According to a recent survey from SailPoint Technologies, the high percentage of password reuse and sharing by employees leaves enterprises vulnerable to breaches.
Employees are significantly increasing the risk of enterprise security breaches with reckless password activity — and the proper password governance to stop it is lacking, according to a recent survey from identity governance company SailPoint Technologies.
Vanson Bourne, a U.K.-based technology research firm, interviewed 1,000 office workers in midsize to large organizations (more than 3,000 employees) about their management of passwords, and found that 56% of employees were reusing the same passwords between personal and corporate accounts while relying on an average of just three different passwords. In addition, the survey said 20% were sharing passwords with team members — allowing information to be easily compromised if no password management policy is enforced.
“As the number of passwords in our lives has proliferated, people have adopted various ways to help themselves,” said Kevin Cunningham, president and founder of SailPoint, based in Austin, Texas. “One of the common ways is to start to use the same passwords across multiple different accounts. If you couple that with the fact that people have a cavalier attitude towards protecting them … therein lies the real risk.”
Furthermore, the study found that 14% of employees would resell their enterprise passwords to a third party — sometimes for as little as $150 — whether as an act of retribution against their employers or simply for monetary gains. According to Cunningham, some employees might believe they could sell a password to a cybercriminal and quickly change it before a breach occurred — without realizing the extent to which this password pervaded their other accounts.
Joe Siegrist, CEO and co-founder of password management firm LastPass in Washington, D.C., found that password reuse was a growing problem — more so than deliberate insider threats. Companies don’t pay attention to their employees’ password usage until it is too late, he said.
“Most companies are just waking up to the realization that just telling people that they can’t reuse passwords isn’t going to really do the trick,” Siegrist said. “People don’t feel they are going to get caught reusing their passwords until the corporate network is getting raided by somebody that is reusing a password that you used on some social network or some other site that got compromised.”
But it’s not only their employees that enterprises need to watch out for.
“Nowadays, with the interactions that happen between businesses, a lot of times businesses have access to applications inside a company as well,” Cunningham said. “It’s employees, it’s business partners, and sometimes it’s even customers.”
Luckily, companies have begun to act on these concerns in recent years, Siegrist said, as enterprises are starting to employ some basic defenses against future attacks and breaches, as well as ways to deal with password leaks.
“Most companies set up the ability to enforce some form of secondary factor on users,” Siegrist said. “That kind of raises the bar — the password alone is not the only thing that gets access to the data.”
Password management is a multistep process that takes companies a few years to embrace, according to Cunningham. Securing a company requires a set of specific steps, each with several aspects.