Eight months after the enforcement of the EU’s General Data Protection Regulation (GDPR), data protection practices in many organisations are still poor, research shows.
More than two-thirds of employees (69%) share passwords with colleagues, according to Yubico’s 2019 State of password and authentication security behaviours report, conducted by the Ponemon Institute and published to coincide with International Privacy/Data Protection Day.
The report – based on a survey of more than 1,760 IT and IT security practitioners in the UK, US, Germany and France – also reveals that 51% of employees reuse an average of five passwords across their business and personal accounts.
The research found that data protection practices continue to be poor, even though 63% of respondents said they are more concerned now about the privacy and security of personal data than two years ago.
Two-factor authentication (2FA) is still not widely used, for example: 55% of respondents do not use it at work and 67% do not use it for personal accounts. This is despite the fact that 44% of respondents have experienced a phishing attack at work and 51% in their personal lives, where bad actors have attempted to steal their account credentials.
The survey shows that people are not learning from experience, with 57% of those who had experienced a phishing attack admitting that they had not changed their password behaviour afterwards.
“For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorised access. However, this multi-country research illustrates the difficulties associated with proper password hygiene,” said Stina Ehrensvard, CEO and founder of authentication firm Yubico.
“With every new password breach that we see, it’s become increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally,” she said.
In addition to exposing the organisations they work for to the risk of cyber attacks, the report said the poor security practices of employees are incurring additional unnecessary costs. Respondents report spending an average of 12.6 minutes each week, or 10.9 hours a year, entering or resetting passwords. Based on the average company size of almost 15,000 employees in the research, the report said the estimated cost of lost productivity per organisation averages $5.2m a year.
The cost of passwords
Yubico is a member of the Fido Alliance, a consortium of tech industry partners that are working together to establish standards for strong authentication and eliminate the world’s dependence on password-based security.
According to Fido, the cost of passwords underlies the need for organisations to switch to an alternative method of authentication that will de-risk the process and cut costs.
“Passwords are a huge risk to businesses. The vast majority of breaches are caused by weak and shared credentials, which opens up a huge attack surface for businesses,” according to Andrew Shikiar, chief marketing officer for Fido.
“Passwords also cause friction, with 50% of shopping cart abandonment due to password issues and a large proportion of costly IT support calls within enterprises related to passwords,” he told Computer Weekly.
Sandor Palfy, chief technology officer of identity and access management at remote access provider LogMeIn, said passwords have always played an integral role in data security, and most companies rely on them as their go-to method for authentication.
“But with the average person having over 200 passwords to memorise, many find it too complicated to remember unique credentials for each platform. One employee motivated by convenience and productivity using the same weak password across business and personal platforms is all it takes for a data hack to occur,” he said.
According to Palfy, business leaders should take Data Protection Day as an opportunity to educate employees on the importance of healthy password practices.
“Using a password manager to generate and remember a random string of characters and numbers is a vital step in strengthening account security. As those on the front line, staff should also be given guidance on responding quickly to data hacks. If a business can build a strong defence mechanism combined with trained staff, it will stand a better chance of remaining secure and cyber ready,” he said.