Living Below the Security Poverty Line Puts You at Risk
Managing risk is like paying utility bills... if you’re not doing it then you’re going to be left out in the cold. That sounds rather harsh, but 85% of attacks are the result of basic security shortcomings. If you don’t want to be left out in the cold, read on to see why living below the “security poverty line” is so risky.
The term “Security Poverty Line” refers to the line between organizations that do and do not have the minimally acceptable level of security needed to fend off an “opportunistic adversary”. These are the types of attackers that capitalize on basic weaknesses in a business's IT security.
There are numerous ways a business can end up below the “security poverty line.” They could lack a user security awareness training program, they may have forgotten that security is a process and not a product, they might not even have any semblance of access control... In this post, we’re going to look at how sub-par password management can put your business at risk.
Let’s start by looking at the results of a few studies. According to the 2014 Trustwave Global Security Report, 31% of breaches are the result of weak passwords.
That sounds like a lot, and it is, but when you consider how weak these passwords are and how they are managed, it’s easy to see how that number could be much higher.
For example, in a study done by the Pew Research Center 21% of the adults surveyed self-reported having at least one of their accounts compromised.
Now, 21% is bad, but this is made worse when you consider how many people reuse their passwords across all of their accounts, regardless of whether those accounts are professional or personal.
Some studies, like those comparing the Sony and Yahoo breaches, found that upwards of fifty percent of users reused their passwords across websites. According to one study, the percentage of users who reused their usernames and passwords across the two websites was around 59%, and those were just the users who used the same email address on both.
If we accept that both of these statistics are accurate representations of end-users as a whole (21% have had an account compromised, and roughly 59% of those reuse the same password elsewhere), then it can be inferred that roughly 12% of any business's users have their passwords out in the wild.
Those are the passwords they could be using to log in at work...
...and that's an awfully high amount of risk.
Now, how can you help to mitigate this risk?
Consider implementing strong password policies that enforce password strength (complexity requirements), age and history. This way, passwords are typically much stronger, and old ones are not reused. Then, consider finding places where you can completely replace the need to use a password. In many cases you can use stronger authentication options like multi-factor authentication (MFA) or single sign-on (SSO) to gain access to many on-premises and cloud-based applications.
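As an added illustration of the policy just described (example code, not code from the original post), here is a Python sketch that enforces complexity, rejects reuse against a salted, hashed history window, and flags passwords past their maximum age; the thresholds (12 characters, 90 days, 10 remembered passwords) are assumed values, not figures from the post.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy thresholds are constructed for this example, not taken from the post.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90      # "age": require rotation after this many days
HISTORY_DEPTH = 10     # "history": reject any of the last N passwords


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 so the stored history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def complexity_ok(password: str) -> bool:
    """Minimum length plus three of four character classes."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def reused(password: str, history: list) -> bool:
    """True if the candidate matches any (salt, digest) pair in the history window."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def password_expired(last_changed: date, today: date) -> bool:
    """Age check: the password must be rotated once it is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def validate_new_password(password: str, history: list) -> list:
    """Return the policy violations for a proposed change; empty means accepted."""
    problems = []
    if not complexity_ok(password):
        problems.append("complexity")
    if reused(password, history):
        problems.append("reuse")
    return problems
```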
Of course, when that’s not an option, a good password management system can help. Employees hate having to remember passwords, and if you can alleviate their burden with easy-to-use tools, it can significantly raise your business towards and/or above the Security Poverty Line. How a password management system can accomplish that is an interesting discussion in itself.