Poor password practices put companies at risk

Companies are at risk of data breaches due to poor password practices, according to the Australian Workplace Security study carried out by security intelligence company LogRhythm.

The Workplace Security study of 1003 employees from mid-large Australian corporations (20+ employees) was conducted by Galaxy Research as on an online permission-based panel during June 2015. A representative sample of Australians aged 18–64 years was drawn in proportion to age, gender and location across Australia and eligibility was determined by work status (full-time or part-time) and number of employees at their place of work (20+ employees).

While virtually all (96%) respondents require a password to use their own work computer, in only 3% of cases are passwords automatically changed and generated by company security. From the survey, it appears control over access is left to the discretion of employees.

And as workplace IT environments become more complex, so does the management of that access:

• One in five employees (19%) is able to gain entry to all work services and documents via a single password
• The average is 3.2 passwords
• A third of workers (37%) use five or more

The majority of respondents (72%) take reasonable care, saying they have changed their password within the last six months, and half (59%) of workers say they change their passwords at least once a year. There is, however, a small but dangerous number (6%) that have never changed their access codes. The longer passwords are kept, the more time cybercriminals have to find and exploit vulnerabilities.

Where different access codes are stipulated by an employer:

• Only 18% of workers take the trouble to set a unique password for each service
• 19% use the same one for everything
• 21% create variations on a core word

Potential danger also comes from one in five workers (22%) keeping their passwords in an unsecured place:

• In a file saved on their computer (8%) or in their desk drawer (6%)
• A note on a smartphone (5%)
• Or even on a sticky note on their desk (4% — which, when extrapolated, converts to 173,000 workers in Australia's enterprises)

Simon Howe, LogRhythm's ANZ sales director, said: “It is clear from the results that employees may unwittingly be placing their organisations at greater risk of data breaches and other incidents. User accounts and passwords are being harvested on the black market to fuel cyber attacks. Businesses need to more actively monitor employee access to devices, applications and systems and to set policies that encourage them to keep security front of mind."

LogRhythm has the following password security advice for businesses:

• Send regular reminders to employees to change passwords and keep them safe. The longer the password — a combination of 4 or more different words — the better.
• Use a secure password manager app to store passwords (currently only 6% of employees do so). A password manager will help create and store complex and dynamic passwords for multiple services.
• Use multifactor authentication whenever possible to protect critical infrastructure such as VPN and email access. However, it's worth knowing that passwords remain workers' preferred security option, at 54%, over combinations of passwords and fingerprints (28%) and fingerprint only (18%).
• Avoid shared accounts. Create separate accounts for each user of an application so that any actions performed are properly attributed to a specific employee. It also limits the risk of inadvertent password exposure.

Image credit: © iStockphoto.com/Vlad Kochelaevskiy