Intelligent CISO Issue 9 - Page 41

E R T N P X E INIO OP Strengthening password security in the workplace Despite weak, stolen or reused passwords being the main cause of breaches, IT executives still lack control over password security in their organisations. With GDPR in force and high-profile breaches now consistently making headline news, how can organisations implement a change in culture to strengthen security? Rachael Stockton, Director of Identity and Access Technologies at LogMeIn, makers of LastPass, tells us more. . . . H How much of a factor is poor password practice when it comes to data breaches? According to the Verizon Data Breach Investigation Report, 81% of breaches are caused by stolen, re-used or compromised passwords. That is a huge amount. And stealing these passwords can be done in a variety of ways – phishing, guessing etc. When a breach happens, a bunch of passwords are stolen. With 59% of people reusing those stolen passwords and because computing power is so cheap right now, hackers can literally just run through all the data and passwords they stole from one site and try them against multiple, more valuable sites (think your banking site). And they’re bound to get hits that way. There’s a huge risk with any data breach, whether it’s a consumer organisation, www.intelligentciso.com | Issue 09 Rachael Stockton, Director of Identity and Access Technologies at LogMeIn such as a retail store or a bank, those passwords could be valid in a work setting. And so, passwords are really that first step in protecting yourself. Research shows that people know there are risks with using the same password and yet, they still do it – why do you think that is? In a survey we conducted earlier this year, 15% of people said that they would rather do household chores than change their passwords. I think there are a few elements to this attitude. There’s the ‘it’s not going to happen to me – I’m not important enough’ way of thinking. Millennials, in particular, tend to think ‘what are they going to steal from me?’. And then I think the other element is that, even when people find out that something like an app has been breached, only 50% of people take the action to change their password. So, I think the reason is that ‘this isn’t going to happen to me’ justification, and at the same time, there’s also a ‘it’s going to happen, they probably have my stuff already’ attitude. And I think that’s sad – there’s a resignation there. I think in a way that goes back to the question – ‘is there an acceptance that passwords are going to be stolen, that breaches are going to happen?’ And if so, is that really ok? I don’t think it is. We have to make it easier for people to manage their passwords rather than using the same one and just changing that last number. Because we know people are using the same simple passwords all over; they’re 41