Giving CISOs the tools to measure and improve password security
Despite the well-publicized growth in cyber-attacks every year, both in number and complexity, organizations are still struggling to implement effective security policies. It’s no secret that weak passwords are a leading security threat and bad password habits are far too common.
Yet organizations are struggling to quantify their own level of password risk, even those that use password managers. Why? They lack proof of their policies’ effectiveness. They’re missing visibility into their employees’ behaviors. And they can’t verify how they compare to others of similar size, industry or location, including competitors.
That is why we undertook an effort to analyze the password habits of employees at 43,000 organizations of all sizes and across industries that use the LastPass password manager. Not only does the report reveal real password behaviors in the workplace, but it offers the first true benchmark that CISOs and other IT professionals can use to see how they rank compared to other similar businesses and how to improve their password security.
Weak, reused, old and potentially compromised credentials open organizations up to innumerable risks that could be easily avoided. Our data shows that most organizations are performing middle of the road (an average of 52 out of 100) for password security, demonstrating the need for more effective policies and training to improve overall security.
Password risk affects companies regardless of size, industry and location – but it’s something all organizations can work on for a more secure workplace.
The larger the company, the larger the risk
In a survey of 43,000 organizations, we found that the larger the company, the lower its security score on average.
Organizations with 25 employees or fewer that use LastPass demonstrated the highest average security score, but that score drops as the company size increases – up to a point. Organizations with more than 500 employees displayed stagnant scores, sharing similar challenges in improving password hygiene regardless of whether they had 1,000 employees or 10,000. At that scale it becomes more challenging for IT to hold every employee to password security standards, which increases the opportunities for dangerous password behaviors.
Still, that doesn’t mean larger organizations are beyond help – some of the top performers overall were large businesses, showing that size is merely a factor that IT professionals should account for when implementing security policies. The larger the organization, the more difficult it is to address certain challenges, from budgets to bureaucratic red tape. Smaller companies still face similar challenges, just on a smaller scale.
Despite having fewer resources, it’s simpler to ensure near-perfect passwords and multifactor authentication for all employees when the employee base is smaller. Further, it’s important to note that any small company that buys password management software is probably sophisticated and tech savvy when it comes to security.
Password sharing provides the perfect example for a challenge that increases in scale with larger companies. On average, any given employee shares about six passwords with coworkers. Imagine the impact at a company with 100 employees.
Now imagine the same for a company with more than 10,000 employees. Password sharing is frustrating for employees and IT administrators alike, with users resorting to using weak-but-memorable passwords that present potential backdoors into the business. As teams become more distributed and technology-dependent, the ability to protect, track and audit shared passwords is more complicated – and more necessary – than ever.
Security challenges span across industries and the globe
Technology and not-for-profit organizations that use LastPass as a password manager achieved the highest security scores, with retail and insurance trailing behind. Given the relative tech-savviness of such organizations, along with their privacy and data law compliance requirements, it’s no surprise that tech companies and nonprofits lead the way.
Even so, other heavily-regulated industries such as banking, health, insurance and government – all frequently targeted by cybersecurity attackers – demonstrated lower security scores, revealing an opportunity for these industries to commit to more effective password security.
With a reputation for security and the adoption of standards like the General Data Protection Regulation (GDPR), companies in Germany ranked higher than the global average in terms of security score, closely followed by the Netherlands. The United States falls behind, so even though the country has a number of strong top performers, we have a lot of work to do overall.
Where the U.S. shines, however, is in the adoption of multifactor authentication. Out of all the companies that enable multifactor authentication, about 65 percent are U.S. based. In comparison, Germany accounts for less than three percent of companies with multifactor authentication enabled. That said, despite the growing usage of multifactor authentication overall, many countries are still slow to adopt this security trend.
Improving overall security is a work in progress, but no matter the size, industry or location, all organizations can take steps toward more efficient password management – and we’re already seeing a positive selection of companies taking action on passwords. We found that one year after implementing a password manager, most companies increased their security score by an average of nearly 15 points.
For organizations looking into implementing a password manager or trying to measure their own password security for board reporting, this report should serve as a helpful benchmark, offering realistic goals and best practices.
As more and more companies implement BYOD policies, opening up networks to unsanctioned devices and apps, CISOs and other IT leaders need to change the way they think about password security.