Pictured: Joe Siegrist, CEO and co-founder of LastPass
Employees are significantly increasing the risk of enterprise security breaches with reckless password activity -- and the proper password governance to stop it is lacking, according to a recent survey from identity governance company SailPoint Technologies.
Vanson Bourne, a U.K.-based technology research firm, interviewed 1,000 office workers in midsize to large organizations (more than 3,000 employees) about their management of passwords, and found that 56% of employees were reusing the same passwords between personal and corporate accounts while relying on an average of just three different passwords. In addition, the survey said 20% were sharing passwords with team members -- allowing information to be easily compromised if no password management policy is enforced.
"As the number of passwords in our lives has proliferated, people have adopted various ways to help themselves," said Kevin Cunningham, president and founder of SailPoint, based in Austin, Texas. "One of the common ways is to start to use the same passwords across multiple different accounts. If you couple that with the fact that people have a cavalier attitude towards protecting them … therein lies the real risk."
Furthermore, the study found that 14% of employees would resell their enterprise passwords to a third party -- sometimes for as little as $150 -- whether as an act of retribution against their employers or simply for monetary gain. According to Cunningham, some employees might believe they could sell a password to a cybercriminal and quickly change it before a breach occurred -- without realizing how many of their other accounts the same password unlocks.
Joe Siegrist, CEO and co-founder of password management firm LastPass in Washington, D.C., found that password reuse was a growing problem -- more so than deliberate insider threats. Companies don't pay attention to their employees' password usage until it is too late, he said.
"Most companies are just waking up to the realization that just telling people that they can't reuse passwords isn't going to really do the trick," Siegrist said. "People don't feel they are going to get caught reusing their passwords until the corporate network is getting raided by somebody that is reusing a password that you used on some social network or some other site that got compromised."
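The scenario Siegrist describes, a password leaked from a third-party site being tried against corporate accounts, is exactly what a defender can check for before an attacker does. The following is an added example, not code from the article, LastPass or SailPoint: it keeps a constructed corporate directory of salted PBKDF2-HMAC-SHA256 digests, takes a constructed plaintext breach dump, and for every leaked e-mail that matches a corporate account verifies the leaked password against that account's stored hash. Because the corporate store is salted, there is no shortcut such as comparing hash lists; each leaked plaintext has to be run through the same KDF, which is also why this check is cheap for a defender (a handful of candidates per user) but not for an attacker guessing blind. The iteration count, account names and passwords are all assumptions for the demo.

```python
"""Detect corporate credentials that also appear in a third-party breach dump.

Added example with constructed data (not from the article, SailPoint or LastPass).
The corporate store keeps salted PBKDF2-HMAC-SHA256 digests, so the only way to
spot reuse is to verify each leaked plaintext against the matching user's hash,
the same trial an attacker performs during credential stuffing.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed work factor for the demo; production should use a considerably
# higher iteration count or a memory-hard KDF such as Argon2id.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored salt/digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_store(plaintexts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate the corporate directory: e-mail -> (salt, digest).

    The plaintexts exist only to construct the demo; a real directory never has them.
    """
    return {email.lower(): hash_password(pw) for email, pw in plaintexts.items()}


# Constructed corporate accounts: alice reuses her leaked password, the others do not.
CORPORATE_PLAINTEXTS = {
    "alice@example.com": "Summer2015!",
    "bob@example.com": "quartz-ledger-84-taxi",
    "carol@example.com": "Cardinal!Pine!2016",
}
USER_STORE = build_user_store(CORPORATE_PLAINTEXTS)

# Constructed third-party dump, as circulated after a site that stored
# plaintext (or trivially cracked) passwords was breached.
BREACH_DUMP = [
    ("Alice@Example.com", "Summer2015!"),          # identical to her corporate password
    ("bob@example.com", "letmein"),                # bob's leaked password differs
    ("carol@example.com", "Cardinal!Pine!2015"),   # one character off: still no match
    ("mallory@other.test", "hunter2"),             # not a corporate account at all
]


def find_reused_credentials(user_store: Dict[str, Tuple[bytes, bytes]],
                            breach_dump: List[Tuple[str, str]]) -> List[str]:
    """Return corporate accounts whose stored password equals a leaked one for the same e-mail."""
    reused = set()
    for leaked_email, leaked_password in breach_dump:
        record = user_store.get(leaked_email.lower())
        if record is None:
            continue  # the leak belongs to someone outside the directory
        salt, digest = record
        if verify_password(leaked_password, salt, digest):
            reused.add(leaked_email.lower())
    return sorted(reused)


if __name__ == "__main__":
    for account in find_reused_credentials(USER_STORE, BREACH_DUMP):
        print(f"force password reset and require a second factor: {account}")
```

Matching is by e-mail, so the check only catches reuse where the leaked identity maps to a corporate account; a wider sweep would also try every leaked password against every account, at a cost that scales with the KDF work factor. Accounts that match are the ones to reset immediately, which is the operational counterpart of the secondary-factor advice that follows.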
But it's not only their employees that enterprises need to watch out for.
"Nowadays, with the interactions that happen between businesses, a lot of times businesses have access to applications inside a company as well," Cunningham said. "It's employees, it's business partners, and sometimes it's even customers."
Fortunately, companies have begun to act on these risks in recent years, Siegrist said: enterprises are starting to deploy basic defenses against future attacks and breaches, as well as procedures for responding to password leaks.
"Most companies do set up the ability to enforce some form of secondary factor on users," Siegrist said. "That kind of raises the bar -- the password alone is not the only thing that gets access to the data."
Password management is a multistep process that takes a few years for companies to embrace, according to Cunningham. There are certain necessary steps to securing a company and several aspects to that end.
"It's a matter of education for the employees -- to educate them on the hazards and risks," Cunningham said. "There's a policy aspect of it: If you're accessing our financial application, 'thou shalt not use that password for anything else in your life.' And then there are tools you can use to help automate that process for the employees, such as a password vault. Maybe they don't know what the password is, but they can log into the password vault and the passwords are generated for them."
SailPoint's survey also showed that 20% of respondents said they have already been affected by high-profile data breaches. Cunningham said he expects that number to grow. With more and more breaches in recent years, he said it's time for companies to step up their password management and enact basic security policies or risk suffering a preventable breach.
"Nobody wants to be the next headline about being breached and having lost customer information or intellectual property or financial information," Cunningham said. "But also governments around the world have stepped in and are mandating that companies do a better job of this. … There's nothing that gets attention faster than an audit fail."