Published on the 25/02/2020 | Written by Heather Wright
IT security pros aren’t always following their own recommendations…
Knowing and doing are two very different things – and that’s something highlighted in a new report which shows IT security professionals aren’t always following their own recommendations.
In fact, the Ponemon Institute 2020 State of Password and Authentication Security Behaviours Report, commissioned by authentication vendor Yubico, shows cybersecurity professionals aren’t that much better at adhering to strong authentication and password management than the average user.
“55 percent would prefer a method of protecting accounts that doesn’t involve passwords.”
The report surveyed 2,507 IT security practitioners (including 336 in Australia) and 563 individuals, globally, and found cybersecurity professionals and the individual users whose IT they manage are all engaging in risky practices, including reusing and sharing passwords in the workplace.
Indeed, individuals reported better security practices in some cases than the IT professionals. Out of the 35 percent of individuals who reported they’d been the victim of an account takeover, 76 percent had changed how they managed their passwords or protected accounts. Of the 20 percent of IT security professionals who had been a victim of an account takeover, just 65 percent had made changes.
When it comes to reusing passwords, both parties have reused passwords on an average of 10 of their personal accounts, but just 39 percent of individual users reused passwords across workplace accounts. And the IT professionals? A whopping 50 percent coughed up to reusing passwords across the workplace accounts.
But the report also highlights some of the reasoning behind that, showing individuals have an average of 22 workplace accounts (and reuse passwords on an average of 16 of those accounts) while IT security respondents had an average of 16 accounts and reused passwords on an average of 12 of those accounts.
“IT professional or not, people do not want to be burdened with security – it has to be usable, simple, and work instantly,” says Stina Ehrensvärd, Yubico CEO and co-founder.
Clearly, that’s not the case: the report suggests poor usability and inconvenience are hampering uptake of good security practices, and that there is a misalignment between expectation and reality when it comes to the implementation of usable and desirable security.
Sharing of passwords was also common, with 51 percent of individuals and 49 percent of IT professionals ‘fessing up to ‘sometimes or frequently’ sharing passwords with colleagues.
Two-factor authentication, too, isn’t winning fans, with 55 percent of IT professionals and 65 percent of individual users saying they didn’t use any two-factor or multifactor authentication methods when logging into work apps on their mobile devices. (When they did, mobile authentication apps and SMS codes sent to a phone were the favoured methods for IT professionals.) Australia and Sweden ranked lowest of the six countries when it came to using 2FA to gain access to business accounts, at just 43 percent.
The apparently lax attitude to security comes despite 51 percent of IT security respondents saying their company had experienced a phishing attack, with 12 percent saying they had experienced credential theft and eight percent reporting a man-in-the-middle attack.
It comes too, as both groups report increasing concern about privacy and security of personal data. Thirty-seven percent of IT security respondents said they were ‘highly alarmed’ – something felt by 25 percent of individual respondents.
“Across the board, passwords are cumbersome, mobile use introduces a new set of security challenges and the security tools that organisations have put in place are not being widely adopted by employees or customers,” Yubico says.
“In fact, 49 percent of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password. However, 56 percent of individuals will only adopt new technologies that are easy to use and significantly improve account security.”
So what’s preferred? According to the report, biometrics, security keys, and password-free login. A majority of IT security respondents and individuals (55 percent) would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (65 percent) and individual users (53 percent) believe the use of biometrics would increase the security of their organisation or accounts. And 56 percent of individuals and 52 percent of IT security professionals believe a hardware token would offer better security.
“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap,” says Ehrensvärd. “With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organisations can do far better than passwords; in fact, users are demanding it.”