SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Password habits still key obstacle to business’ security - LogMeIn
Thu, 10th Oct 2019

LastPass by LogMeIn has released the results of its third annual global password security report, a study that offers insights into employee password behaviours and emerging trends around identity and access management.

The report, of more than 47,000 organisations using LastPass, found that while more businesses are investing in security measures like multi-factor authentication (MFA), employees still have poor password habits that impact their companies' overall security posture.

Number of passwords keeps growing

Over the years there's been an alarming increase in the number of passwords the average person must remember.

The report found that employees in small businesses (1-25 employees) have an average of 85 passwords, while larger companies (1,001-10,000 employees) have an average 25 passwords.

The average Australian employee has 66 passwords.

Very few of these passwords are completely unique, and globally, Australia ranked equal second highest for the average number of passwords reused per person (14).

Due to greater availability of resources and awareness of regulations, larger businesses may be more likely to have Single Sign-On (SSO) solutions in place that enable employees to access more apps with fewer passwords.

However, less than 50% of all businesses have an SSO solution that could make it easier for employees to manage passwords.

The study found that more businesses are actively investing in security measures like multifactor authentication (MFA).

Globally, MFA use among the businesses surveyed grew from 12% to 57% in 2019.

Australian adoption of the technology has also increased significantly among LastPass users, from 6% to 29% in the past 12 months.

Given that compromised or stolen credentials underpinned most cyber incidents that led to data breaches in the first year of the Notifiable Data Breaches (NDB) scheme, the shift towards MFA shows that measures to reduce the risk of stolen credentials are being implemented.

LogMeIn APAC vice president Lindsay Brown says, “Australian businesses are starting to take greater control of their password security – a likely result of regulatory changes across the industry.

“Unfortunately, MFA use alone cannot protect an organisation and overall security hygiene must be elevated if we're to see better results in the next Notifiable Data Breach Report.”

Additional key findings from the Global Password Security Report show:

MFA usage is on the rise, but small to medium-sized business lags

As MFA options continue to improve in usability and support for a wide range of use cases, usage continues to increase.

Unsurprisingly, employees at larger organisations have the highest usage (87%), which drops by nearly half (to 44%) at organisations with approximately 500-1,000 employees, and to less than a third (27%) at the smallest businesses.

Given the competing priorities of IT staff at smaller businesses, it's understandable that MFA may not be a priority.

However, given the number of affordable, user-friendly options available, every business should be able to find an MFA solution that meets their needs.

Industry differences: media/advertising is inundated with passwords, and health needs greater MFA uptake

In terms of industry, media/advertising agency employees have the most passwords to manage (97), whereas government employees have the least (54).

It's no surprise that employees in the media and advertising sector also have the highest rate of password reuse (22 reused passwords per person) compared to just nine in the non-profit and retail sectors.

No amount of password reuse is safe, but some sectors have a lot more work to do.
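The reuse figures above (14 per person in Australia, 22 in media and advertising) are only visible if someone actually measures them. The following script is an added example, not code from the article or from LastPass: it reads a vault export in an assumed three-column CSV layout (url, username, password; real vault exports vary) and reports which entries share a secret, listing a truncated hash of each reused password rather than the plaintext so the report itself does not become a credential dump. The embedded export is a constructed sample, not real data.

```python
"""Audit a password-vault export for reused passwords.

Added example, not LastPass code. The CSV layout (url, username,
password) is an assumption; real vault exports differ. Passwords are
grouped by a truncated SHA-256 so the printed report never contains
plaintext, even though the export itself obviously does.
"""
import csv
import hashlib
import io
import sys
from collections import defaultdict

# Constructed sample export (not real credentials).
SAMPLE_EXPORT = """url,username,password
https://mail.example.com,alice,Winter2019!
https://crm.example.com,alice,Winter2019!
https://hr.example.com,alice,Winter2019!
https://bank.example.com,alice,k9$Lq2#vP8mZ
https://wiki.example.com,alice,Winter2019!
https://git.example.com,alice,k9$Lq2#vP8mZ
https://shop.example.com,alice,unique-phrase-17
"""


def fingerprint(password: str) -> str:
    """Short, non-reversible label for a password so duplicates can be grouped in a report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit(export_text: str) -> dict:
    """Group vault entries by password and summarise reuse.

    Returns total entries, number of distinct passwords, how many
    entries share their password with at least one other entry (the
    report's "passwords reused" notion), and the reused groups sorted
    by how widely each secret is shared.
    """
    groups = defaultdict(list)
    total = 0
    for row in csv.DictReader(io.StringIO(export_text)):
        total += 1
        groups[fingerprint(row["password"])].append(row["url"])
    reused = {fp: urls for fp, urls in groups.items() if len(urls) > 1}
    return {
        "total": total,
        "unique": len(groups),
        "reused_entries": sum(len(urls) for urls in reused.values()),
        "groups": sorted(reused.items(), key=lambda kv: len(kv[1]), reverse=True),
    }


def main(argv: list) -> None:
    # Read the export from a file path if given, otherwise use the built-in sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_EXPORT
    result = audit(text)
    print(f"{result['total']} entries, {result['unique']} distinct passwords, "
          f"{result['reused_entries']} entries share a password with another entry")
    for fp, urls in result["groups"]:
        print(f"  password {fp}… used on {len(urls)} sites:")
        for url in urls:
            print(f"    {url}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample the script reports 7 entries, 3 distinct passwords and 6 entries sharing a password; the bank and git accounts sharing one secret is exactly the case that turns a single phished login into an incident. Treat the plaintext export as sensitive: generate it on an encrypted workstation and delete it once the audit has run.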

When it comes to MFA, industries with the most sensitive customer data, like insurance and legal, are the least likely to have employees using MFA (20% usage for each compared to the high of 37% in the technology and software industries).

Given the Australian health sector recorded the highest volume of data breaches as published in the NDB 12-Month Insights Report, it's not wholly surprising that LastPass' research shows that the sector currently has the second-lowest MFA score compared to other industries.

Investing in MFA should be a key security focus for organisations here.

Password manager adoption via mobile increases

For the first time, this report looks at how employees use their password manager via the LastPass app on mobile devices.

Globally, 23% of employees are accessing password vaults on their smartphone, and that number is likely to grow as mobile platform integrations improve.

After the iOS 12 launch, for example, employees used LastPass on their mobile device 50% more frequently than prior to the launch.

Further, user retention is approximately 30% higher on average when mobile usage is incorporated into an employee's onboarding experience.

It's clear that when it's convenient for employees to access and use password managers from their smartphone or other devices of their choice, they're more likely to use it.

Increased international regulation spurs action in EMEA and APAC

As global threats rise, and concerns grow about the privacy of personal information, governments and industries are enacting more regulations, directives and guidelines in order to help protect the digital economy.

Australia's growth in MFA usage to 29% over 12 months coincides with the NDB scheme; similarly, the GDPR may have contributed to significant growth in MFA adoption in countries such as Denmark (46%), the Netherlands (41%), Switzerland (38%) and Germany (32%).

“Securing employee access has never been more important and unfortunately, we see businesses ignore password security altogether, or only half-heartedly attempt to address it,” says LogMeIn chief information security officer Gerald Beuchelt.

“This report further highlights the importance of using the identity and access management tools available to information security managers in addition to maintaining focus on employee training to improve password habits.”