Organisations are improving their password security, but not enough
2 October 2018
Many organisations have improved their password practices over the past year, and adoption of multi-factor authentication has almost doubled in that period, but a lot of work remains: the average password strength score is only 52 out of 100, according to a report from LastPass by LogMeIn.
The firm's annual 2018 Global Password Security Report is based on anonymised data collected and analysed from over 43,000 companies of all sizes worldwide, and shows how businesses have changed their password management practices, for better or for worse.
It is now well understood that easily guessed or simple passwords give attackers an easy route into an organisation's IT network, whether to steal data or to plant malware. Ongoing campaigns by governments, privacy-conscious groups and security firms have shown that employees at organisations of every size do not take password security seriously, and that data breaches have followed.
Password security remains a major work-on for firms
Thanks to such efforts, organisations now treat password security as essential to the security of their IT networks and have improved their password management practices. However, with the average password strength score at only 52 out of 100, organisations will need to do a lot more to get their employees to use strong passwords at all times.
According to the Global Password Security Report, the highest average security score is in the technology industry (53), which is unsurprising, as technology firms have to abide by strict privacy and data laws in their respective countries. Other sectors such as banking (49), health (49), insurance (47), retail (48) and government-run firms (49) score lower than the technology sector. The gap is small, however: every sector listed sits within a few points of the 52 average, so no industry can claim to have solved the problem.
“Security professionals often fail to consider the value of the first factor of enterprise authentication— the password. Despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping them up,” said Frank Dickson, Research Vice President, Security Products at IDC.
“Passwords continue to be a challenge to cybersecurity in the workplace, and attacks continue to grow in number and complexity every year. Despite these threats, businesses have struggled to quantify their own level of password risk,” said Gerald Beuchelt, Chief Information Security Officer at LogMeIn.
Adoption of multi-factor authentication
The report adds that, even though average password strength is nowhere near adequate, adoption of multi-factor authentication has almost doubled over the past year, from 24.5 percent to 45 percent. Because multi-factor authentication requires something beyond the password, a stolen or guessed password on its own is no longer enough to get in, which is why security experts rank it among the strongest defences against credential-based attacks.
However, adoption is far more common in the technology sector than elsewhere. The report's sector breakdown shows that while 31 percent of firms in the tech sector have adopted multi-factor authentication, only 16 percent of banks, 3 percent of health firms, 3 percent of insurers, 13 percent of retailers and 2 percent of government firms have done so.
Such a lack of multi-factor authentication can cost organisations dearly, since a single compromised password is often all an attacker needs. In July, for instance, Timehop, a social networking app, suffered a data breach that compromised the names, email addresses and phone numbers of up to 21 million users. The breach occurred after an attacker obtained a credential for Timehop's cloud environment that was not protected by multi-factor authentication.
Even though organisations have improved their password management practices to an extent, the picture is not black and white: senior management often struggle to control employees' access to cloud-based applications, and many lack the control and visibility needed to improve password behaviour among employees.
A survey carried out by LastPass and Ovum last year found that a majority of IT executives had no technology in place to control password sharing, and only 14 percent of those surveyed said they had automated controls to detect password sharing among employees.
At the same time, a majority of IT executives said the technology they deployed was chosen to satisfy policy rather than to fit how users actually work, which undermined users' ability to maintain password hygiene and placed companies at risk.