SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
'Risky behaviour' observed in IT security pros and individuals - survey
Thu, 20th Feb 2020
FYI, this story is more than a year old

Yubico has announced results of its State of Password and Authentication Security Behaviors Report, which found that IT security practitioners and individuals are both engaging in risky password and authentication practices.

The study, conducted by the Ponemon Institute, surveyed 2,507 IT and IT security practitioners across five countries, as well as 563 individual users. 

The tools and processes that organisations put in place are not widely adopted by employees or customers, the research reveals.

“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” says Yubico CEO and co-founder Stina Ehrensvard. 

“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. 

“With the availability of passwordless login and security keys, it's time for businesses to step up their security options. 

“Organisations can do far better than passwords; in fact, users are demanding it.” 

Key findings from the research
Individuals report better security practices in some instances compared to IT professionals

Of the 35% of individuals who report that they have been a victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. 

However, of the 20% of IT security respondents who have been a victim of an account takeover, 65% changed how they managed their passwords or protected their accounts. 

Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%).

Prevalence of phishing 

51% of IT security respondents say their organisations have experienced a phishing attack.

Another 12% of respondents stating that their organisations experienced credential theft, and 8% say it was a man-in-the-middle attack.

Yet, only 53% of IT security respondents say their organisations have changed how passwords or protected corporate accounts were managed.

Individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts.

Increased workplace mobile usage

55% of IT security respondents report the use of personal mobile devices is permitted at work, and an average of 45% of employees in the organisations represented use their mobile device for work. 

Alarmingly, 62% of IT security respondents say their organisations don't take the necessary steps to protect information on mobile phones. 

51% of individuals use their personal mobile device to access work-related items, and of these, 56% don't use 2FA.

Intra-business account sharing

Roughly half of all respondents (49% of IT security and 51% of Individuals) share passwords with colleagues to access business accounts. 

59% of IT security respondents report their organisation relies on human memory to manage passwords, while 42% say sticky notes are used. 

Only 31% of IT security respondents say that their organisation uses a password manager.

Customer protection lacking

59% of IT security respondents say customer accounts have been subject to an account takeover. 

Despite this, 25% of IT security respondents say their organisations have no plans to adopt 2FA for customers. 

Of this 25 % of IT security respondents, 60% say their organisations believe usernames and passwords provide sufficient security and 47% say their organisations are not going to provide 2FA because it will affect convenience by adding an extra step during login.

In general, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password. 

However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. 

 A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn't involve passwords. 

Both IT security (65%) and individual users (53%) believe the use of biometrics would increase the security of their organisation or accounts. 

Lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security.