Despite education and constant reminders that security is everyone’s responsibility, Lori MacVittie, Principal Threat Evangelist, F5 Networks, says that the most basic of security practices is being completely ignored when it comes to apps and passwords.
“There’s an app for that” has become reality rather than just a catchy marketing phrase. According to a compilation of mobile app statistics, the average person now has more than 80 apps installed on their phone. That same person interacts with an average of nine of those apps every day and thirty over the course of a month.
Thanks to an insatiable appetite for data and visibility into consumer habits, most of those apps probably require an account. Whether it’s tied to a social media account or stand-alone, most apps encourage registration in order to access the most useful or interesting capabilities – like sharing what level of Candy Crush you’re stuck on today.
Those apps no doubt include social media. According to even more data (probably mined from the apps themselves), we had an average of 8.5 social media accounts in 2018. That’s nearly double the 4.8 average seen in 2014.
Now here’s where it gets interesting. The average number of email accounts per Internet user was either 1.8 or 2.5 in 2018, depending on whether you cite data from Radicati or DMA, respectively. In either case, the number of email addresses per user is significantly lower than the number of social media accounts and apps used on a daily or monthly basis.
Which makes sense. Typically, we don’t maintain a one-to-one relationship between social media accounts and email addresses. We have grown as attached to our email addresses as we have our phones; the DMA research found that 51% of people have held the same email address for more than 10 years. I’ve held the same personal email address for more than 20 years and my corporate address for almost 13 now.
You can imagine that those two email addresses are associated with way more than the average number of apps and social media accounts.
Also unsurprising is the number of times my personal email address has turned up on a list of addresses compromised by some information breach. It’s a lot. I suspect given the statistics that most people can say the same thing. And if we project out the nearly linear growth of social media accounts for four more years, it’s likely that number will grow along with the number of available targets.
Now, think about that and then consider these findings from password management vendor LastPass:
- 43% of the top 30 domains employees use are also popular consumer apps (think Dropbox, for example)
- 50% of people do not create different passwords for personal and work accounts
If that’s troubling, wait – there’s more. The same research found that six passwords were shared by the average employee. That’s six passwords shared with co-workers.
Take a deep breath, security pro.
Despite education and a constant litany of reminders that security is everyone’s responsibility, not only is the corporate-consumer barrier being breached on a regular basis but the most basic of security practices is being completely ignored when it comes to apps and passwords. The Verizon Data Breach Investigations Report found that over 70% of employees reuse passwords at work.
This is why it’s important for organisations to recognise the problem and institute better protection of their own corporate assets – assets that are usually accessed through one of those 2.5 email addresses. Multi-factor authentication (MFA) and password complexity requirements are among the best defences against attackers easily brute forcing their way into lucrative sources of data. MFA is also one of the best defences against the sharing of passwords, because it requires an additional step – one that most co-workers can’t complete.
With every account that’s exposed, with every app that joins the corporate ranks, risk is increased. Risk from employees sharing passwords, risk from static email addresses with multiple passwords and risk from attackers who know all these statistics and the best ways to exploit them.
MFA is not a panacea, but it is a good start on the road to addressing a risk that’s only going to continue to grow along with the number of apps on our phones and in use across personal and corporate domains.