Businesses still have a lot of work to do in the areas of password and access security, according to the latest research in this year’s Global Password Security Report. While some organizations are increasing their use of important security measures like multi factor authentication (MFA), overall, employees still have poor password hygiene that weakens overall company security. When 80 percent of breaches are linked to stolen and reused credentials, businesses must take more action to improve password security to reduce risk to their business.
Cloud apps, mobile apps and any number of new technologies have brought many positive changes to the workplace, but they’ve also introduced a plethora of passwords that employees struggle to keep track of. The larger the number of passwords any one employee is tasked with remembering, the more likely they are to practice poor password behaviors. It’s not necessarily due to misinformation or a lack of knowledge and resources, but a lack of training and regulation of password compliance.
According to our data, employees at smaller companies have an average of 85 passwords to keep track of, while employees at large companies have an average of 25 passwords to manage. Larger businesses may be more likely to have Single Sign-On (SS0) solutions in place that enable employees to access more apps with fewer passwords. However, less than 50 percent of all businesses have this kind of technology in place.
In addition, we all know that reusing passwords is bad, but we still do it anyway. With an increasing number of passwords to remember in the workplace, most employees don’t want to have to think of and remember unique, complex passwords. In fact, password sharing and reuse remains a common practice across most businesses. What’s more, many departments or teams may have just one or two licenses for a service that needs to be accessed by several employees or shared with external contractors or organizations. The number gets even higher at the smaller businesses. Employees reuse 10-14 passwords, compared to just four among employees at large organizations. This opens organizations up to increased security risks. Once an attacker has access to one stolen password, it could compromise several other accounts if that password is used in multiple places.
More than half of businesses globally (57 percent) now have employees using MFA, which is up 12 percentage points from last year’s report. With larger IT staffs and resources at their disposal, employees at large organizations have the highest usage at 87 percent. This number drops to 44 percent at organizations with approximately 500-1,000 employees and to 27 percent at even smaller businesses.
Given the competing priorities of IT staff and limited resources at smaller businesses, MFA may not be a priority. That said, 60 percent of small and midsize businesses that are hacked go out of business within six months. So, even if the smallest businesses feel like they can fly under the radar and stay safe without investing in MFA, the data unfortunately shows otherwise. Thankfully, there are a number of affordable, user-friendly options available and every business should be able to find an MFA solution that meets their needs.
Unfortunately, these issues exist in organizations of varying size, regardless of industry and across different platforms. On average, employees in media/advertising manage the most passwords (97), whereas government employees have the least (54). This could be due in part to the number of accounts necessary for media/advertising employees to conduct their day to day work or that a number of apps and tools might not be permitted for employees in the government sector. However, no amount of password reuse is safe, and a few sectors have a lot more work to do. When it comes to MFA, industries with the most sensitive customer data, like insurance and legal, are the least likely to have employees using MFA with 20 percent usage for each compared to the high of 37 percent in the technology and software industries. Many businesses who encourage or require employees to use MFA are likely to be significantly ahead of their peers when it comes to mitigating threats. In cybersecurity, doing the basics well often has the biggest impact on preventing the most common attacks, so expect to see more widespread usage of MFA across sectors in the coming years.
The Path to Stronger Security
While it’s important to invest in an access solution, it’s no longer enough for a business to simply adopt tools in an attempt to improve organizational security. Training and education need to be an ongoing effort to encourage adoption and usage of security tools. Having a focus on changing the status quo and eliminating password-related risks through easy-to-use tools and trainings, organizations will be better prepared to prevent and address any future security risks.