Protecting access to passwords is often not prioritized at many companies, and the lackadaisical attitude by employees who use easily guessable passwords often makes it simple for hackers to gain access to a network.
Employees often breach their company's policy, and 46% admit to using their own personal passwords for company data, according to a survey conducted by Dashlane, a New York-based enterprise password solution company, who queried 500 information technology administrators and enterprise employees. These personal passwords often turn out to be weak ones and only meet the bare minimum password requirements. Whenever employees opt to reuse their own passwords, the odds of compromising several personal and work accounts during a data breach are enormous.
"Most data breaches are because of poor password habits — using the same, weak passwords like 'admin,' as shown in the Equifax breach," said Emmanuel Schalit, CEO of Dashlane CEO. "Strong, unique passwords are absolutely necessary to prevent cyberattacks and using a password manager is the only way for every employee to protect company and customer data."
The greatest threat to companies are frequently employees because of weak strategies or ones which are not implemented by managers, allowing the widespread problem of crossing the lines between personal and professional identities to grow exponentially.
One in five employees said they are not aware whether their company has instituted a password policy while nearly one in three don't know if they adhere to it, the survey found.
The underlying problem can not be attributed solely to employees because 70% of IT admins said they did not factor an employee's password falling into the hands of a hacker among their top five concerns. The survey also found that three-fourths of IT admins said their employees have password fatigue which is created when they have to memorize numerous passwords, but 45% are not concerned about the weak passwords practices at their company.
Strengthening password security at organizations and lowering the amount of unsecured password sharing is critical because the use of the cloud and other online services is increasing daily.
While password reuse becomes inevitable, many companies have not created an easier method of banning the reuse of them between work and personal services, said Isabelle Dumont, vice president at Lacework, a Mountain View, Calif.-based provider of cloud security solutions.
"The password challenge is easy to describe but not easy to enforce," she said. "Organizations redirect some of their efforts towards monitoring the services and applications they run on-premises or in the cloud."
Cybercriminals who have stolen a password and accessed applications to steal data will "betray its presence by showing abnormal behavior on the stolen account," Dumont said. "This can be detected effectively and quickly with modern security tools that focus on behavior."
Password reuse and "poor password hygiene" are some of the biggest issues contributing to many of today's data breaches and cyber attacks, said Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions.
"The issue with passwords is that when an employee needs to remember five or more passwords, instinct sets in along with cyber fatigue," he said. "This results in employees starting to use the same password for everything from a bank account to social media and even the company's active directory which is used for logging into the company email and systems."
Employees have an average of more than 30 passwords to remember, so the trend of reusing passwords will not decrease soon. Cyber fatigue is growing at an alarming rate and hackers are capitalizing on this phenomenon.
"When a cyber breach happens, which includes a password being stolen, it is quite common that cybercriminals will find that the same password will work to then break into the employee's workplace," Carson said. "This provides them with access to more sensitive information, which typically leads to large data breaches."
Solutions to Password Fatigue
The universe of passwords will grow to 300 billion by 2020, according to a recent research study conducted by Thycotic and Cybersecurity Ventures. Businesses and other organizations face greater threats since in 2016 over 3 billion user credentials or passwords were stolen, which amounts to 95 credentials and passwords stolen every second, he said.
"The issue of password reuse is going to become critical and organizations must consider adding additional security controls to passwords using multi-factor authentication," Carson said. "Managing cyber fatigue must also be achieved by helping employees gain control of the mess by using a password vault or privileged account management solution."
Instead of attempting to combat the issue of reusing passwords, companies should implement additional security measures, such as two factor authentication, which will mitigate the risk, said Ryan Jones, managing principal at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.
"Regardless of whether it's at work or in personal life, password reuse has been a problem since passwords were created," he said.
Employees are "terrible" at selecting strong and easy-to-remember passwords, said Joram Borenstein, a vice president of marketing of NICE Actimize, a Hoboken, N.J.-based financial crimes software solutions provider.
Companies can easily fix the growing problem by enforcing Draconian password policies with unrealistic rules about length, variety of characters and time span of use, he said. They could also elect to replace passwords altogether by implementing the use of biometrics or one-time passwords or another authentication protocol.
"They may choose to prioritize their security risk mitigation efforts by focusing on the most critical personnel such as people with administrative credentials, C-suite or other leaders with the most sensitive access, he said.
Security controls are often viewed as hindrances which slow down or impede the normal work-flow in an office and employees are not given the right tools to make the process smoother, said Ryan Manship, vice president of RedTeam Security, a St. Paul, Minn.-based ethical hacking firm.
"If a company implements 'access controls' on its employees to limit how much data they can access, that can bottleneck employees and slow down projects," he said. "The same is true with email whitelisting, script-blocking browser plug-ins and work-from-home remote access limitations."
Password managers are widely available, cheap and easy to use which means companies can no longer blame the lack of convenience, Manship said.
"There is no reason why every company today can't do a better job of protecting its employees logins," he said. "Two-factor authentication is also readily available. These are simple solutions and easy to implement and they don't have any net negative impact on an employee's efficiency."
Companies can no longer take a passive approach and "have to wake up to this threat," Manship said.
Since there have been too many large-scale password breaches over the years, the odds that most companies have employees who are logging into corporate accounts with compromised passwords is immense.
"If your business isn't mandating the use of password managers, two-factor authentication and other online account protections, it is guilty of gross negligence and it will fall victim to a breach - it's just a question of when," Manship added.
When the employee is compromised in a phishing attack, the hackers already know that the password is being used to secure multiple accounts, making it easy for them to "just go on a huge shopping spree and target all of that person's discoverable accounts," said Jason Glassberg, co-founder of Casaba Security, a Redmond, Wash.-based white hat hacking firm.Nowadays managers have multiple utilities and tools available to enforce a rigorous password policy, which means that they "have to go out of their way to avoid having one," he said.
The majority of cyber attacks begin with a phishing email because the hacker is targeting user passwords. When passwords are reused across multiple accounts, "it's game over," Glassberg said.
The compromise of data is easily achieved because the domino effect has been created due to a handful of employees who have failed to follow simple password security protocols.
"Password reuse allows bad guys to potentially gain access to seemingly unrelated accounts such as email and social media, furthering the ability to phish and gain more information and more passwords," he said. "Organizations also still fail to appreciate the dangers of insider attacks as well, wrongfully assuming that all bad actors come from outside the company."
Companies need to consider using email whitelisting to reduce the amount of phishing attempts that will be made against their employees.
Blaming employees does not target the root of the problem, which is that developers are not creating software which is secure, said Altaz Valani, director of research at Security Compass, a Toronto-based security company.
"There is no reason why any system or application should allow employees to use common dictionary words in their passwords, reuse passwords or log-in to any account without two or multi-factor authentication," he said. "We need these programs to have better security built into them from the start, in order to lock users into a safer set of behaviors."
Employers do share some of the blame because they do not "go far enough" in the development of in-house security policies or training their employees.
"One simple step every company can take is to require its employees to use password managers for their online accounts," Valani said. "This will eliminate much of the risk of password reuse, although it's important to remember that the master password must continue to be protected - that means writing a strong and unique password which is changed regularly."
More of What's Trending on TheStreet: