CEO Series: Stop blaming employees for bad passwords
(Last updated on February 11, 2019)
Eight out of ten data breaches are caused by stolen and/or weak passwords. Cyber-crime is a large-scale business – it is as easy to try to attack 10 million accounts as 100. The stakes are higher than ever, and the latest threat is leaked password lists. Organizations that want to secure their business must have the right policies in place, and work proactively with password management.
Passwords have proven to be the weakest link time and time again. The global reach of the Deloitte breach is a perfect example. According to The Guardian, the hacker compromised Deloitte’s global email server by hacking a password to an administrator account that essentially granted unrestricted access to the information of more than 200,000 employees, as well as unknown customer information.
Are passwords a problem for all companies? Yes, since users stick to the same password patterns when choosing passwords. After all, "bring your own password" existed as a practice long before we started talking about "bring your own device".
Lists of the most common passwords reveal that most people share the same bad passwords. That’s why classic passwords like “password” and “123456” top the list. The belief that people will choose better passwords in their workplace than in their private lives is a pipe dream.
As a private person, I can choose to ignore the security risk, but at work my employer needs to prioritize IT security to protect business interests. Employers need to understand this correlation and the risks that come with it.
Breaches via hacked passwords affect both large and small companies. The potential costs are not just financial, but also reputational. Password complexity rules, such as requiring upper-case letters, special characters or numbers, can sound like a solution. Unfortunately, they often give a false sense of security, because people follow similar patterns when choosing passwords: a capital letter at the start, a common substitution or two, and a digit or symbol at the end.
Ultimately, preventing cyber-attacks is not the responsibility of individual employees. Let 2019 be the year in which we stop blaming employees and require more of our authentication systems instead. A feasible solution entails blacklisting the latest leaked lists to shift the burden away from end users. To learn more about password blacklisting, see Protecting your organization from the “Collection #1” leak.
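To illustrate the two points above, here is a small added example (not Specops code) that checks a candidate password both against a classic complexity rule and against a blocklist of leaked passwords. The blocklist is a constructed five-entry sample stored as SHA-1 digests, and the normalization step (strip trailing digits and symbols, undo common letter substitutions) is an assumption about how such a check might be implemented; it shows why “P@ssw0rd1” passes complexity but is still a known leaked pattern.

```python
import hashlib
import re

# Constructed sample standing in for a leaked-password list. The server only
# keeps digests, so the plaintext list never has to sit next to the login code.
SAMPLE_LEAKED = ["password", "123456", "qwerty", "letmein", "welcome"]
BLOCKLIST = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in SAMPLE_LEAKED}

# Common substitutions people use to satisfy complexity rules: @->a, $->s,
# 0->o, 1->l, 3->e, !->i (assumed mapping for this example).
LEET = str.maketrans("@$013!", "asolei")


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Classic rule: at least min_len chars and three of four character classes."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    hits = sum(1 for pattern in classes if re.search(pattern, pw))
    return len(pw) >= min_len and hits >= 3


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word it was probably built from."""
    base = re.sub(r"[\d\W_]+$", "", pw)   # drop the trailing "2019!" style suffix
    return base.translate(LEET).lower()   # undo leet-speak, ignore case


def is_leaked(pw: str) -> bool:
    """True if the password, or its normalized root, is on the blocklist."""
    for candidate in {pw.lower(), normalize(pw)}:
        digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
        if digest in BLOCKLIST:
            return True
    return False


def evaluate(pw: str) -> dict:
    """Combine both checks; a password is accepted only if it passes both."""
    complexity = meets_complexity(pw)
    leaked = is_leaked(pw)
    return {"complexity": complexity, "leaked_pattern": leaked,
            "accepted": complexity and not leaked}


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd1", "Welcome2019!", "Tr0ub4dor&3"]:
        print(pw, evaluate(pw))
```

Only “Tr0ub4dor&3” is accepted; the other three either fail the complexity rule outright or pass it while still reducing to a word on the blocklist.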
The CEO Series blog is written by Marcus Kaber, the CEO at Specops Software since 2012. Marcus has 20 years’ experience driving growth in global software companies.