A Kaspersky Lab survey finds that 75 percent of respondents report that the number of passwords they have to manage causes them stress, which may explain why there are 23.2 million accounts using “123456” as a password and three million accounts using “password” as a password.
In addition, 68 percent report they are stressed about data breaches—even though nearly a third of them admit they use the same passwords for either all or most of their online accounts.
The threat of poor password protection is ongoing. In a recent attack, hackers had access to Citrix networks for six months before they were discovered, the result of password spraying. Unlike a classic brute-force attack that hammers one account with many guesses and trips the lockout policy, spraying tries a small set of commonly used passwords against many accounts, staying under the lockout threshold until some of them match; the accounts that fell were not protected by two-factor authentication.
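The spraying pattern described above has a distinctive footprint in authentication logs: one source producing failed logins across many different usernames in a short window, with each username tried only once or twice, followed by a success for whichever account happened to use a common password. The following detector is an added example written for this page, not code from Citrix or from any product the page mentions; the log format ("timestamp, source IP, username, SUCCESS or FAIL"), the sample lines and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system and not from
# the Citrix incident). Assumed format per line:
#   "<ISO timestamp> <source ip> <username> <SUCCESS|FAIL>"
# 203.0.113.7 sprays eight accounts with a couple of guesses each, then lands
# on "dave"; 198.51.100.9 is classic brute force against one account;
# 192.0.2.5 is a user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
2019-05-02T09:00:01 203.0.113.7 alice FAIL
2019-05-02T09:00:03 203.0.113.7 bob FAIL
2019-05-02T09:00:05 203.0.113.7 carol FAIL
2019-05-02T09:00:07 203.0.113.7 dave FAIL
2019-05-02T09:00:09 203.0.113.7 erin FAIL
2019-05-02T09:00:11 203.0.113.7 frank FAIL
2019-05-02T09:00:13 203.0.113.7 grace FAIL
2019-05-02T09:00:15 203.0.113.7 heidi FAIL
2019-05-02T09:00:30 203.0.113.7 alice FAIL
2019-05-02T09:00:31 203.0.113.7 bob FAIL
2019-05-02T09:00:40 203.0.113.7 dave SUCCESS
2019-05-02T09:01:00 198.51.100.9 alice FAIL
2019-05-02T09:01:01 198.51.100.9 alice FAIL
2019-05-02T09:01:02 198.51.100.9 alice FAIL
2019-05-02T09:01:03 198.51.100.9 alice FAIL
2019-05-02T09:01:04 198.51.100.9 alice FAIL
2019-05-02T09:01:05 198.51.100.9 alice FAIL
2019-05-02T09:02:00 192.0.2.5 carol FAIL
2019-05-02T09:02:10 192.0.2.5 carol SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


def parse_events(lines):
    """Yield (timestamp, source_ip, username, result) tuples; skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted distinct usernames} for every source whose failed
    logins cover at least `min_users` distinct accounts inside some `window`, with
    no single account failed more than `max_per_user` times in that window.

    The per-user cap is what separates spraying (few guesses, many accounts) from
    brute force against one account, which the lockout policy already handles.
    """
    failures = defaultdict(list)
    for ts, ip, user, result in sorted(parse_events(lines)):
        if result == "FAIL":
            failures[ip].append((ts, user))

    hits = {}
    for ip, fails in failures.items():
        for start, (t0, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, user in fails[start:]:
                if ts - t0 > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hits[ip] = sorted(counts)
                break  # one alert per source is enough
    return hits


def successes_after_spray(lines, **kwargs):
    """Return {source_ip: [usernames]} for successful logins from a source already
    flagged as spraying. These are the accounts that actually fell to a common
    password; they should be reset and reviewed before anything else."""
    sprayers = detect_spray(lines, **kwargs)
    compromised = defaultdict(list)
    for ts, ip, user, result in sorted(parse_events(lines)):
        if result == "SUCCESS" and ip in sprayers and user not in compromised[ip]:
            compromised[ip].append(user)
    return dict(compromised)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, users in detect_spray(lines).items():
        print(f"spray from {ip}: {len(users)} accounts tried")
    for ip, users in successes_after_spray(lines).items():
        print(f"  successful login(s) after spray from {ip}: {', '.join(users)}")
```

On the sample above only 203.0.113.7 is flagged, with "dave" reported as the account that was actually opened. The thresholds are the tuning knobs: a source that legitimately serves many users (a VPN concentrator, a NAT gateway) will need a higher `min_users`, and an attacker rotating source addresses will need the same logic keyed on something other than the IP, such as a user-agent or ASN. Neither variant changes the core signal, which is many accounts with few attempts each.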
Since today is World Password Day, it may be a good time for organizations to think about password security (or the lack of it) and how they will protect and recover data if there is a breach.
Here are some steps your organization can take to increase password security and protect data:
- Stop password sharing. A SurveyMonkey report finds that one third of the more than 1,500 adults surveyed share passwords or accounts with coworkers, mostly as a way to collaborate. Such practices leave organizations open to data being stolen or altered, and can leave working access in the hands of employees who have already left the organization. Some solutions include tying each credential to an individual worker's email account rather than a shared login, so access can be revoked when that person leaves; enabling multi-factor authentication wherever possible; and encouraging long passwords over complex ones.
- Implement password management. LogMeIn finds in a survey of 43,000 organizations that the larger the organization, the lower its security score on average. The reason: It’s more difficult for larger companies to hold employees to password security standards, which can open the door to dangerous password behaviors. LogMeIn finds that one year after implementing a password manager, most companies boosted their security score by an average of nearly 15 points.
- Be proactive. Andrew Avanessian, author of “The Endpoint Security Paradox,” says that he recommends “spending less time trying to close the door after the horse has bolted” and instead creating a multi-layered approach to security. For example, he recommends that organizations incorporate solutions like patching, application whitelisting, and privilege management, “which will help limit the pathways for malware to obtain sensitive data.”
- Scrutinize backups. Storing data in multiple locations can risk exposure, but it also helps ensure your data is preserved even after a significant data loss, advises John Grimm of nCipher Security. Encryption, identity management and access control are important steps for backups, he says, because they keep organizations thinking about how data is exposed and what can be done to reduce the threat.
- Test, test, test. Any backup plan needs to be tested routinely and fully documented so that each employee understands his or her role in the event of a cyberattack. Also consider whether the backup test is meeting the organization's objectives. For example, a backup test for a bank needs to ensure data can be recovered for compliance, audit, and legal purposes, while healthcare companies need to focus on security, retention, and legal requirements.
Passwords are an ongoing area of concern not only for security reasons, but also because of the stress they cause users. Organizations that proactively help employees manage their passwords will help decrease worker angst as well as ensure passwords don’t provide an open door to cybercriminals.