Member Article

Password and authentication security lacking in the UK

A new research report from Yubico and The Ponemon Institute recently sought to better understand the differences in security practices and preferences between IT security practitioners and individuals. To do so, 2,507 IT and IT security practitioners were surveyed in Australia, France, Germany, Sweden, United Kingdom, and United States, as well as 563 individual users.

Cyber threats and attacks on individual users and organisations have not diminished. Phishing scams, stolen credentials, and account takeovers continue to rise, making it imperative for businesses to have policies and practices in place to reduce the risks created by poor password and authentication behaviours. What is perhaps more important is that the security policies and practices being deployed by businesses align with the preferences and behaviours of employees and customers. Without user adoption, businesses will remain vulnerable to cyber threats.

The conclusion from this year’s report is that UK IT security practitioners and individuals are both engaging in risky password and authentication practices. What’s more, the tools and processes that organisations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.

Among its findings, the report suggests that UK individuals report better security practices in some instances compared to IT professionals. Out of the 35% of individuals who report that they have been victim of an account takeover, a whopping 76% changed how they managed their passwords or protected their accounts. Of the 22% of UK IT security respondents who have been a victim of an account takeover, 63% changed how they managed their passwords or protected their accounts. Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (45%).

54 percent of British IT security respondents say their organisations have experienced a phishing attack, with another 9% of respondents stating that their organisations experienced credential theft, and 7% say it was a man-in-the-middle attack. Yet, only 56% of IT security respondents say their organisations have changed how passwords or protected corporate accounts were managed.

Perhaps alarmingly, 45% of IT security respondents say their organisations don’t take necessary steps to protect information on mobile phones. Fifty-one percent of individuals use their personal mobile device to access work related items, and of these, 56% don’t use 2FA. 67 percent of IT security respondents reported that their organisation relies on human memory to manage passwords, while 43% say sticky notes are used. Only 34% of IT security respondents say that their organisation uses a password manager, which are effective tools to securely create, manage, and store passwords.

Meanwhile, IT security respondents say they are most concerned about protecting customer information and personally identifiable information (PII). However, 62% of IT security respondents say customer accounts have been subject to an account takeover. Despite this, 23% of IT security respondents say their organisations have no plans to adopt 2FA for customers.

Most IT security respondents and individuals would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security (60%) and individual users (53%) believe the use of biometrics would increase the security of their organisation or accounts. And lastly, 56% of individuals and 47% of IT security professionals believe a hardware token would offer better security.

“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvard, CEO and Co-Founder, Yubico. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organisations can do far better than passwords; in fact, users are demanding it.”

This was posted in Bdaily's Members' News section by D Baker .