Presented by Dashlane
Yahoo, MySpace, Tumblr, and LinkedIn made headlines in the last 12 months for their enormous data breaches. Hackers released the data for 1.5 billion Yahoo accounts, 167 million LinkedIn users, 360 million user records on Myspace, and over 65 million Tumblr accounts.
Even more striking is the number of weak passwords revealed during such data breaches. For instance, Facebook founder Mark Zuckerberg fell victim to a cyber hack when a group called OurMine Team discovered his credentials in the leaked data. It was later revealed that his password “dadada,” was used to protect his Twitter and Pinterest accounts.
The recent mega breaches are not only unsettling in their magnitude, but they also illustrate the consequences poor password practices can have for both your employees and business.
It’s not ‘what’ makes bad passwords, but ‘who’
Passwords aren’t necessarily the root of the problem; the security risk originates when you ask employees to create and manage their passwords without providing them with the tools to do so.
Your employees are juggling a growing number of logins, policies, and devices, and are left with almost no choice but to settle for poor password habits and security shortcuts that put your company at risk.
Employees are suffering from password overload
Dashlane’s password overload study discovered that the average number of accounts registered to one email address is 130 in the United States, 118 in the United Kingdom, 95 in France, and 92 for the rest of the world. And that number is doubling every 5 years.
With over 100 personal and work accounts, it is impossible to create and remember a unique, strong password for all of them. As a result, employees create passwords that are simple to use, easy to remember, and often meet the bare minimum password security requirements — and they most likely do not bother segregating the passwords they use for their personal and work accounts, even if the company has created policies that explicitly forbid this.
The struggle to create (and remember) strong passwords
Employees create passwords that are easy to remember, often using easily predictable information such as names, places, sports teams, important dates, or even the name of the site or system where the account is registered — which explains why “linkedin” is the second most popular password found in the hacked LinkedIn data.
Requiring complex passwords results in the reuse of passwords for multiple accounts. If a hacker manages to steal an employee’s credentials for instance on one of their personal accounts, chances are that they will also attempt to use those credentials to access company accounts, and/or try to access information belonging to your valued customers.
Unsecure sharing is not caring
One study found that 1 in 3 employees share their credentials with other employees for various reasons: because their manager, boss, or colleague asked for them, to give access to team members while they’re out of the office, etc. And that sharing is done using unsecure channels, ranging from a post-it note to sending an email or chat message.
More often than not, employees don’t share passwords with any malicious intent, but 52 percent of employees in a survey admitted that they did not understand the risks they could be implicating by sharing work-related login information using unsecure mechanisms.
Employees and IT administrators are responsible for good password security
Hackers are really targeting the weakest link in your security infrastructure — your employees. The best way to strengthen the security of your entire business is to make sure both your employees and IT admins are aware of their responsibility to maintain good password security, and that they have the tools to fulfill that responsibility.
Tips for employees:
Education is key: Educate employees on how to identify a potential security breaches, how to generate strong passwords they can use and remember, and how to manage them safely.
Be transparent about security: Be proactive and transparent about your company’s security policies and infrastructure. Consider sending a company-wide incident report to raise employee awareness, and/or having regular training sessions or town hall meetings where you educate employees about your current security policies.
Offer them a Password Manager: To help your employees store, manage, and secure the password to their accounts, provide them with a password manager. Password managers help combat insecure password sharing, password overload, and manually generating weak passwords. Make it clear to your employee that this is also a benefit for them as they can use it to manage their personal credentials.
Tips for IT administrators:
Rethink your security policies: Be cognizant of unrealistic restrictions that not only put your systems at risk, but also promote cynicism about security. When you create your security policies, ask yourself: Is this policy difficult to understand/adhere to for employees? Do employees know why this policy is in place? Can they recognize a potential security threat or breach? How can you create the right incentive for employees to not just comply but actively support security in the company?
Keep your systems and networks secure: Use and regularly patch data loss prevention (DLP), anti-malware software, anti-DDoS services, and other security software. For companies with BYOD policies, make sure employees’ devices are password protected, antivirus and DLP software is installed, and their data and online communication fully encrypted.
Enable two-factor authentication: Give your employees an extra layer of security by enabling two-factor authentication for their accounts.
Monitor user behavior: Make sure to keep track of system usage, external hard drives, and USBs, as well as which employees have access to sensitive work accounts–and if ex-employees still have access. Make sure you have proper policies and tools to manage offboarding of employees who leave the company, in particular when it comes to passwords.
In 2016, there were 82,000 reported “cyber incidents”–which includes ransomware, distributed denial of service attacks (DDoS) and more–negatively impacting organizations. In other words, there are over 82,000 reasons why the security of your business’ data should be a top priority.
Emmanuel Schalit is CEO of Dashline.
Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.