sb-au logo
Story image

'Risky behaviour' observed in IT security pros and individuals - survey

Yubico has announced results of its State of Password and Authentication Security Behaviors Report, which found that IT security practitioners and individuals are both engaging in risky password and authentication practices.

The study, conducted by the Ponemon Institute, surveyed 2,507 IT and IT security practitioners across five countries, as well as 563 individual users. 

The tools and processes that organisations put in place are not widely adopted by employees or customers, the research reveals.

“IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” says Yubico CEO and co-founder Stina Ehrensvard. 

“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. 

“With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. 

“Organisations can do far better than passwords; in fact, users are demanding it.” 
 

Key findings from the research
 

Individuals report better security practices in some instances compared to IT professionals

Of the 35% of individuals who report that they have been a victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. 

However, of the 20% of IT security respondents who have been a victim of an account takeover, 65% changed how they managed their passwords or protected their accounts. 

Both individuals and IT security respondents have reused passwords on an average of 10 of their personal accounts, but individual users (39%) are less likely to reuse passwords across workplace accounts than IT professionals (50%). 

Prevalence of phishing 

51% of IT security respondents say their organisations have experienced a phishing attack. 

Another 12% of respondents stating that their organisations experienced credential theft, and 8% say it was a man-in-the-middle attack. 

Yet, only 53% of IT security respondents say their organisations have changed how passwords or protected corporate accounts were managed. 

Individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts. 

Increased workplace mobile usage

55% of IT security respondents report the use of personal mobile devices is permitted at work, and an average of 45% of employees in the organisations represented use their mobile device for work. 

Alarmingly, 62% of IT security respondents say their organisations don’t take the necessary steps to protect information on mobile phones. 

51% of individuals use their personal mobile device to access work-related items, and of these, 56% don’t use 2FA. 

Intra-business account sharing

Roughly half of all respondents (49% of IT security and 51% of Individuals) share passwords with colleagues to access business accounts. 

59% of IT security respondents report their organisation relies on human memory to manage passwords, while 42% say sticky notes are used. 

Only 31% of IT security respondents say that their organisation uses a password manager.

Customer protection lacking

59% of IT security respondents say customer accounts have been subject to an account takeover. 

Despite this, 25% of IT security respondents say their organisations have no plans to adopt 2FA for customers. 

Of this 25 % of IT security respondents, 60% say their organisations believe usernames and passwords provide sufficient security and 47% say their organisations are not going to provide 2FA because it will affect convenience by adding an extra step during login. 


In general, 49% of individuals say that they would like to improve the security of their accounts and have already added extra layers of protection beyond a username and password. 

However, 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. 

 A majority of IT security respondents and individuals (55%) would prefer a method of protecting accounts that doesn’t involve passwords. 

Both IT security (65%) and individual users (53%) believe the use of biometrics would increase the security of their organisation or accounts. 

Lastly, 56% of individuals and 52% of IT security professionals believe a hardware token would offer better security. 

Story image
NetMotion announces SASE platform leveraging Microsoft Azure
The platform offers integrated transport and web proxies, distributed firewalls, network access control (NAC), zero trust network access (ZTNA) or software-defined perimeters (SDP), a VPN highly optimised for mobile access, and AI-driven policy and risk analysis.More
Story image
Video: 10 Minute IT Jams - Vectra AI exec discusses cybersecurity for Office 365
In Techday's second IT Jam with Vectra AI, we speak again with its head of security engineering Chris Fisher, who discusses the organisational impact of security breaches within Microsoft O365, why these attacks are on the rise, and what steps organisations should take to protect employees from attacks.More
Story image
Vectra sets A/NZ channel in sights with new leadership hire
The new international sales VP will be charged with strengthening its MSP programme and growing its channel partner network in the region.More
Link image
The definitive checklist to distinguish a broken authentication system
An improper or insecure implementation of authentication is a critical web application security risk. This checklist will discern the good from the bad.More
Story image
Forrester names Thycotic a Leader in privileged access management
Thycotic received the highest possible score in 11 of the 24 criteria in the study, including SaaS/cloud, innovation roadmap, and integrations, deployment, supporting products and services, commercial model, and PIM installed base.More
Story image
Is the 'fast follower' mentality holding back anti-money laundering in Australia?
The decade-old rules-based systems cannot keep up with sophisticated cyberattacks and money laundering threats on their own, writes FICO financial crimes leader for APAC Timothy Choon.More