Weak passwords put UK firms at risk of losing millions
A new study by OneLogin, the identity management provider bringing speed and integrity to the modern enterprise, reveals that 85 per cent of IT decision makers feel they have adequate password protection measures in place. But in reality, most IT decision makers are failing to enforce even the most basic password requirements, putting their businesses at significant risk of data breach. In fact, less than a third (31 per cent) require employees to rotate passwords monthly, and a further half (52 per cent) admitted to only requesting password rotation once every three months.
The study, which surveyed more than 600 UK-based IT decision-makers with influence over their business’s IT security, highlighted that although many businesses require passwords to be a minimum length, a mix of upper and lower case, and to use numbers, the majority are failing to enforce any further password complexity requirements on employees. Only 37 per cent of those surveyed ask employees to check their passwords against common password lists and 39 per cent don’t even require employees to use special characters.
When it comes to authenticating users for internal and external corporate applications, the results are just as concerning. With less than a third (30 per cent) implementing multi-factor authentication (MFA) as a mandatory authentication requirement for internal applications, and 26 per cent for external applications, organisations are simply relying too heavily on weak password requirements, leaving organisations and valuable corporate data easily accessible to cybercriminals looking for the easiest way into the corporate network.
These security shortcomings can lead to significant costs, since the average cost for a UK company to remediate a data breach is £2.5 million, according to IBM Security’s 2017 Cost of Data Breach study. These costs include unexpected loss of customer business, product discounts, forensic and investigative activities, and legal expenditures. And once GDPR comes into effect in May 2018, penalties related to data breaches will start at €10 million and can go up to as much as €20 million or 4% of their annual turnover, depending on which is higher.
“The traditional password is the stalwart of cybersecurity, but our research has shown just how complacent IT decision makers have become about this vital, powerful, yet understated security measure. Companies need to be more forward-thinking when it comes to identity and access management by enforcing strong passwords and using modern Multi-Factor Authentication.” said Alvaro Hoyos, chief information security officer at OneLogin.
Businesses should consider the following to reduce their risk exposure due to weak passwords:
- Choose applications that support SAML or OpenID Connect for user authentication. Applications are the front door to company data; when an app supports SAML (Security Assertion Markup Language) or OpenID Connect, it lets IT staff ensure all users have strong passwords.
- Use modern multi-factor authentication. It’s not enough to use any MFA technology to send one-time passwords (OTPs) since older MFA technologies like SMS are easily compromised. Modern MFA ensures that OTPs cannot be stolen or re-routed to a hacker-controlled account.
- Strengthen your phishing defences. Most cyberattacks start with phishing emails. Train your employees how to spot these emails, and regularly run phishing assessments to measure their ability to do so.