LogRhythm has released its findings on password security from its recent Workplace Security Australia report, and they show that Australians in general are pretty lax about passwords: their strength, their uniqueness and how regularly they are changed.
The first item of interest is the variety of devices used at work:
- 86% of workers in large companies use some sort of technology device for work purposes
- 62% have their own PC or laptop for their sole use (46% PC, 24% laptop), rising to 71% among full-time workers.
- 23% use a shared PC or laptop (19% shared PC, 7% shared laptop), rising to 29% among part-time workers.
- 17% use a work provided smartphone.
- 24% use their own smartphone for work purposes.
- 13% have a tablet (31% of managers have a tablet).
- 4% BYOD (Bring Your Own Device)
Over half (54%) are accessing private emails on their work device, and half (52%) are using it for their private internet banking. What workers access from their work device:
- 91% Work emails
- 88% The internet
- 84% Work files and documents
- 75% Work databases
- 58% Work customer/client records
- 54% Private emails
- 52% Private internet banking
- 35% Work online/cloud services
Passwords – credentials – are the key to the IP kingdom. Even the passwords of users with low clearance can be used to move from device to device, escalate privileges and gradually reach the servers.
Virtually all companies with more than 20 employees require passwords to access user accounts, but some do not require passwords for individual programmes or for accessing sensitive data once a user is logged in.
- 19% are able to gain entry to all work services and documents via a single password
- The average is 3.2 passwords; 37% use five or more passwords
18% say that they frequently or always use the same password for work and personal accounts (30% of Generation Y say this, compared to 8% of Baby Boomers):
- 4% Always (Generation Y 6%, Baby Boomers 2%)
- 14% Frequently (Generation Y 24%, Baby Boomers 6%)
- 20% Occasionally
- 12% Once in a while
- 49% Never (45% males, 54% Females) (Generation Y 29%, Baby Boomers 67%)
So the complexity and uniqueness of passwords, and how often they are changed, are important:
- 72% say they take reasonable care and change passwords every six months
- 59% say they change annually
- 6% never change
- 18% take the trouble to set a unique password for each service
- 19% use same one for everything
- 21% create variations on a core word
And because Aussies seem to have trouble remembering passwords, 22% store them in insecure ways:
- In a file saved on the computer
- On a smartphone
- On a piece of paper in their top drawer
- On a sticky note attached to the screen or keyboard (estimated 173,000 Australian workers do this)
In fact, a hacker can almost guarantee to find passwords simply by walking through an office – or, as reported by iTWire, by buying them from staff selling their access credentials.
Simon Howe, LogRhythm’s ANZ Sales Director, said: “It is clear from the results that employees are unwittingly placing their organisations at greater risk of data breaches and other incidents. User accounts and passwords are being harvested on the black market to fuel cyber-attacks. Businesses need to actively monitor employee access to devices, applications and systems, and to set policies that encourage them to keep security front of mind.”
I spoke to Simon at length and we essentially agreed that user education was the key to better password hygiene, but there is ample material of that kind being published by news organisations like iTWire. It is almost as if Australians’ “She’ll be right, mate” attitude applies.
Simon lamented the lack of tight password policy in many organisations, because such a policy will upset the users and increase the workload on system administrators. He mentioned that there are several good password management tools and administration tools to ensure secure passwords.
We agreed that it was time for two-factor authentication – prove who you are, then use a password unique to you. Microsoft and Intel have collaborated to produce Windows Hello, which uses Intel’s 3D RealSense camera – but widespread adoption is some time away.
I asked about the ‘if, not when’ scenario for hackers attacking businesses of all sizes. Obviously LogRhythm has a feel for this, as it is not an AV/malware vendor but a way to identify threats fast (mean time to identify the threat) and react appropriately (mean time to respond).
What he would say is that, according to the Rand Corporation, cyber-crime is now more profitable than the drug trade, and one way to counter this is to have electronic identity protection. “LogRhythm knows more about security and how to manage issues – right out of the box. We know most of the tricks used by cyber criminals,” he said.
It is always a pleasure to speak to Simon precisely because he is not selling antivirus software and the sky is not constantly falling. You can read more about the company in this iTWire article and at its website.