EXPERT OPINION

Strengthening password security in the workplace
Despite weak, stolen or reused passwords being the main cause of breaches, IT executives still lack control over password security in their organisations. With GDPR in force and high-profile breaches now consistently making headline news, how can organisations implement a change in culture to strengthen security? Rachael Stockton, Director of Identity and Access Technologies at LogMeIn, makers of LastPass, tells us more...
How much of a factor is poor password practice when it comes to data breaches?
According to the Verizon Data Breach Investigation Report, 81% of breaches are caused by stolen, re-used or compromised passwords. That is a huge amount. And stealing these passwords can be done in a variety of ways: phishing, guessing, etc. When a breach happens, a bunch of passwords are stolen. With 59% of people reusing those stolen passwords, and because computing power is so cheap right now, hackers can literally just run through all the data and passwords they stole from one site and try them against multiple, more valuable sites (think your banking site). And they're bound to get hits that way.
There's a huge risk with any data breach, whether it's a consumer organisation, such as a retail store or a bank: those passwords could be valid in a work setting. And so, passwords are really that first step in protecting yourself.

www.intelligentciso.com | Issue 09

[Photo caption: Rachael Stockton, Director of Identity and Access Technologies at LogMeIn]
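The credential-stuffing pattern described in that answer (one source replaying a stolen password list against many accounts on a more valuable site), as an added example that is not part of the interview and is not LastPass or LogMeIn code: a small Python detector run over constructed authentication log lines in a made-up format (timestamp, source IP, username, outcome). It flags a source that tries many distinct usernames in a short window with a low success rate, and lists the accounts it did get into, which are the ones whose reused passwords need resetting. The log format, the sample data and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). One source, 203.0.113.7, cycles
# through twelve different usernames in under a minute and gets two of them
# right; 198.51.100.4 is a single user mistyping her own password; 192.0.2.10
# is a normal login. Format: "<ISO timestamp> <source IP> <username> <outcome>".
SAMPLE_LOG = """\
2018-06-01T09:00:00 203.0.113.7 alice FAIL
2018-06-01T09:00:05 203.0.113.7 bob FAIL
2018-06-01T09:00:10 203.0.113.7 carol FAIL
2018-06-01T09:00:15 203.0.113.7 dave SUCCESS
2018-06-01T09:00:20 203.0.113.7 erin FAIL
2018-06-01T09:00:25 203.0.113.7 frank FAIL
2018-06-01T09:00:30 203.0.113.7 grace FAIL
2018-06-01T09:00:35 203.0.113.7 heidi FAIL
2018-06-01T09:00:40 203.0.113.7 ivan SUCCESS
2018-06-01T09:00:45 203.0.113.7 judy FAIL
2018-06-01T09:00:50 203.0.113.7 mallory FAIL
2018-06-01T09:00:55 203.0.113.7 niaj FAIL
2018-06-01T09:01:00 198.51.100.4 carol FAIL
2018-06-01T09:01:30 198.51.100.4 carol FAIL
2018-06-01T09:02:00 198.51.100.4 carol SUCCESS
2018-06-01T09:02:10 192.0.2.10 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_events(log_text):
    """Yield (timestamp, ip, username, outcome) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in an unexpected format rather than crash
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_stuffing(log_text, window=timedelta(minutes=5), min_attempts=10,
                    min_distinct_users=8, max_success_ratio=0.2):
    """Flag source IPs whose login attempts look like credential stuffing.

    Thresholds are assumptions for this example. A source is flagged when, inside
    any sliding time window, it made at least `min_attempts` attempts spread over
    at least `min_distinct_users` usernames with a success ratio at or below
    `max_success_ratio`. Many-users-few-successes is the signature of a replayed
    breach list; a single user retrying their own password never matches it.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(parse_events(log_text)):
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start so the window never exceeds `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {u for _, u, _ in win}
            successes = [u for _, u, o in win if o == "SUCCESS"]
            if len(users) >= min_distinct_users and len(successes) / len(win) <= max_success_ratio:
                # Keep the largest qualifying window so the report covers the full burst.
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "successes": len(successes),
                        # Accounts the attacker actually got into: reset these first.
                        "hit_accounts": sorted(successes),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts over {info['distinct_users']} users, "
              f"{info['successes']} successes; compromised accounts: {info['hit_accounts']}")
```

On the sample data only 203.0.113.7 is reported (12 attempts, 12 usernames, 2 successes), and the two accounts it opened are listed for a forced reset; the user retrying her own password and the ordinary login are left alone. In a real deployment the thresholds need tuning to the site's normal failure rate, and a distributed attack spread across many source IPs will slip under a per-IP rule, so the same counting is usually repeated per target account and per user-agent as well.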
Research shows that people know there are risks with using the same password and yet they still do it. Why do you think that is?
In a survey we conducted earlier this year, 15% of people said that they would rather do household chores than change their passwords. I think there are a few elements to this attitude. There's the 'it's not going to happen to me, I'm not important enough' way of thinking. Millennials, in particular, tend to think 'what are they going to steal from me?'. And then I think the other element is that, even when people find out that something like an app has been breached, only 50% of people take the action to change their password.
So, I think the reason is that 'this isn't going to happen to me' justification, and at the same time there's also an 'it's going to happen, they probably have my stuff already' attitude. And I think that's sad; there's a resignation there. I think in a way that goes back to the question: 'is there an acceptance that passwords are going to be stolen, that breaches are going to happen?' And if so, is that really OK? I don't think it is. We have to make it easier for people to manage their passwords rather than using the same one and just changing that last number.
Because we know people are using the same simple passwords all over; they're