Password control left to discretion of employees - 173,000 workers leave their password on a sticky note
SYDNEY—3 September 2015—LogRhythm, the world’s fastest growing security intelligence company, today announced the results of its Australian Workplace Security study which brings to light how the security of Australia’s larger companies is at risk due to poor control over access and their employees’ use of passwords.
While virtually all (96 percent) respondents - workers in companies with more than 20 employees - require a password to use their own work computer, in only 3 percent of cases are passwords automatically changed and generated by company security. From the survey, it appears control over access is left to the discretion of employees.
And as workplace IT environments become more complex, so does the management of that access:
- One in five employees (19 percent) is able to gain entry to all work services and documents via a single password
- The average is 3.2 passwords
- A third of workers (37 percent) use five or more
The majority of respondents (72 percent) take reasonable care, saying they have changed their password within the last six months, and half (59 percent) of workers say they change their passwords at least once a year. There is, however, a small but dangerous number (6 percent) that have never changed their access codes. The longer passwords are kept, the more time cyber criminals have to find and exploit vulnerabilities.
Where different access codes are stipulated by an employer:
- Only 18 percent of workers take the trouble to set a unique password for each service
- 19 percent using the same one for everything
- 21 percent create variations on a core word
Potential danger also comes from one in five workers (22 percent) keeping their passwords in an unsecure place:
- In a file saved on their computer (8 percent) or in their desk drawer (6 percent)
- A note on a smartphone (5 percent)
- Or even on a sticky note on their desk (4 percent - which, when extrapolated, converts to 173,000 workers in Australia’s enterprises)
Simon Howe, LogRhythm’s ANZ Sales Director, said: “It is clear from the results that employees may unwittingly be placing their organisations at greater risk of data breaches and other incidents. User accounts and passwords are being harvested on the black market to fuel cyber attacks. Businesses need to more actively monitor employee access to devices, applications and systems. And to set policies that encourage them to keep security front of mind.”
LogRhythm has the following password security advice for businesses:
- Send regular reminders to employees to change passwords and keep them safe. The longer the password - a combination of 4 or more different words - the better.
- Use a secure password manager app to store passwords (currently only 6 percent of employees do so). A password manager will help create and store complex and dynamic passwords for multiple services.
- Use multifactor authentication whenever possible to protect critical infrastructure such as VPN and email access. However, it’s worth knowing that passwords remain workers’ preferred security option at 54 percent, over combinations of passwords and fingerprints (28 percent) and fingerprint only (18 percent).
- Avoid shared accounts. Create separate accounts for each user of an application so that any actions performed are properly attributed to a specific employee. It also limits the risk of inadvertent password exposure.
With these survey findings, LogRhythm also offers Password Hygiene recommendations for employees to better protect their own personal data and their organisation’s network.
About the Study
The Workplace Security study of 1003 employees from mid-large Australian corporations (20+ employees) was conducted by Galaxy Research as on an online permission-based panel during June 2015.
A representative sample of Australians aged 18-64 years was drawn in proportion to age, gender and location across Australia and eligibility was determined by work status (full-time or part-time) and number of employees at their place of work (20+ employees).
The survey was also conducted in Hong Kong and Singapore.
LogRhythm is a world leader in NextGen SIEM, empowering organizations on six continents to successfully reduce risk by rapidly detecting, responding to, and neutralizing damaging cyberthreats. The LogRhythm NextGen SIEM Platform combines user and entity behavior analytics (UEBA); network detection and response (NDR); and security orchestration, automation, and response (SOAR) in a single end-to-end solution. LogRhythm’s Threat Lifecycle Management (TLM) framework serves as the foundation for the AI-enabled security operations center (SOC), helping customers measurably secure their cloud, physical, and virtual infrastructures for both IT and OT environments. Built for security professionals by security professionals, the LogRhythm NextGen SIEM Platform has won many accolades. For more information, visit logrhythm.com.