Less than half of IT pros follow safe password management

Here’s a frightening statistic: 53% of your peers report that they either haven’t changed their social network passwords in over a year or can’t recall ever doing so at all. These numbers come out of the RSA Conference, where security firm Thycotic surveyed nearly 300 IT pros on their password habits.

Better cybersecurity might be a moot point if those touting good habits aren’t practicing what they preach. Of those surveyed, 33% said they haven’t changed their passwords in more than a year, and another 20% reported they’ve never changed their passwords.

A closer look at the data sheds some light on the problems facing all of us when it comes to practicing safer password habits:

  • 30% generate passwords using birthdates, addresses, and names of their children and pets
  • 25% only change their password when the system prompts them to, and
  • 45% believe that at least half of all company-related cyberattacks involve privileged passwords.

While fewer than half of those surveyed believe that privileged account passwords are involved in breaches, that perception is a bit off. According to Thycotic’s research, the reality is that the compromise of privileged passwords is responsible for 63% of all breaches. And of that 63%, Thycotic estimated that 30% involve IT administrators’ passwords and 10% involve the password of someone with high security clearance.

Ten percent may not seem too bad, but you have to consider that accounts with the highest security clearance can do the most damage when compromised. Thycotic estimated that financial losses from breaches stemming from these accounts hit victim companies hardest.

Trail of breadcrumbs right to a company’s backdoors

The fact that these are social network accounts shouldn’t be dismissed either. Often, these accounts can be leveraged to get access to private and personal information that could be used against the company. The other problem is that hackers can move from social networks to the email accounts linked to them. And do you know how many members of your C-suite use personal email to conduct workplace-related business? Those personal email accounts tend to have laxer security protocols than work-supplied ones, and they can lead hackers right through a company’s security measures.

Not to mention, corporate social media accounts are a prime target for hackers, and when they’re hacked the resulting PR fallout can be difficult to contain.

Moreover, if one account is compromised, it may be indicative of a much larger cybersecurity problem. Thycotic said fewer than 20% of IT pros were using password management vaults or tools, and that they rely on system alerts to remind themselves and their users to update their passwords.

Part of the problem: Social media networks don’t prompt their users to change their passwords frequently, if at all, and typically they only require it after a major breach. And, by then, it’s usually too late for high-profile targets whose personal data has been compromised.

If anything, Thycotic’s survey told us that we’re all human and that most of us don’t like cycling through passwords. So what can be done to combat the human condition and improve your business’ cybersecurity?

Apply some pressure to users’ pain points. They don’t want hackers knowing their W-2 and financial information, sure, but what about where they grew up? Or where their kids go to school? Or where they’ll be spending the weekend, or any of the plethora of private chats they’ve had with family and colleagues? Get them to practice the same safe password management techniques you’re applying at your workplace.
