Getty Images
IT Security Leaders Engage in Risky Security, Password Habits
A recent report from Yubico shows IT security leaders are routinely engaging in risky authentication practices, with 35 percent failing to change password management after a cyberattack.
IT security practitioners routinely engage in risky password and authentication practices. And there’s a misalignment between expectations and reality when it comes to the implementation of usable security tools, according to a recent report from Yubico and conducted by the Ponemon Institute.
Researchers surveyed 2,507 global IT and IT security leaders, as well as 563 individual users. They found that while most IT leaders have strong awareness of best practice authentication and password management, those tools and skills are often not put into action due to inconvenience or usability issues.
In fact, individual users were found to have better security practices than the IT leaders. The report found that of the 35 percent of users who reported experiencing an account takeover, 76 percent changed how they managed their account passwords or protected their accounts.
On the other hand, of the 20 percent of IT leaders who experienced an account takeover, just 65 changed how they managed passwords or protected their accounts.
Even worse, 50 percent of IT professionals said they reuse passwords across workplace accounts, compared with just 39 percent of individuals. Both reused passwords on an average of 10 personal accounts.
Further, 51 percent said their organizations experienced a phishing attack, while another 12 percent said their organization faced credential theft or a man-in-the-middle attack (8 percent). Despite falling victim, just 53 percent of IT security respondents said their organizations changed how passwords or corporate accounts were managed.
Those leaders also said they reuse passwords across 12 workplace accounts, on average. In fact, 49 percent of IT security leaders said they share passwords with colleagues to access business accounts, with 59 percent reporting that their organization relies on human memory to manage passwords. Another 42 percent said they use sticky notes.
Just 31 percent of IT security leaders said there organizations uses a password manager, which researchers noted are “effective tools to securely create, manage, and store passwords.”
But the report found that awareness among IT security respondents was high, and the largest concern was protecting client information and personally identifiable information.
The issue lies in inaction.
For example, 59 percent of IT security respondents said their customer accounts have experienced an account takeover. But 25 percent of those respondents said their organization has no plans to adopt two-factor authentication (2FA). Sixty percent of these said their organizations believe usernames and passwords provide sufficient security.
It’s important to note that Microsoft found multi-factor authentication to stop 99.9 percent of all automated cyberattacks.
What’s more, 47 percent said their organizations won’t implement 2FA as “it will affect convenience by adding an extra step during login.” Researchers also explained that the 2FA options currently in-use or planned by organizations often don’t provide adequate protection for users.
The three main 2FA methods currently in-use or planned to support for user-facing apps are SMS codes (41 percent), backup codes (40 percent), or mobile authentication apps (37 percent).
For contrast, 55 percent of IT security leaders sand individuals both said they’d prefer a method to protect accounts that doesn’t involve passwords, with 65 percent of IT leaders saying biometrics would increase their organization’s security or accounts.
“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” Stina Ehrensvärd, Yubico CEO, said in a statement. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap.”
“With the availability of passwordless login and security keys, it’s time for businesses to step up their security options,” she added. “Organizations can do far better than passwords; in fact, users are demanding it.”
The report should raise alarm for the healthcare sector, given several reports that demonstrate hackers continually target credentials in their attacks. Credential compromise was the top goal of phishing attacks in 2018, and credential theft attempts are consistently named as one of the leading attack methods for phishing.
A 2018 report also showed user authentication is the largest cyber risk for hospitals and health systems.