Most IT decision makers (85 per cent) feel they have adequate password protection measures in place. In reality, most are failing to enforce even the most basic password requirements, putting their businesses at significant risk of a data breach, according to a new study by OneLogin, an identity management product company. Less than a third (31 per cent) require employees to rotate passwords monthly, and a further half (52 per cent) admitted to requesting password rotation only once every three months.
The study, which surveyed more than 600 UK-based IT decision makers with influence over their business’s IT security, suggested that although many businesses require passwords to be of a minimum length, to mix upper and lower case, and to include numbers, the majority fail to enforce any further complexity requirements on employees. Only 37 per cent of those surveyed check employees’ passwords against lists of commonly used passwords, and 39 per cent do not even require special characters.
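As an added illustration, not code from the OneLogin study, the following Python evaluator applies the requirements the survey lists (minimum length, mixed case, digits, special characters, a common-password check and a rotation interval); the common-password set, the length threshold and the dates are constructed samples.

```python
import re
import string
from datetime import date, timedelta

# Constructed sample of a common-password list. A real deployment would load a
# published breach-derived wordlist rather than this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}


def evaluate_password(password, min_length=12, common=COMMON_PASSWORDS):
    """Return a mapping of policy-check name -> True/False for one candidate password.

    min_length=12 is an assumed threshold; the survey reports that length is
    required but not which value organisations choose.
    """
    lowered = password.lower()
    # Strip a trailing run of digits/punctuation so that "Password1!" is still
    # recognised as the common base word "password".
    base = re.sub(r"[\d\W_]+$", "", lowered)
    return {
        "min_length": len(password) >= min_length,
        "mixed_case": any(c.islower() for c in password) and any(c.isupper() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_special": any(c in string.punctuation for c in password),
        "not_common": lowered not in common and base not in common,
    }


def meets_policy(password, **kwargs):
    """True only when every check passes."""
    return all(evaluate_password(password, **kwargs).values())


def failed_checks(password, **kwargs):
    """Sorted names of the checks a password fails, for feedback to the user."""
    return sorted(name for name, ok in evaluate_password(password, **kwargs).items() if not ok)


def rotation_overdue(last_changed, today, max_age_days=30):
    """True when a credential is older than the rotation interval (30 days ~ monthly)."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("Password1!", "tr0ub4dor&3", "Correct-Horse-Battery-9"):
        print(candidate, "->", failed_checks(candidate) or "ok")
    # Constructed dates: a credential last changed 44 days ago fails a monthly
    # policy but passes a quarterly one.
    print(rotation_overdue(date(2017, 9, 1), date(2017, 10, 15)))
    print(rotation_overdue(date(2017, 9, 1), date(2017, 10, 15), max_age_days=90))
```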
As for authenticating users to internal and external corporate applications, less than a third (30 per cent) make multi-factor authentication (MFA) mandatory for internal applications, and only 26 per cent do so for external applications. Organisations are therefore relying too heavily on weak password requirements, the firm says, leaving them and their valuable corporate data easily accessible to cybercriminals looking for the easiest way into the corporate network.
IT security shortcomings can lead to significant costs: the average cost for a UK company to remediate a data breach is £2.5m, according to IBM Security’s 2017 Cost of Data Breach study. These costs include unexpected loss of customer business, product discounts, forensic and investigative activities, and legal expenditure. And once the GDPR (the EU-wide General Data Protection Regulation) comes into effect in May 2018, penalties related to data breaches will start at ten million euros and can rise to as much as 20m euros or 4 per cent of annual turnover, whichever is higher.
Alvaro Hoyos, chief information security officer at OneLogin, said: “The traditional password is the stalwart of cybersecurity, but our research has shown just how complacent IT decision makers have become about this vital, powerful, yet understated security measure. Companies need to be more forward-thinking when it comes to identity and access management by enforcing strong passwords and using modern Multi-Factor Authentication.”