Survey finds IT security professionals still engage in risky password and authentication behaviours

Cyber threats and attacks on individual users and organisations, such as phishing scams, stolen credentials, and account takeovers, continue to rise, making it imperative for businesses to have policies and practices in place that reduce the risks created by poor password and authentication behaviours. But do tech professionals follow their own recommendations? A new research report from Yubico and The Ponemon Institute recently sought to better understand the differences in security practices and preferences between IT security practitioners and other individuals – and it seems tech professionals are often as lax as ordinary users.

The study surveyed 2,507 IT and IT security practitioners in Australia, France, Germany, Sweden, the United Kingdom, and the United States, as well as 563 individual users.

Surprisingly, IT security professionals – whom we would expect to take the utmost precaution when it comes to security – did not exercise more care than the individual users represented in this study. In fact, both groups engage in risky practices, including reusing and sharing passwords in the workplace and accessing workplace apps from their personal mobile devices without using two-factor authentication (2FA). Looking at the UK specifically, the tools and processes that British organisations put in place are not widely adopted by employees or customers, making it abundantly clear that new technologies are needed for enterprises and individuals to reach a safer future together.

Among its findings, the research found that UK individuals report better security practices in some instances than IT professionals do. Of the 35 percent of individuals who report having been the victim of an account takeover, a whopping 76 percent changed how they managed their passwords or protected their accounts. Of the 22 percent of UK IT security respondents who have been the victim of an account takeover, two thirds changed how they managed their passwords or protected their accounts. Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39 percent) are less likely to reuse passwords across workplace accounts than IT professionals (45 percent).

In an illustration of the rise in cybercrime affecting individuals and organisations worldwide, 54 percent of UK IT security respondents say their organisations have experienced a phishing attack, another 9 percent state that their organisation experienced credential theft, and 7 percent say it was a man-in-the-middle attack. In spite of this, only 56 percent of IT security respondents say their organisations have changed how passwords are managed or how corporate accounts are protected – pointing to a serious discrepancy in protection.

67 percent of UK IT security respondents reported that their organisation relies on human memory to manage passwords, while 43 percent say sticky notes are used. Only 34 percent say that their organisation uses a password manager, even though password managers are effective tools for securely creating, managing, and storing passwords. In fact, most IT security respondents and individuals would prefer a method of protecting accounts that doesn’t involve passwords. Both IT security respondents (60 percent) and individual users (53 percent) believe the use of biometrics would increase the security of their organisation or accounts. And lastly, 56 percent of individuals and just under half of IT security professionals believe a hardware token would offer better security.

“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” said Stina Ehrensvard, CEO and Co-Founder, Yubico, a provider of hardware authentication security keys.

“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organisations can do far better than passwords; in fact, users are demanding it.”