In a surprising twist, new data sheds light on the lack of proper security around passwords and authentication by IT at a time when cyberattacks are all but an absolute given.
Passwords sit firmly at the center of nearly every security model and cyberattack. Whether being used to grant appropriate access for an employee or lateral movement for the cybercriminal, authentication via passwords is a necessary step. So, it’s important for organizations - IT in particular - to use proper password hygiene and best practices to ensure the security of their accounts.
But according to Ponemon’s latest research, the 2020 State of Password and Authentication Security Behaviors Report, IT pros have a bit of password security to work on:
- Two-thirds of IT organizations use older best practices such as requiring periodic password changes (67%), a recommendation Microsoft has officially killed.
- Only 50% of IT pros use multi-factor authentication and a little more than a third (36%) require the use of a password manager for elevated credentials.
- 20% don’t take any steps to secure passwords
This all comes at a time when organizations are experiencing cyberattacks like never before, including a 41% increase in ransomware attacks, data breaches starting with a phishing attack, and business email compromise responsible for a total of $26 billion in losses.
Credentials are the lifeblood of nearly every type of cyberattack including ransomware, remote desktop attacks, business email compromise, island hopping, data breaches, and insider threats. Organizations need to shore up their policies to ensure passwords are secure by utilizing proper length and complexity, the use of multi-factor authentication, and utilizing other authentication methods (such as biometrics).
Users need to be educated on not just what the organization’s password policy is, but why. Security Awareness Training helps to educate users on their role as part of the organization’s security – from good password hygiene to vigilance when interacting with email and the web, users can elevate an organization’s security posture. All it takes is a little ongoing training.