Empowering CISOs to strengthen password security


While the number and severity of cyber-attacks increase year by year, companies seem to be failing to apply the lessons learned by tightening their security policies. Weak passwords and careless habits are far too prevalent, and businesses must step up their efforts to mitigate this.

Yet more often than not, organisations are unable to grasp the extent to which they are at risk – even those with password managers. Why? They are in the dark about their policies’ effectiveness. They seem oblivious to their employees’ password conventions. They lack comparative data on how businesses of a similar size, industry or location are performing.

To address these issues, we undertook a study of 43,000 organisations, large and small, across different industries that use the LastPass password manager and analysed the password conventions of their employees. The report sheds light on real workplace password habits while also providing CISOs and other IT professionals with the necessary insights to compare how their organisations are performing against similar businesses and how they can strengthen password security.

Organisations are exposed to an abundance of easily avoidable risks as a result of insecure, generic, old and perhaps compromised credentials. When it comes to password security, our data makes clear that the majority of companies (52 out of 100 on average) are middle performers and could certainly do better, underlining the need for more stringent policies and improved education around cybersecurity. Organisations of all sizes, industries and locations are vulnerable as a result of password risk and it is something that every company could and should work on to improve security.

A problem scaling with size

In a survey of 43,000 organisations, we found that the larger the company, the lower its security score on average. Organisations that use LastPass with 25 employees or fewer demonstrated the highest average security score of 50, but that score drops as the company size increases – up to a point. Organisations with more than 500 employees displayed stagnant scores, sharing similar challenges in improving password hygiene regardless of whether they had 1,000 employees or 10,000. In these larger organisations it is more challenging for IT to hold all employees to password security standards, which increases the opportunities for dangerous password behaviours.

Still, that doesn’t mean larger organisations are beyond help – some of the top performers overall were large businesses, showing that size is merely a factor that IT professionals should account for when implementing security policies. The larger the organisation, the more difficult it is to address certain challenges, from budgets to bureaucratic red tape. Smaller companies still face similar challenges, just on a smaller scale. Despite having fewer resources, it’s simpler to ensure near-perfect passwords and multifactor authentication for all employees when the employee base is smaller.

Password sharing provides the perfect example for a challenge that increases in scale with larger companies. On average, any given employee shares about six passwords with coworkers. Imagine the impact at a company with 100 employees. Now imagine the same for a company with more than 10,000 employees. Password sharing is frustrating for employees and IT administrators alike, with users resorting to using weak-but-memorable passwords that present potential backdoors into the business. As teams become more distributed and technology-dependent, the ability to protect, track and audit shared passwords is more complicated – and more necessary – than ever.


Cyber-security: an issue which knows no boundaries

Technology and not-for-profit organisations achieved the highest security scores, with retail and insurance trailing behind. Given the need to comply with privacy and data laws and the tech-savviness of this industry, it’s no surprise that technology companies lead the way. Even so, other heavily-regulated industries such as banking, health, insurance and government – all frequently targeted by cybersecurity attackers – demonstrated lower security scores, revealing an opportunity for these industries to commit to more effective password security. 

With a reputation for security and the adoption of standards like the General Data Protection Regulation (GDPR), companies in Germany ranked higher than the global average in terms of security score, closely followed by the Netherlands. The United Kingdom falls behind in sixth place, so even though the country has a number of strong top performers, we have a lot of work to do overall. In particular, the UK leads other European countries in multifactor authentication adoption but still ranks far lower than the United States. Ten percent of companies using multifactor authentication are in the UK, while about 63 percent are based in the U.S. It is evident that, despite the growing usage of this technology overall, many countries are still slow to adopt this security measure.

A step in the right direction

Improving overall security is a work in progress, but no matter the size, industry or location, all organisations should take steps toward more efficient password management – and we are already seeing an encouraging number of companies taking action on passwords.

We found that one year after implementing a password manager, most companies increased their security score by an average of nearly 15 points. For businesses looking into implementing a password manager or trying to measure their own password security for board reporting, this report should serve as a helpful benchmark, offering realistic goals and best practices. 

Password security is definitely a tricky hurdle to overcome. Realistically, how can you measure security if you lack detailed insight into the areas where you are most vulnerable? A password manager provides exactly that insight, while also making people more productive and helping to improve brand perception and employee satisfaction, as companies gain the tools to fend off future threats.

Gerald Beuchelt, Chief Information Security Officer at LogMeIn

Gerald Beuchelt is the Chief Information Security Officer at LogMeIn. With over 20 years of information security experience, he is responsible for the company’s overall security, compliance, and technical privacy programme.

His specialities are: management, communications, cyber-security, project leader, enterprise architecture, sales, systems engineering, security, information assurance, government, defense, standards development, cloud security, identity management, privacy, intellectual property, leadership, software development, intelligence, M&A, strategy, health IT, data modeling, criticality analysis, risk management, CISSP, ISSAP, CISM, CDPSE, SOC2, SSAE18, PCI-DSS, ISO27001