Yubico's State of Password Management and Authentication Security Behaviors Report paints a very bleak picture of corporate password management. The bleak picture mirrors multiple recent surveys which attribute the majority of data breaches to weak and compromised passwords.
Statistics taken out of context can give a misleading impression of corporate password management. For example, the statistic that 80% of data breaches are attributable to weak and compromised passwords (from the Verizon Data Breach Investigations Report) doesn't differentiate between corporate data breaches and personal data breaches. Therefore, it is understandable if corporate security teams interpret the statistic as relating more to personal data breaches and adopt the approach “it will never happen to us”.
Unfortunately, that's not the case. A survey conducted in 2021 found that corporate data breaches had increased almost 20% since the start of the COVID-19 pandemic, mostly due to poor corporate password management when employees worked from home. Incredibly, 79% of respondents to the survey did not change passwords when executives and managers with access to corporate accounts departed. This may have had something to do with 44% of respondents saying former employees had tried to access client databases and internal reports.
However, allowing former employees to continue accessing corporate accounts post-departure is not the worst example of lax corporate password management. According to Yubico's recent State of Password Management Report (which surveyed IT professionals), 50% of respondents reuse passwords, 42% said their organization uses sticky notes to manage passwords, and only 46% of organizations support corporate password management strategies with two-factor authentication, a recognized way to mitigate the risk from email phishing attacks.
Five Best Practices for Corporate Password Management
You don't need to be an IT security professional to acknowledge that if you don't change passwords when employees leave, if you reuse passwords and rely on sticky notes for corporate password management, and if you don't protect business-critical accounts with two-factor authentication, then “it will happen to us”. With this in mind, we have compiled five best practices for corporate password management.
1. Implement a Password Manager
It is very likely that some within your organization are already using password managers, either browser-based solutions such as Chrome or Firefox, operating system solutions such as Apple Keychain, or vault-based solutions such as Bitwarden. Of these three types, vault-based solutions are best because they support cross-platform synchronization across all devices, which means they can be used wherever there is an Internet connection, making them ideal for WFH employees.
2. Evaluate before You Commit
The primary purpose of evaluating a password manager before committing to a deployment is not to see how it works (vault-based password managers pretty much do the same thing), but to establish ease of use. If a password manager is too difficult to configure to your requirements, users could be given excessive permissions or blocked from accessing critical accounts. Similarly, if the end-user experience lacks simplicity, end users will look for ways to avoid using the password manager.
3. Personal Vaults or Plans?
Many corporate password management solutions enable end users to store personal login credentials in a separate personal vault; and while this can be useful for accelerating the adoption of a corporate password manager, end users may need reassuring that personal data saved in personal vaults remains confidential. Possibly a better alternative is to select a corporate password management solution that provides free premium or family plans for end users.
4. Enforce Password Policies
Although the Verizon “80%” statistic doesn't differentiate between corporate data breaches and personal data breaches, it is better to be safe than sorry. Select a password manager with a password policy engine so you can stipulate the minimum length and complexity of each password used for corporate account logins. Some policy engines can also be configured to enforce the use of a password generator or two-factor authentication on some or all corporate accounts.
5. Schedule Vault Health Reports
Vault health reports alert organizations to weak and reused passwords for corporate accounts. Some also alert organizations when passwords have been saved for insecure websites (those with the prefix http:// rather than https://) and when a website offers a two-factor authentication service that has not been taken advantage of. Typically, you can change offending passwords with the click of a mouse and the new password will be distributed automatically to each authorized user's password vault.
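As an added example (not code from this article or from any password manager product), here is a small password policy engine and vault health check of the kind best practices 4 and 5 describe, run over constructed vault entries. The policy thresholds, the entry layout and the mfa_available/mfa_enabled flags are assumptions standing in for what a real vault knows about each site.

```python
import re
from collections import Counter

# Assumed policy: minimum length and number of character classes required.
POLICY = {"min_length": 14, "classes": 3}

# Character classes counted toward complexity: lower, upper, digit, symbol.
CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]")]

# Constructed sample vault (not real credentials). mfa_available/mfa_enabled
# are assumed fields recording whether a site offers 2FA and whether it is on.
VAULT = [
    {"site": "https://crm.example.com", "password": "Correct-Horse-Battery-9",
     "mfa_available": True, "mfa_enabled": True},
    {"site": "https://mail.example.com", "password": "Correct-Horse-Battery-9",
     "mfa_available": True, "mfa_enabled": False},
    {"site": "http://intranet.example.local", "password": "summer2021",
     "mfa_available": False, "mfa_enabled": False},
    {"site": "https://payroll.example.com", "password": "Xk9#pLq2vR8!mZ4w",
     "mfa_available": True, "mfa_enabled": True},
]

def policy_violations(password, policy=POLICY):
    """Return the policy rules a password fails (empty list means compliant)."""
    failed = []
    if len(password) < policy["min_length"]:
        failed.append("too_short")
    if sum(bool(c.search(password)) for c in CLASSES) < policy["classes"]:
        failed.append("too_few_classes")
    return failed

def vault_health_report(entries, policy=POLICY):
    """Flag weak, reused, http-only and 2FA-not-enabled entries by site."""
    reuse = Counter(e["password"] for e in entries)
    report = {"weak": [], "reused": [], "insecure_site": [], "mfa_unused": []}
    for e in entries:
        if policy_violations(e["password"], policy):
            report["weak"].append(e["site"])
        if reuse[e["password"]] > 1:           # same secret on two or more sites
            report["reused"].append(e["site"])
        if e["site"].lower().startswith("http://"):
            report["insecure_site"].append(e["site"])
        if e["mfa_available"] and not e["mfa_enabled"]:
            report["mfa_unused"].append(e["site"])
    return report

if __name__ == "__main__":
    for category, sites in vault_health_report(VAULT).items():
        print(f"{category}: {sites or 'none'}")
```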
The Cost of Effective Corporate Password Management
The cost of effective corporate password management is very little. Not only are most enterprise subscriptions modestly priced (you will find typical subscription costs in this article), but also the time spent implementing and configuring the solution, and training end users how to use it, will be more than recovered by the reduced number of calls to the IT Help Desk for password resets. Gartner estimates 40% of calls to IT Help Desks are password-related, with each password reset costing around $70.
Compared to the cost of an avoidable data breach, corporate password management solutions are negligible. According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach is $4.24 million; and, like the previous reports referenced in this article, it finds the leading cause of data breaches is weak and compromised passwords. You can mitigate the risk of these events happening in your organization by following our five best practices for corporate password management.