Despite weak, stolen or reused passwords being the main cause of breaches, IT executives still lack control over password security in their organisations. With GDPR in force and high-profile breaches now consistently making headline news, how can organisations implement a change in culture to strengthen security? Rachael Stockton, Director of Identity and Access Technologies at LogMeIn, makers of LastPass, tells us more…
How much of a factor is poor password practice when it comes to data breaches?
According to the Verizon Data Breach Investigations Report, 81% of breaches are caused by stolen, re-used or compromised passwords. That is a huge amount. And stealing these passwords can be done in a variety of ways – phishing, guessing etc. When a breach happens, a bunch of passwords are stolen. With 59% of people reusing those stolen passwords, and because computing power is so cheap right now, hackers can literally just run through all the data and passwords they stole from one site and try them against multiple, more valuable sites (think your banking site). And they’re bound to get hits that way.
There’s a huge risk with any data breach, whether it’s a consumer organisation, such as a retail store or a bank, those passwords could be valid in a work setting. And so, passwords are really that first step in protecting yourself.
Research shows that people know there are risks with using the same password and yet, they still do it – why do you think that is?
In a survey we conducted earlier this year, 15% of people said that they would rather do household chores than change their passwords. I think there are a few elements to this attitude. There’s the ‘it’s not going to happen to me – I’m not important enough’ way of thinking. Millennials, in particular, tend to think ‘what are they going to steal from me?’.
And then I think the other element is that, even when people find out that something like an app has been breached, only 50% of people take the action to change their password.
So, I think the reason is that ‘this isn’t going to happen to me’ justification, and at the same time, there’s also a ‘it’s going to happen, they probably have my stuff already’ attitude. And I think that’s sad – there’s a resignation there. I think in a way that goes back to the question – ‘is there an acceptance that passwords are going to be stolen, that breaches are going to happen?’
And if so, is that really ok? I don’t think it is. We have to make it easier for people to manage their passwords rather than using the same one and just changing that last number.
Because we know people are using the same simple passwords all over; they’re writing them down on some sort of sheet or post-it note or keeping it on an Excel file on their phone or on their desk, which can easily be infiltrated.
We must figure out an easier way. I am a believer that at some point we will find something that’s better than passwords, but that’s not going to be in the near future so we need to be able to help and work better to secure them today.
Is there a barrier between the ‘techies’ and end users?
I think there’s a lot of friction between the two and I know that IT is really frustrated with that too. They don’t want to be considered the bad guy, they don’t want to be thought of as somebody who is slowing down the business. They want to figure out how they can enable the business. But they’re also responsible for weighing the risks.
They’re stuck between a rock and a hard place. But that’s where having a simple solution that people can actually use, both in their professional and personal lives, can help. Not only are you changing behaviour at work, but you can change employees’ behaviour at home.
And this really is a behavioural change. It’s about us as human beings and what we do and how we do it. This remains a challenge for IT, but when that problem can be met and overcome, you have a lot of success.
How does LogMeIn’s LastPass password manager help to secure remote workforces and those using BYOD?
I think without a doubt both of these are huge trends that are not going to change.
With these, you have a lack of control again from IT. Before the advent of BYOD, IT only had to worry about protecting the company perimeter. But now, there are the cloud apps, the devices, there are many employees, and they’re everywhere. So as a CISO or Director of IT, you’re thinking “now how do I do it?”
Having an enterprise-grade password manager in place ensures employees have secure access to their passwords no matter what device they’re on. Plus, they are able to autofill passwords on any device and into mobile apps. Having this consistent experience across devices makes using password managers much easier.
And again, it goes back to human behaviour. If the user can have a consistent experience with a password management tool at work, at home and on their device, they will eventually change their behaviour. And for IT, it will at least relieve some of the pressure on employees to remember all this stuff.
Will passwords ever be replaced?
I think what will happen first is that passwords will be remediated; something will take their place. They’ll be made a little bit more invisible to the end user.
Even right now, think about using your face as an ID or using your fingerprint for biometric authentication. In many cases there are still passwords behind that, but this is just putting a much easier user interface in front of it. So, I would expect there to be many more advances in technology that make accessing things easier, but actually replacing the password will take a very long time. And so, until then, let’s just make it as easy as possible to manage passwords.
One important thing for the enterprise, and we talked about this a lot, is consumers or end users – they’re critical; if you don’t have them, you have nothing.
But there is also an element of control. It’s what we bristle against with the enterprise. And I think one thing that password management systems like LastPass do give is a much better sense of control over your organisation’s password policies.
You’re able to set a variety of policies and get an organisational security score, so you can monitor where you are and then work to improve it by reaching out to various employees and groups.
Having that visibility and control also increases awareness of the problem and once you’re aware, that’s when action becomes much easier. If you don’t have this information, how do you actually inspect what you can only expect?
How would you summarise the main benefits of LastPass for enterprise customers?
It’s really about being able to close the other 50% of the windows and doors of the organisation. I also think being able to report out on that, being able to understand where you are and see that improvement, is also very critical.
There are now vendors who can produce security scores, like credit scores. And with us, we have a password score. As you look at the pressures particularly large enterprises face when it comes to risk and risk mitigation, anything you can do to quantify that risk, and then also prove you are improving over time on that, is really critical to both maintaining your funding and getting more of it.
Is there any best practice guidance you would give to CISOs about password management?
It’s ok to admit you have a problem. It’s ok. You’re not alone. That’s number one.
And two – you have to recognise that it’s bigger than just your organisation. This has to do with people’s personal habits as well as professional habits.
It might seem like a good answer to your problem is to make password requirements harder in order to protect all of the systems – cloud, on-prem, etc. But I think all you’re going to get there is rebellion.
So, keep it simple; complexity is not the answer. As you look at passwords, recognise that you only know less than half of what apps your users are using. So whatever solution you choose, you want your employees to feel comfortable bringing a new tool into their workflow.
I think that’s some of the biggest advice.
And then work with the vendor on that rollout, as there are a lot of innovative things you can do – everything from office posters to games, to putting shared passwords in so people actually have to get access to it and log in so they can get that information.