Despite the increasing concern regarding privacy and protection, individuals and businesses are still falling short.
The recent survey from The Ponemon Institute with authentication key vendor Yubico shows that IT professionals are still falling short when it comes to security practices in the workplace.
The survey interviewed over 1,500 IT professionals and security practitioners to understand their beliefs and behaviours around password management and authentication. It asked IT security professionals across the US, UK, Germany and France a variety of questions surrounding passwords and authentication. Overall, the report paints a concerning picture of the state of password security among those who should be the most knowledgeable and aware of the risks of poor password practices.
On the one hand, respondents had increasing concerns over the privacy and security of data, citing government surveillance, the growing use of mobiles and the interconnectedness of devices, and over half (66%) believe in the importance of protecting passwords in the workplace. On the other hand, the report shows IT professionals continue to follow poor password practices which can easily lead to identity theft, backdoor access, and ultimately the compromise of the business.
- Analyst firm Security Ventures states the number of passwords in use will likely exceed 300 billion by 2020. The report shows that IT professionals understand the importance of passwords and the need to keep them secure, with 66% agreeing they need protecting in the workplace and 63% understanding the importance of protecting passwords on their own devices too.
- Despite these beliefs, 69% of respondents admit to sharing passwords with work colleagues to access accounts, and more than half reuse an average of five passwords across their accounts.
- Phishing scams remain the number one tool in a hacker's arsenal; joint research between CyberInt and CheckPoint identified toolkits available on the dark web allowing anyone to run a phishing scam. The survey identifies that more than half (51%) have experienced a phishing attack personally, and 44% at work. Despite the scare, 57% still chose not to change how they manage their passwords.
- Spiceworks recently ran a quick poll to assess how many IT professionals use password managers in the workplace: 89% of respondents said they use one both in the workplace and at home, so there is no denying the popularity of password managers. Okta recently reported an increase in password manager use too, yet 51% of those surveyed prefer using their memory to protect passwords. The report shows a reliance on outdated, unreliable and unsecured methods as the primary form of protection, including sticky notes and spreadsheets.
- According to Verizon's 2017 Data Breach Investigations Report, 81% of all hacking-related breaches leverage either stolen and/or weak passwords. The survey does suggest respondents are trying to improve password security in the workplace: 43% of respondents have changed how they manage passwords, 47% are using stronger passwords, and 43% change them more frequently. Nearly half have also begun employing multi-factor authentication, despite the National Cyber Security Centre reporting slow uptake of multi-factor authentication.
- The net effect of poor password security is financial: the CyberInt and CheckPoint report states SMBs lose billions each year through phishing scams. The survey reports that the cost of productivity and labour loss per company averages $5.2 million annually from entering and resetting passwords, based on the average headcount.
There is a disconnect between what people expect and what is being delivered. Education is an essential factor in delivering to employers the benefits of highly secure authentication practices, and the effort involved can be negligible compared with the business benefits.
The report identified that over half of the respondents experienced phishing scams, but there are basic steps employees can carry out to help avoid falling victim:
- Be cautious of emails from unknown senders.
- Be wary of emails not addressed to you by name.
- Be concerned if keywords like ‘Banking’ are highlighted.
- When hovering over a link, check that the domain of the URL points to the company that claims to have sent the email.
There are basic steps employees can carry out to help reduce chances of getting hacked:
- Do not use your network username as your password
- Don’t use easily guessed passwords or breached passwords
- Do not choose passwords that are personally identifiable
- Do not use words right out of a dictionary
- Organizations can still minimise the risk of attacks by increasing the minimum password length and, optionally, complexity requirements
- Utilise other factors to secure passwords such as MFA
Software to complement education can have a positive effect on securing the workforce.
Google Password Checkup can automatically check whether your passwords have been exposed in a data breach. Once installed, the extension checks any login details you use against a database of around four billion usernames and passwords and warns you if it finds a match.
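The checks listed above (username reuse, breached or dictionary passwords, personal details, minimum length) and the breach lookup that tools like Google Password Checkup perform can be expressed as a small policy function. The following is an added example, not code from LogonBox or the article; the breach corpus, dictionary, 12-character minimum and `personal` details list are constructed assumptions, and the breach lookup mimics the hash-prefix (k-anonymity) style so the plaintext never leaves the client.

```python
import hashlib
import re
from typing import Iterable, List

# Constructed sample data: a tiny "breached password" corpus standing in for
# the multi-billion-entry databases the article mentions, stored as SHA-1
# hex digests so no plaintexts need to be kept around.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}

# Constructed mini dictionary standing in for a real word list.
DICTIONARY_WORDS = {"dragon", "summer", "monkey", "welcome"}

MIN_LENGTH = 12  # assumed policy value; the article gives no number


def hash_prefix_matches(password: str, corpus: Iterable[str] = BREACHED_SHA1) -> bool:
    """Breached-password check in the k-anonymity style: only the first 5 hex
    characters of the SHA-1 select candidate hashes (what a client would send
    to a remote service); the full digest is then compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def check_password(password: str, username: str, personal: Iterable[str] = ()) -> List[str]:
    """Apply the article's rules; return the violated rules (empty list = acceptable)."""
    problems = []
    low = password.lower()
    # Rule: do not use your network username as your password (containment also flagged)
    if username and username.lower() in low:
        problems.append("contains network username")
    # Rule: do not use breached passwords
    if hash_prefix_matches(password):
        problems.append("appears in breach corpus")
    # Rule: do not choose passwords that are personally identifiable
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal detail {item!r}")
    # Rule: do not use words right out of a dictionary (digits/symbols stripped)
    if low in DICTIONARY_WORDS or re.sub(r"[^a-z]", "", low) in DICTIONARY_WORDS:
        problems.append("dictionary word")
    # Rule: enforce a minimum password length
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems
```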
Password Self-Service Reset
Self-service password reset tools like LogonBox can help secure passwords across multiple systems when employees need to change or reset them. Employing multi-factor and multi-step authentication, LogonBox verifies the user identity before allowing any change to occur.
Of those surveyed, 51% struggled to manage passwords and relied on insecure methods. Single sign-on, which LogonBox includes, enables users not only to manage passwords securely but also to log in to company web applications without needing to use or share credentials.
With support for multi-factor authentication, LogonBox can provide a layer of security between users, passwords and company web apps.
Password managers provide another option for storing passwords, using a single master password to access and store all credentials. Many password managers can inject credentials into applications securely, eliminating the need for spreadsheets and sticky notes.
The report shows there is still a gap between IT professionals' beliefs and behaviour; individuals and businesses need solutions that offer both added security and convenience. Education is a crucial piece and needs to be complemented with software: password self-service, single sign-on and identity management can help secure employees and the workplace.
*** This is a Security Bloggers Network syndicated blog from LogonBox Journal authored by Majid Latif. Read the original post at: https://www.logonbox.com/en/journal/state-of-passwords-security-2019-businesses-still-falling-short/