll always have access to basic types: private vaults for personal passwords and shared vaults for passwords users share independently.
- How do corporate administrators differ from regular ones? Corporate administrators are users who automatically receive administrator rights in all vaults of a specific type. Assigning corporate administrators ensures permanent control over critical data.
- Can I change administrators in an existing type? Yes, you can modify the list of administrators in the vault type settings. When adding a new user, the system automatically creates requests to add the new administrator to all existing vaults of that type.
- How do I restrict who can create vaults of a specific type? When creating or editing a vault type, go to Who can create vaults and choose one of the options: All users — any user can create a vault of this type, or limited access — only selected users, roles, or groups.
- Can I change the type of an existing vault? Yes, you can change an existing vault's type, but only if you have administrator rights in that vault. When changing the type, corporate administrators of the new type are automatically added to the vault, new access rules are applied, and user connection requests are created.
- Why can't I remove certain administrators from a vault? If you cannot remove administrators from a vault, they are corporate administrators. Corporate administrators can only be removed by changing the corresponding vault type setting (requires administrator rights).
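The rules above (automatic, non-removable corporate administrators; a creator level that cannot invite; type changes that create access requests to be confirmed) can be expressed as a small policy model. The following is an added illustrative model, not Passwork's own code; user names and the numeric ordering of access levels are assumptions.

```python
"""Illustrative model of the vault-type rules described in this section.

Not Passwork's code. Rules modelled, all taken from the text:
  - a vault type names corporate administrators, a creator access level and
    who may create vaults of that type;
  - corporate administrators are added to every new vault of the type and can
    be neither removed nor demoted;
  - a creator with "Full access" may use the vault but may not invite others;
  - changing a vault's type requires administrator rights in that vault and
    creates access requests for the new type's administrators, which must be
    confirmed before access is granted.
The numeric ordering of access levels and all user names are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Access(IntEnum):
    FORBIDDEN = 0
    READ = 1
    EDIT = 2
    FULL = 3           # may work with the vault, may not invite others
    ADMINISTRATOR = 4  # may invite, change levels, change the vault type


@dataclass(frozen=True)
class VaultType:
    name: str
    administrators: frozenset            # corporate administrators
    creator_access: Access
    allowed_creators: Optional[frozenset] = None   # None means "all users"


@dataclass
class Vault:
    name: str
    vault_type: VaultType
    members: dict                        # user -> Access
    pending: set = field(default_factory=set)  # admins awaiting confirmation


def create_vault(name, vtype, creator):
    if vtype.allowed_creators is not None and creator not in vtype.allowed_creators:
        raise PermissionError(f"{creator} may not create vaults of type {vtype.name}")
    members = {creator: vtype.creator_access}
    # corporate administrators of the type are granted access automatically
    for admin in vtype.administrators:
        members[admin] = Access.ADMINISTRATOR
    return Vault(name, vtype, members)


def set_access(vault, actor, target, level):
    """Invite, change or remove (FORBIDDEN) a member; administrators only."""
    if vault.members.get(actor) != Access.ADMINISTRATOR:
        raise PermissionError("only vault administrators may change access")
    if target in vault.vault_type.administrators and level < Access.ADMINISTRATOR:
        raise PermissionError("corporate administrators cannot be demoted or removed")
    if level == Access.FORBIDDEN:
        vault.members.pop(target, None)
    else:
        vault.members[target] = level


def change_type(vault, actor, new_type):
    if vault.members.get(actor) != Access.ADMINISTRATOR:
        raise PermissionError("only vault administrators may change the vault type")
    vault.vault_type = new_type
    # new corporate administrators are not added silently: a request is created
    for admin in new_type.administrators:
        if vault.members.get(admin) != Access.ADMINISTRATOR:
            vault.pending.add(admin)


def confirm_request(vault, admin):
    """Confirming the request grants the new corporate administrator access."""
    vault.pending.discard(admin)
    vault.members[admin] = Access.ADMINISTRATOR


def is_denied(action, *args):
    """True if the action is rejected by the policy, False if it succeeds."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```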
Basic use cases
Prohibit private vault creation
Task: Prevent employees from creating private vaults.
Solution: In Vault settings, open the User vaults type. In Who can create vaults, remove all users or leave only those who need to retain this right.

Vaults with mandatory administrators
Task: All vaults created by users must include corporate administrators.
Solution: In Vault settings, create one or more new vault types. In the Administrators section, add the required users (corporate administrators) — they will automatically be added to all vaults of this type with rights that cannot be changed or revoked. Prohibit creation of other vault types.
Private vault creation without user invitation rights
Task: Allow users to create their own vaults but prohibit inviting other users.
Solution: In Vault settings, create a new type with Full access level for the creator—this level prohibits adding other users.

Delegating administrative responsibilities
Task: Configure the system so different departments or projects have their own administrators.
Solution: In Vault settings, create separate types for each department and add corresponding roles.
Limit vault management
Task: Prevent administrators from viewing the list of all vaults, managing vault types, and access level settings.
Solution: In role settings, open the Administrator role. In the Vaults section, disable the necessary permissions — you can restrict access to the section with the list of all vaults or to the entire Vault settings page.
Conclusion: Data control and efficiency
Vault types address a key challenge for growing companies: controlling data access without overwhelming the IT department. Administrators automatically gain access to new vaults of their type, while department heads can manage data independently. Passwork scales with your organization, ensuring data remains secure, processes are automated, and employees can work efficiently.
Passwork 7.1: Vault types

Version 2.0.27
- Further improved clickjacking protection: added blocking of clicks on hidden elements and checking for element overlap and CSS transformations
- Fixed an issue when following a link from a notification to a deleted vault or password
- Fixed an issue that could cause the extension to log out
Changes in versions 2.0.25 and 2.0.26
- In version 2.0.25, the pop-up window offering autofill was disabled to test the extension’s resistance to clickjacking attacks. Warnings about suspicious elements on webpages were also added.
- In version 2.0.26, autofill pop-ups are available again, and you can now disable them for the entire organization. The extension automatically detects and blocks most common clickjacking methods.

You can disable pop-up autofill suggestions by adjusting the Content scripts setting in the Browser extension section of the system settings (available starting from Passwork 7.1.2).
Browser extension 2.0.26 release

- Fixed an issue where a user's access level in vaults remained unchanged after the user was added as an administrator for that vault type
Passwork 7.1.3 release

- Added an option to disable extension content scripts on the organisation level
- Added an option to import passwords without names
- Added more details to some of the actions in the activity log
- Added a restriction on client-side changes to permissions and settings of your own role
- Fixed an incorrect search behavior when adding users into a vault or a folder
- Fixed an issue that caused "Action history" and "Editions" tabs not to appear under certain scenarios
- Fixed an issue that caused a password attachment download to fail if the hashes did not match
Passwork 7.1.2 release

In the new version, we have introduced the capability to create custom vault types with automatically assigned administrators, refined the inheritance of group-based access rights and handling of TOTP code parameters, as well as made numerous fixes and improvements.
Vault types
In Passwork 7.1, you can create custom vault types with flexible settings tailored to your organization’s needs:
- Each vault type allows you to assign dedicated administrators, set restrictions on vault creation and define a creator's access level
- When you create a vault or change its type, the selected corporate administrators automatically gain access to it. Other administrators won't be able to lower their access level or remove them altogether
- Now you can set up different vault types for various departments or projects, assign relevant administrators, and configure permissions for specific tasks
Viewing all system vaults
We've added the ability to view all vaults created within the organization, including the private ones. The list displays only the names of the vaults as well as the users and groups that have access to them, while the vault contents are still available strictly to users with direct access. This opens up extensive opportunities for system-wide data storage audits. Access to the vault list is determined by role settings.
Improvements
- Improved the logic of inheriting access from multiple groups: now if a user belongs to groups with both "Full access" and "Forbidden" rights to a specific directory, the "Forbidden" access level will be applied
- Added "Access level required to leave vaults" and "Access level required to copy folders and passwords" settings
- Added the option to show a custom banner to unauthenticated users: when the "Show to unauthenticated users" option is enabled, the banner will be visible on the sign-in, sign-up, master password and password reset pages
- Added processing of digits and period parameters during TOTP code generation
- Added clickable links to vaults, folders, passwords, roles, groups, and users in notifications
- Added transfer of user session history when migrating from Passwork 6
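The digits and period parameters mentioned in the improvements above come from the otpauth URI and change the generated one-time code. As an added example (not Passwork's code), this shows RFC 6238 TOTP generation and verification that honours both parameters; the sample URI's label and issuer are constructed, and the secret is the RFC 6238 test key "12345678901234567890" in base32.

```python
"""TOTP generation that honours the otpauth ``digits`` and ``period`` parameters.

Added example, not Passwork's code. Algorithm per RFC 6238 / RFC 4226
(HMAC over the time counter, dynamic truncation). The label and issuer in the
sample URI are constructed; the secret is the RFC 6238 test key in base32.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample URI; the secret is the RFC 6238 test vector key.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&digits=8&period=60")
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Return (secret, digits, period, algorithm), applying the RFC defaults
    6 digits / 30 seconds / SHA1 when a parameter is absent."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    algorithm = q.get("algorithm", ["SHA1"])[0].upper()
    if digits not in (6, 7, 8) or period <= 0 or algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported TOTP parameters")
    return q["secret"][0], digits, period, algorithm


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """Code for the time step containing unix_time (RFC 6238)."""
    # tolerate unpadded base32 as commonly found in otpauth URIs
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // period                  # period selects the step
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)      # digits selects the length


def verify(code, secret_b32, unix_time, digits=6, period=30, algorithm="SHA1", skew=1):
    """Server-side check: accept the current step and +/- skew neighbours,
    comparing in constant time."""
    for step in range(-skew, skew + 1):
        expected = totp(secret_b32, unix_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


def code_from_uri(uri, unix_time=None):
    """Generate the code an authenticator would show for this URI."""
    secret, digits, period, algorithm = parse_otpauth(uri)
    if unix_time is None:
        unix_time = time.time()
    return totp(secret, unix_time, digits, period, algorithm)
```

Ignoring the parameters and always using 6 digits / 30 seconds yields "287082" at T=59, while the URI above (8 digits, 60 seconds) yields "84755224" for the same instant, which is why a client that drops them fails to match the server.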
Bug fixes
- Fixed an issue where the 2FA setup page did not appear when logging into Passwork after enabling "Mandatory 2FA" in role settings
- Fixed incorrect counting of failed login attempts with active "Limit on failed login attempts within a specified time frame" setting
- Fixed an issue where mobile app and browser extension sessions were not reset after disabling "Enable mobile apps" and "Enable browser extensions" in role settings
- Fixed an issue where Activity log filtered by a particular vault showed events from folders inside the vault: now, only events at the selected nesting level are displayed
- Fixed an issue where a search by color tag did not work for some passwords
- Fixed an issue where user data could be updated on LDAP login despite disabled "Allow user modification during LDAP synchronization" setting
- Fixed an issue in the export window where unchecking all folders inside a vault also unchecked the vault itself
- Fixed incorrect behavior of the "Automatically log out after inactivity" setting
- Fixed incorrect display of notes
- Fixed incorrect redirect to the password's or shortcut's initial directory after editing these items in Favorites
- Fixed an issue where the item deletion date in the Bin was reset during migration from Passwork 6
You can find all information about Passwork updates in our technical documentation.
Passwork 7.1 release

- Introduction
- Preparation and real-world testing
- Coordination across teams and vendors
- Tools and technologies for an effective response
- Compliance and continuous improvement
- Conclusion
Introduction
As cyber threats continue to evolve, organizations face increasing pressure to respond quickly and effectively to security incidents. But how well do incident response plans hold up when theory meets reality? This was the central theme of the Passwork cybersecurity webinar in August 2025, featuring insights from Prince Ugo Nwume, cybersecurity consultant at Accenture, and CircleMac, host of the Passwork webinar series.
Preparation and real-world testing
Incident response plans must be living documents, not static checklists. While tabletop exercises help teams understand their roles, only real-world simulations expose true gaps in preparedness. Annual testing is the bare minimum; in regulated industries, quarterly or biannual reviews are often required.
"Tabletop exercises are great, but you need more — actual crisis simulations and drills show what works and what doesn't" — Prince Ugo Nwume
Drills and red team challenges frequently reveal overlooked weaknesses. The cybersecurity consultant recalled a load balancer left at a disaster recovery site that unexpectedly became an entry point for attackers. Continuous improvement requires immediate after-action reviews, regular updates to playbooks, and staff training that directly addresses real-world gaps.
Coordination across teams and vendors
Clear communication and decision-making authority are critical. Effective incident response depends on cross-functional cooperation among IT, legal, HR, communications, and business units. A dedicated incident coordinator helps ensure priorities are aligned and decisions are made without delay.
"When an incident happens, every team has its priorities. You need defined lines of communication and authority — otherwise, you risk making the situation worse." — Prince Ugo Nwume
Third-party vendors, including cloud providers, add another layer of risk. Contracts should specify SLAs, audit rights, and clear escalation procedures for incident response.
"Third-party risk is always a challenge — you need to safeguard your business by demanding strong security practices from vendors" — Prince Ugo Nwume
Tools and technologies for an effective response
Technology is at the core of rapid incident response. Password managers help organizations accelerate credential resets, simplify access reviews, and contain breaches more effectively. Best practices include enterprise-wide adoption, regular audits, and immediate credential changes during an incident.
"Password managers make it easier to change credentials, monitor access, and prevent attackers from persisting in your environment" — Prince Ugo Nwume
Cloud-native environments introduce both simplicity and complexity. Shared responsibility requires clear definitions of what belongs to the organization versus the provider. Rapid communication channels and frequent contract reviews are essential for compliance and responsiveness.
Measure success by checking KPIs and benchmarks:
- Mean time to detect
- Mean time to resolve
- False positive rates
Tracking these metrics over time enables organizations to refine their incident response programs and adapt to emerging threats.
Compliance and continuous improvement
Global organizations must align with evolving legal and regulatory requirements through annual reviews, gap assessments, and GRC oversight.
"Compliance is a moving target. You need standardized frameworks and regular gap assessments to keep up." — Prince Ugo Nwume
But technical controls alone are not enough. Responding to major incidents places enormous pressure on people. Prince stressed the importance of caring for teams.
"You need to support your team — reward their effort and build a culture where people want to step up when it matters" — Prince Ugo Nwume
Shift rotations, recognition, and a culture of resilience help ensure teams stay motivated and capable during prolonged crises.
Conclusion
Incident response planning requires ongoing preparation, cross-team collaboration, and continuous improvement. As the cybersecurity consultant highlighted, real adaptability comes from robust controls, practical training, and a culture of vigilance. Tools like Passwork and standardized procedures are essential, but success depends on adaptability and teamwork. Incident response plans must be living documents, not static checklists.
- Preparation and practice are key
- Cross-functional coordination and clear authority are essential
- Password managers are a cornerstone of rapid response
- Global compliance requires standardized frameworks
- Team resilience and well-being matter