2015 was a bad year for passwords. So much data theft has occurred this year that new breaches rarely make headlines unless the number of people affected reaches into the multi-millions. And many of these breaches have been traced back to compromised credentials from employees and contractors. It's easy to blame passwords as the ultimate evil of modern identity and access management, but it's not necessarily passwords that are to blame--it's the people using them.
To better understand workforce behaviors and the risk they present to the enterprise, we recently surveyed more than 1,000 employees at large organizations and discovered some rather interesting statistics--not only about users and passwords, but also around device usage and other security best practices. For example:
35 percent said that their work or personal data had been stolen and exposed online
78 percent believe that it's risky to share passwords with family members, but 37 percent are likely to do so anyway
54 percent admit to sharing their computer or smartphone passwords with family members
50 percent are likely to reuse passwords for work-related accounts, and 62 percent are likely to reuse passwords for personal accounts
30 percent admit to reusing their passwords between personal and work
On the bright side, 57 percent of respondents had changed their personal passwords in the last three months. It's not clear how much of this was due to password resets (i.e., users choosing not to remember passwords and relying on password-recovery mechanisms that force a new, unique password each time). Even so, it is a strong indication that education is actually making a difference, even in users' personal lives.
Some other security best practices that users follow:
66 percent use unique and difficult-to-guess passwords
28 percent use multi-factor or two-factor authentication
25 percent use fingerprint authentication
18 percent browse online in private mode only
17 percent use a password manager
These figures show that a growing number of people are concerned about security and are improving their general security practices. However, they continue to be lax with their password security. Having a strong password and using two-factor authentication (where it's available) certainly helps protect sensitive data, but reusing a password from less-secure personal sites and applications for business purposes defeats the point.
One of the most interesting statistics from the survey concerns the responsibility that users take for their own insecure practices. When asked who is ultimately accountable for a corporate data breach, 59 percent pointed at the IT department, 17 percent blamed the CEO or CSO and only 11 percent believed that they would be responsible for the breach.
Also interesting (and contrary to other studies), 11.6 percent of millennials (employees under age 35) indicated that they would be ultimately accountable for a data breach, versus only 9.7 percent of employees ages 35-45. However, as expected, millennials are more likely to use personal devices for work use, but only slightly so (78 versus 75 percent).
Regardless, it's clear that IT and CISOs have their work cut out for them. The good news is that organizations are doing the right things--82 percent say their company has good or excellent password and authorization measures in place. But it's still IT and the C-level execs that are on the hook to ensure that a compromised credential doesn't lead to a catastrophic data breach.
If not them, who?
The answers to these problems aren't simple, obviously. The frequency and impact of data breaches worldwide continue to increase. Even though billions of dollars are being spent to protect against the threat, the value of personal and corporate data draws a very motivated kind of attacker who has multiple methods and tactics--some of which enterprises can mitigate against and others that are mostly out of their control. Password security is something that falls into the latter category, which means that organizations must start to employ techniques that "assume breach." That is, for companies to effectively safeguard their data, they must assume that privileged, compromised credentials are constantly in the wild.
By admitting that the legacy perimeter of passwords has already fallen, we can move on to real authentication based on continuous, contextual user data to ensure that the right people have access to the right things at the right time. Mobile multi-factor authentication plays a huge role in this new Identity Defined Security paradigm, as do biometrics and advanced capabilities like geofencing, but real-time analytics and passive authentication also need to be incorporated into modern identity and access management if enterprises are ever to get over the current password predicament.
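To make the "assume breach" stance above concrete, here is an added example (not code from the original post, and not any vendor's product) of a context-aware sign-in policy: each attempt is scored on signals such as an unrecognised device, a location outside a per-user geofence, an unusual hour and whether the submitted password is known to appear in a breach corpus, and the score decides between allowing the login, stepping up to a second factor, forcing a reset or denying. Every user name, device id, coordinate, threshold, weight and sample event below is constructed for the illustration, and the breach-corpus lookup is assumed to happen elsewhere and arrive as a boolean.

```python
# Added example: context-aware step-up authentication policy.
# All users, devices, coordinates, weights and thresholds are constructed values.
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    lat: float
    lon: float
    hour_utc: int                  # hour of day (0-23) the attempt was made
    password_seen_in_breach: bool  # result of an external breach-corpus check (assumed)


# Per-user baseline that would normally be learned from prior successful logins.
KNOWN_DEVICES = {"alice": {"laptop-7f3a", "phone-91c2"}}
GEOFENCE_CENTRE = {"alice": (37.7749, -122.4194)}  # constructed home-office location
USUAL_HOURS = {"alice": range(7, 20)}               # 07:00-19:59 UTC
GEOFENCE_KM = 50.0

# Weight of each contextual signal and the thresholds that map a score to an action.
SIGNAL_WEIGHT = {"unknown_device": 2, "outside_geofence": 2, "unusual_hour": 1}
STEP_UP_AT = 1   # any risk at all: password alone is not enough, ask for a second factor
DENY_AT = 4      # several independent anomalies at once: refuse outright


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def risk_signals(ctx):
    """Return the list of contextual signals that raise the risk of this attempt."""
    signals = []
    if ctx.password_seen_in_breach:
        signals.append("breached_password")
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        signals.append("unknown_device")
    centre = GEOFENCE_CENTRE.get(ctx.user)
    if centre is None or haversine_km(ctx.lat, ctx.lon, *centre) > GEOFENCE_KM:
        signals.append("outside_geofence")
    if ctx.hour_utc not in USUAL_HOURS.get(ctx.user, range(24)):
        signals.append("unusual_hour")
    return signals


def decide(ctx):
    """Map the signals to one of: allow, step_up, reset_required, deny."""
    signals = risk_signals(ctx)
    # A credential known to be in a breach corpus is treated as already compromised,
    # whatever the rest of the context looks like.
    if "breached_password" in signals:
        return "reset_required", signals
    score = sum(SIGNAL_WEIGHT[s] for s in signals)
    if score >= DENY_AT:
        return "deny", signals
    if score >= STEP_UP_AT:
        return "step_up", signals
    return "allow", signals


if __name__ == "__main__":
    # Constructed sample attempts: known laptop in the office, a new tablet in the
    # office, a new tablet far outside the geofence, and a reused/breached password.
    samples = [
        LoginContext("alice", "laptop-7f3a", 37.78, -122.42, 10, False),
        LoginContext("alice", "tablet-0000", 37.78, -122.42, 10, False),
        LoginContext("alice", "tablet-0000", 51.5074, -0.1278, 10, False),
        LoginContext("alice", "laptop-7f3a", 37.78, -122.42, 10, True),
    ]
    for ctx in samples:
        action, signals = decide(ctx)
        print(f"{ctx.user} from {ctx.device_id}: {action} {signals}")
```

The weights and thresholds are deliberately simple so the policy is auditable; in practice the baseline (known devices, usual location and hours) would be maintained from the user's own login history, and the step-up branch is where a mobile second factor or a biometric check would be invoked.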