Australian companies are being put at risk by poor password hygiene according to a new survey, which shows very few companies automatically change passwords - and sticky notes are still a favoured option for remembering passwords.
The LogRyhythm survey of more than 1000 employees from Australian companies with 20+ staff, highlights the need for more password education, and improved password control, opening the door for resellers to engage further with their customers on the topic.
While 96% of respondents required a password to use their work computer, only in 3% of cases were passwords automatically changed and generated by company security.
The survey also found one in five employees was able to gain entry to all work services and documents via a single password, and that the average number of passwords for employees was 3.2, with 37% of workers using five or more.
While 72% of respondents take ‘reasonable care’ saying they have changed their password within the last six months, and 59% say they change their passwords at least once a year, 6% say they have never changed their access codes, opening the door for cybercriminals to find and exploit vulnerabilities.
Where different access codes were required by an employer, only 18% of workers set a unique password for each service, with 19% using the same one for everything. Twenty-one percent created variations on a core word.
Alarmingly, 22% kept their passwords in an unsecure place, be it a file saved on their computer (8%) or in their desk drawer (6%), a note on a smartphone (5%) or a sticky note on their desk (4%).
LogRhythm says extrapolating that out across Australian enterprises, 173,000 workers are leaving their passwords on sticky notes on their desk.
Simon Howe, LogRhythm’s ANZ sales director, says the results show clearly that employees may be unwittingly placing their organisations at greater risk of data breaches and other incidents.
“User accounts and passwords are being harvested on the black market to fuel cyber attacks,” Howe notes.
“Businesses need to more actively monitor employee access to devices, applications and systems. And to set policies that encourage them to keep security front of mind.”
Among the suggestions LogRhythm makes for improving password security are companies sending regular reminders to employees to change passwords and keep them safe, with the recommendation that the longer the password – a combination of four or more different words – the better.
The security intelligence company also suggests using a secure password manager app to store passwords and to help create and store complex and dynamic passwords for multiple services, and using multifactor authentication whenever possible to protect critical infrastructure such as VPN and email access.
Avoiding shared accounts and instead creating separate accounts for each user of an application so any actions are properly attributed to a specific employee, is also recommended and helps limit the risk of inadvertent password exposure.