Mismanaged passwords cost firms millions

Mismanaged privileged passwords are costing firms millions of pounds a year.

Research from information management firm Cyber-Ark and analyst firm IDC said privileged passwords - the non-personal, shared and administrative passwords that exist in virtually every device or software application in an enterprise - are unknowingly losing firms large amounts of cash every year, due to costly outages, labour-intensive work, legal liability and audit deficiencies related to mismanaged passwords.

To simply maintain and update privileged passwords, the report estimated the typical large enterprise spends more than $500,000 (£263,000) each year.

The problems and losses are summarised in a white paper by IDC, sponsored by Cyber-Ark, titled Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise.

The report said privileged passwords, if unchecked, can be “an unmitigated security threat for an organisation”.

The report also found that the manual updating of privileged passwords can cost over $500,000 for US Fortune 2000 companies.

There is also a general lack of strict policies for creating and rotating privileged passwords, policies which could help prevent costly security breaches, said the report.

Also, many passwords are generic in nature and lack the personalisation necessary for tracking and auditing purposes. And most organisations today use the same password for many systems and devices, creating a common security hole that can be exploited by external hackers.

IDC estimates that it takes around $30 (£15.80) in man hours to change the Sys-admin password on a single Microsoft Exchange Server.

“Our research shows that managing privileged passwords is a security conundrum,” said IDC analyst Sally Hudson. “IDC believes that the risk can be significantly mitigated by implementing policies which demand special treatment for privileged passwords,” she said.

“These include the ability to disable an employee's system access promptly upon employee termination; enforcing a company-wide password change on a regular basis; and implementing reliable auditing and reporting systems,” she said.
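The policy points above (no shared secret across systems, regular rotation, prompt disabling on termination, an accountable owner for audit) can be checked against an inventory of privileged accounts. The script below is an added illustration, not code from the IDC report or from Cyber-Ark; the inventory, the terminated-staff list and the 90-day rotation interval are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory of shared/administrative accounts (assumed data,
# not from the report). A vault records a fingerprint of each secret, never the secret.
INVENTORY = [
    {"system": "exchange01", "account": "Administrator", "owner": "alice",
     "enabled": True, "last_changed": date(2008, 1, 10), "fingerprint": "a1"},
    {"system": "sql01", "account": "sa", "owner": "bob",
     "enabled": True, "last_changed": date(2008, 5, 2), "fingerprint": "a1"},
    {"system": "core-router", "account": "enable", "owner": None,
     "enabled": True, "last_changed": date(2008, 5, 20), "fingerprint": "b2"},
    {"system": "backup01", "account": "root", "owner": "carol",
     "enabled": True, "last_changed": date(2008, 6, 1), "fingerprint": "c3"},
]
TERMINATED = {"bob"}          # constructed HR feed of departed staff
MAX_AGE = timedelta(days=90)  # assumed rotation policy


def audit(inventory, terminated, today, max_age=MAX_AGE):
    """Return (code, system, account) findings, one per policy violation."""
    findings = []
    by_fingerprint = {}
    for acct in inventory:
        by_fingerprint.setdefault(acct["fingerprint"], []).append(acct)
    for acct in inventory:
        key = (acct["system"], acct["account"])
        # Same secret on several systems: one disclosure exposes all of them.
        if len(by_fingerprint[acct["fingerprint"]]) > 1:
            findings.append(("REUSED",) + key)
        # Secret older than the rotation interval.
        if today - acct["last_changed"] > max_age:
            findings.append(("STALE",) + key)
        # Owner has left the company but the account was never disabled.
        if acct["enabled"] and acct["owner"] in terminated:
            findings.append(("ORPHANED",) + key)
        # Generic account with no accountable owner cannot be traced to a person.
        if acct["owner"] is None:
            findings.append(("UNOWNED",) + key)
    return findings


def run_sample():
    """Audit the constructed inventory as of a fixed date."""
    return audit(INVENTORY, TERMINATED, date(2008, 6, 15))


if __name__ == "__main__":
    for code, system, account in run_sample():
        print(f"{code:9} {system}/{account}")
```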

A copy of the report can be accessed at:
