LastPass by LogMeIn has issued the results of its third annual Global Password Security Report: a study that offers insights into employee password behaviours as well as emerging trends around identity and access management at businesses worldwide.
Among the key findings from this year’s report is that, while more businesses are investing in security measures like multi-factor authentication, employees still have poor password habits that weaken companies’ overall security posture. Given that stolen and re-used credentials are linked to 80% of hacking-related breaches, businesses must take more action to improve password and access security if they’re to make a big impact on risk reduction.
“Securing employee access has never been more important but, unfortunately, we see businesses ignore password security altogether or otherwise only half-heartedly attempt to address it,” said Gerald Beuchelt, CISO at LogMeIn. “This report further highlights the importance of using the identity and access management tools available to information security managers in addition to maintaining focus on employee training to improve password habits.”
Password struggle is real
Password sharing and re-use remain common practices in most businesses, with employees re-using one password an average of 13 times. LastPass by LogMeIn’s data shows that employees at businesses with fewer than 1,000 employees re-use 10-14 passwords compared to four re-used passwords among employees at larger organisations.
An overwhelming number of passwords leads to poor password hygiene when there’s no technology in place to help. The data shows employees at larger companies have an average of 25 passwords to manage compared to 85 passwords for those at smaller organisations.
Due to greater availability of resources and awareness of regulations, larger businesses may be more likely to have single sign-on (SSO) solutions in place that enable employees to access more apps with fewer passwords. However, fewer than 50% of all businesses have an SSO solution that could make it easier for employees to manage passwords.
Multi-factor authentication use on the rise
More than half of businesses globally (57% of those surveyed, in fact) now have employees using multi-factor authentication. That’s up 12 percentage points from last year’s report. As multi-factor authentication options continue to improve in usability and support for a wide range of use cases, so usage increases.
Unsurprisingly, employees at larger organisations have the highest usage – 87% – which drops by nearly half (to 44%) at organisations with approximately 500-1,000 employees and to less than a third (27%) at the smallest businesses surveyed.
Given the competing priorities of IT staff at smaller businesses, it’s understandable that multi-factor authentication may not be a priority. However, given the number of affordable and user-friendly options available, every business should be able to find a multi-factor authentication solution that meets their needs.
Differences between industry sectors
In terms of industry, media/advertising agency employees have the most passwords to manage (97), whereas Government employees have the fewest (54). It’s no surprise that employees in the media and advertising sector also have the highest rate of password re-use – 22 – compared to just nine in the non-profit and retail sectors.
No amount of password re-use is safe, but some sectors have a lot more work to do. When it comes to multi-factor authentication, industries with the most sensitive customer data, like insurance and legal, are the least likely to have employees using it (20% usage for each compared to the high of 37% in the technology and software industries).
Password manager adoption via mobile
For the first time, this report looks at how employees use their password manager via the LastPass app on mobile devices. Globally, 23% of employees are accessing password vaults on their smart phone. That number is likely to grow as mobile platform integrations improve.
After the iOS 12 launch, for example, employees used LastPass on their mobile device 50% more frequently than prior to the launch.
Further, user retention is approximately 30% higher on average when mobile usage is incorporated into an employee’s on-boarding experience.
It’s clear that, when it’s convenient for employees to access and use password managers from their smart phone or other device of their choice, they’re more likely to do so.
Increased international regulation
As global threats rise, and concerns grow about the privacy of personal information, Governments and industries alike are enacting more regulations, directives and guidelines in order to help protect the digital economy.
The EU’s General Data Protection Regulation may contribute to significant growth in the adoption of multi-factor authentication in countries like Denmark (46%), the Netherlands (41%), Switzerland (38%) and Germany (32%).
*For more information and to read the report in full visit https://www.lastpass.com/state-of-the-password/global-password-security-report-2019