LastPass by LogMeIn today released the results of their 3rd Annual Global Password Security Report, a study that offers insights into employee password behaviors as well as emerging trends around identity and access management at businesses worldwide.
Among the key findings from this year’s report is that while more businesses are investing in security measures like multifactor authentication (MFA), employees still have poor password habits that weaken companies’ overall security posture. Given that stolen and reused credentials are linked to 80 percent of hacking-related breaches, businesses must take more action to improve password and access security to make a big impact on risk reduction.
“Securing employee access has never been more important and unfortunately, we see businesses ignore password security altogether, or only half-heartedly attempt to address it,” said Gerald Beuchelt, Chief Information Security Officer at LogMeIn. “This report further highlights the importance of using the identity and access management tools available to information security managers in addition to maintaining focus on employee training to improve password habits.”
Additional key findings from the report include:
- The Password Struggle is Real, Especially for Employees at Small Businesses
Password sharing and reuse remains a common practice in most businesses, with employees reusing one password an average of 13 times. Our data shows that employees at businesses with fewer than 1,000 employees reuse 10-14 passwords compared to four reused passwords among employees at larger organisations. An overwhelming number of passwords leads to poor password hygiene when there’s no technology in place to help. Our data shows employees at larger companies have an average of 25 passwords to manage compared to 85 passwords for those at small business. Due to greater availability of resources and awareness of regulations, larger businesses may be more likely to have Single Sign-On solutions in place that enable employees to access more apps with fewer passwords. However, less than 50 percent of all businesses have a Single Sign-On (SSO) solution that could make it easier for employees to manage passwords.
- Multifactor Authentication Usage is on the Rise, But Small Business Lags
More than half of businesses globally (57 percent) now have employees using multifactor authentication (MFA), up 12 percentage points from last year’s report. As multifactor authentication options continue to improve in usability and support for a wide range of use cases, we continue to see usage increase. Unsurprisingly, employees at larger organisations have the highest usage – 87 percent – which drops nearly in half (to 44 percent) at organisations with approximately 500-1,000 employees, and less than a third (27 percent) at the smallest businesses. Given the competing priorities of IT staff at smaller businesses, it’s understandable that MFA may not be a priority. However, given the number of affordable, user-friendly options available, every business should be able to find an MFA solution that meets their needs.
- Industry Differences: Media/Advertising are Inundated with Passwords
In terms of industry, media/advertising agency employees have the most passwords to manage (97), whereas government employees have the least (54). It’s no surprise that employees in that media and advertising sector also have the highest rate of password reuse – 22 – compared to just nine in the nonprofit and retail sectors. No amount of password reuse is safe, but some sectors have a lot more work to do. When it comes to MFA, industries with the most sensitive customer data, like insurance and legal, are the least likely to have employees using MFA (20 percent usage for each compared to the high of 37 percent in the technology and software industries).
- Password Manager Adoption via Mobile Increases
For the first time, this report looks at how employees use their password manager via the LastPass app on mobile devices. Globally, 23 percent of employees are accessing password vaults on their smartphone, and that number is likely to grow as mobile platform integrations improve. After the iOS 12 launch, for example, employees used LastPass on their mobile device 50 percent more frequently than prior to the launch. Further, user retention is approximately 30 percent higher on average when mobile usage is incorporated into an employee’s onboarding experience. It’s clear that when it’s convenient for employees to access and use password managers from their smartphone or other device of their choice, they’re more likely to use it.
- Increased international regulation spurs action in EMEA and APAC
As global threats rise, and concerns grow about the privacy of personal information, governments and industries are enacting more regulations, directives and guidelines in order to help protect the digital economy. GDPR may contribute to significant growth in adoption of MFA in countries like Denmark (46 percent), the Netherlands (41 percent), Switzerland (38 percent) and Germany (32 percent). The NDB scheme may contribute to Australia’s multifactor authentication usage growing from 6% to 29% in a 12-month period.
For more information and to read the full report, visit https://www.lastpass.com/state-of-the-password/global-password-security-report-2019.
Commenting on this report, Robert Capps, VP at NuData Security, a Mastercard company, said “Passwords alone, or combined with static security questions, have been an ineffective form of authentication for quite some time. Organizations and consumers should be moving forward to adopt additional security layers using multi-factor authentication (MFA), including biometrics, and strong cryptography.
Although these options are stronger than a simple password or knowledge-based question, the stronger versions of MFA being adopted still only verify possession of a device or cryptographic key, but not that the correct user who is using it. To bridge this gap, passive biometric and behavioral analytics are helping major companies worldwide to verify their customers using a combination of layers and triggering one or the other based on the level of risk. By adopting different verification layers, companies are gaining flexibility on how they verify each user and also on how they treat their customers. Adopting strong MFA techniques is a big step forward for security, but companies still need to keep working to know who are they really dealing with behind the screen.”