Despite the well-publicised growth in cyber-attacks every year, both in number and complexity, businesses are still struggling to implement effective security policies. It’s no secret that weak passwords are a leading security threat and bad password habits are far too common.
Yet businesses are struggling to quantify their own level of password risk, even those that use password managers. Why? They lack proof of their policies’ effectiveness. They’re missing visibility into their employees’ behaviours. And they can’t verify how they compare to others of similar size, industry or location, including competitors.
That is why we undertook an effort to analyse the password habits of employees at 43,000 organisations of all sizes and across industries that use the LastPass password manager. Not only does the report reveal real password behaviours in the workplace, but it offers the first true benchmark that CISOs and other IT professionals can use to see how they rank compared to other similar businesses and how to improve their password security.
Weak, reused, old and potentially compromised credentials open organisations up to innumerable risks that could be easily avoided. Our data shows that most businesses are performing middle of the road (an average of 52 out of 100) for password security, demonstrating the need for more effective policies and training to improve overall security.
Password risk affects companies regardless of size, industry and location – but it’s something all organisations can work on for a more secure workplace.
The larger the company, the larger the risk
In a survey of 43,000 organisations, we found that the larger the company, the lower its security score on average. Organisations that use LastPass with 25 employees or fewer demonstrated the highest average security score, but that score drops as the company size increases – up to a point. Organisations with more than 500 employees displayed stagnant scores, sharing similar challenges in improving password hygiene regardless of whether they had 1,000 employees or 10,000. These larger organisations make it more challenging for IT to hold all employees to password security standards, increasing opportunities for dangerous password behaviours.
Still, that doesn’t mean larger organisations are beyond help – some of the top performers overall were large businesses, showing that size is merely a factor that IT professionals should account for when implementing security policies. The larger the organisation, the more difficult it is to address certain challenges, from budgets to bureaucratic red tape. Smaller companies still face similar challenges, just on a smaller scale. Despite having fewer resources, it’s simpler to ensure near-perfect passwords and multifactor authentication for all employees when the employee base is smaller.
Password sharing provides the perfect example for a challenge that increases in scale with larger companies. On average, any given employee shares about six passwords with coworkers. Imagine the impact at a company with 100 employees. Now imagine the same for a company with more than 10,000 employees. Password sharing is frustrating for employees and IT administrators alike, with users resorting to using weak-but-memorable passwords that present potential backdoors into the business. As teams become more distributed and technology-dependent, the ability to protect, track and audit shared passwords is more complicated – and more necessary – than ever.
Security challenges span across industries and the globe
Technology and not-for-profit organisations achieved the highest security scores, with retail and insurance trailing behind. Given the need to comply with privacy and data laws and the tech-savviness of this industry, it’s no surprise that technology companies lead the way. Even so, other heavily-regulated industries such as banking, health, insurance and government – all frequently targeted by cybersecurity attackers – demonstrated lower security scores, revealing an opportunity for these industries to commit to more effective password security.
With a reputation for security and the adoption of standards like the General Data Protection Regulation (GDPR), companies in Germany ranked higher than the global average in terms of security score, closely followed by the Netherlands. The United States falls behind, so even though the country has a number of strong top performers, we have a lot of work to do overall. Where the U.S. shines, however, is in the adoption of multifactor authentication. Out of all the companies that enable multifactor authentication, about 65 percent are U.S. based. In comparison, Germany accounts for less than three percent of companies with multifactor authentication enabled. That said, despite the growing usage of multifactor authentication overall, many countries are still slow to adopt this security trend.
Improving overall security is a work in progress, but no matter the size, industry or location, all organisations can take steps toward more efficient password management – and we’re already seeing a positive selection of companies doing something for passwords. We found that one year after implementing a password manager, most companies increased their security score by an average of nearly 15 points. For businesses looking into implementing a password manager or trying to measure their own password security for board reporting, this report should serve as a helpful benchmark, offering realistic goals and best practices.
As more and more companies implement BYOD policies, opening up networks to unsanctioned devices and apps, CISOs and other IT leaders need to change the way they think about password security. Visibility is key: You can’t measure security unless you have a system that provides insights into potential areas of risk. Implementing a password manager won’t just improve security, but increase productivity, brand perception and employee satisfaction as organisations are better equipped to safely navigate future challenges.
Chief Information Security Officer
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.