It’s a growing cybersecurity problem that consumers and businesses simply can’t seem to clean up. It’s password hygiene, and it’s a big challenge according to new research from PC Matic.
“While this may seem like a minor detail, password hygiene is becoming a growing threat in the cybersphere and is leading to many of the breaches we’re seeing today,” says PC Matic CEO and founder, Rob Cheng.
The research provides surprising insights into how frequently passwords are changed, how often the same credentials are used in different settings, and how passwords are stored. And there are implications for businesses and payments providers too.
Many of us have seen malicious emails that include attachments riddled with various forms of malware, including ransomware, or links that prompt victims to divulge personal or banking information. Cybercriminals are getting very good at phishing.
69% of the 5,000 US residents surveyed said they have seen phishing emails. But a surprising 16% were unaware of or not familiar with these annoying and dangerous practices. The most alarming fact is that one in four of these 16% work in information technology and security!
Impact of cybercrime on business
According to the Ninth Annual Cost of Cybercrime Study released by Accenture and the Ponemon Institute, the average cost of cybercrime for an organization has increased $1.4 million over the past year, to $13.0 million, and the average number of security breaches in the last year rose by 11% from 130 to 145.
The Internet Society estimates the annual cost of cybercrime at more than $45 billion globally. It also says there were more than 2 million cyber incidents in 2018, a figure that may be seriously underreported.
Two-factor authentication a factor
PC Matic found that 14% of people were not aware of or familiar with two-factor authentication as a way to secure their personal or private information. Of even more concern, 20% of individuals are aware of two-factor authentication but consciously choose not to use it or opt out of it.
What’s a poor cybersecurity manager supposed to do with that?
Of those using two-factor authentication, 15% used it at work, 23% at home, and 26% at both home and work. There’s lots of room for improvement here.
When it comes to virtual private networks (VPNs), 10% of security employees reported no knowledge of what a VPN is or how it works, while 20% of respondents overall were not aware of VPNs. 45% said their employers did not require the use of this additional security measure.
Password problems proliferate
Not surprisingly, 50% of those surveyed said they do not change their password ever unless forced to do so. The problem becomes even more serious after a data breach or other security compromise or when businesses do not mandate or require a frequent password change.
55% said they remember their password in their head, which means users are likely using the same password for multiple accounts. The practice gets harder as some businesses require frequent password changes or higher levels of password complexity.
Other ways of remembering passwords included writing them down (26%), while only 19% used a password manager. 45% of those over 60 write down and store their password in a convenient place (Hey, mom and dad!). Probably a reason for the always-popular sticky notes!
Bad news for business
If employees use common passwords at home and work, the risk of a business security compromise is higher, especially as 50% will change their password only if forced to do so.
Over 55% of businesses required employees to change passwords less than twice a year and 20% of government employees said they had never changed their password.
Another rising concern for business is that nearly half of employees access their personal email from work, exposing businesses to further cybersecurity risks from malware and ransomware.
Cleaning up business passwords
PC Matic offered several practical tips for better business password hygiene including:
- employee password updates every six weeks
- enable two-factor authentication
- require predetermined password strength
- utilize a password vault
- require employees to connect through a VPN when doing work-related tasks
- use filters to protect online activity
- regularly conduct employee cybersecurity training.
With today’s much-improved tools and technology, there’s no excuse for consumers and businesses not to clean up their dirty password problems.
You can read more of PC Matic’s 2019 Password Hygiene and Habits Report insights here.
Visuals courtesy of PC Matic