The biggest threats to your company’s cybersecurity come from the inside, and many of them revolve around poor password practices. The Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, commissioned by Keeper Security, found that nearly half (47%) of cyberattacks against SMBs in the past year involved compromised employee passwords.
SMB leaders admit to being vexed by employee password issues. Respondents to the Ponemon survey cited employee passwords being stolen or compromised (70%) and weak passwords (61%) as their top two pain points. Yet 54% admitted having no visibility into employee password practices.
Here are the five biggest mistakes and bad password practices that employees worldwide are engaging in, likely without their employers knowing about it.
1. They use weak passwords
Left to their own devices, and absent a password manager that can generate and store strong passwords, many people choose passwords that are trivially weak or easy for a cybercriminal to guess, such as password123, their birthdate, or their child's name. Passwords like these appear in every cracking wordlist, so an attacker does not need to "break" them at all; they are simply tried first.
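To make the point concrete, here is an added example (not Keeper's code or anything from the Ponemon report) of the two things a password manager does that employees left on their own do not: reject passwords that are short, common, built from personal information, or padded versions of a dictionary word, and generate replacements from a cryptographically secure random source. The blocklist is a constructed sample; a real deployment would load a large breached-password corpus instead, and the `personal_terms` argument is an assumption about what the caller knows about the user.

```python
import re
import secrets
import string

# Constructed sample blocklist. A real deployment loads a large
# breached-password list (millions of entries) rather than this handful.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "abc123",
}

MIN_LENGTH = 12


def weak_password_reasons(password, personal_terms=()):
    """Return a list of reasons the password is weak; an empty list means acceptable.

    personal_terms: strings an attacker could easily learn about the user
    (first names, birth dates, company name). Assumed to be supplied by the caller.
    """
    reasons = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Strip a trailing run of digits/symbols so "Password123!" is still caught
    # as the dictionary word "password" with a predictable suffix.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password (with or without a digit/symbol suffix)")

    for term in personal_terms:
        t = term.lower()
        if len(t) >= 4 and t in lowered:
            reasons.append(f"contains personal information: {term!r}")

    # Count character classes present. Fewer than three is a weak signal on its
    # own, but it is what makes a short password fall quickly to brute force.
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        reasons.append("uses fewer than three character classes")

    # Runs like "aaaa" or "1111" are a favourite way to meet a length rule cheaply.
    if re.search(r"(.)\1{3,}", password):
        reasons.append("contains a run of four or more repeated characters")

    return reasons


def generate_password(length=20,
                      alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Generate a password the way a password manager does: from a CSPRNG.

    The loop re-draws in the (rare) case a random draw happens to trip one of
    the checks above, so the result always passes our own policy.
    """
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weak_password_reasons(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password123", "Emma2012Rocks!", "Tr0ub4dor&3-correct-horse"):
        print(pw, "->", weak_password_reasons(pw, personal_terms=["Emma", "2012"]) or "ok")
    print("generated:", generate_password())
```

Note that the check never stores or logs the candidate password, and the generator uses `secrets`, not `random`; a generator seeded from the standard PRNG would produce passwords an attacker could reproduce.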
2. They share their passwords
Employees sharing passwords with each other may seem harmless on the surface; after all, everyone works for the same company, right? But what happens if an employee leaves the company? Shared passwords mean that former employees still have access to their ex-employer's systems even after their own credentials have been disabled. Password-sharing also opens the company up to insider attacks if a current employee goes rogue and misuses access that was never granted to them, and it defeats role-based access control (RBAC) and audit logging, because an action taken under a shared account can no longer be attributed to an individual.
3. They reuse passwords
The new Disney+ streaming service launched last month, and stolen account credentials went up for sale on the dark web almost immediately. While victimized users, whom cybercriminals promptly locked out of the hijacked accounts, were taken by surprise, such account hijacking is a common occurrence. Weak passwords and password reuse are to blame: attackers take username/password pairs exposed in earlier breaches and replay them against other services (credential stuffing), and any password that was reused works on the first try. There is a high probability that at least some of the stolen Disney+ passwords can get cybercriminals into the victims' work accounts as well.
4. They don’t keep their passwords secure
Passwords written on sticky notes and left in plain sight are a frighteningly common sight in office environments. Employees may also store passwords in plaintext documents or spreadsheets, often handily named "passwords", so that anyone who accesses their terminal, or a backup or file share it syncs to, can quickly find and abscond with them.
5. They don’t use multi-factor authentication
Multi-factor authentication (MFA), or two-factor authentication (2FA), stops a stolen password from being enough on its own: a malicious actor who has the password still needs the second factor (a code from an authenticator app, a push approval, or a hardware key) to get in. It also discourages password-sharing, since the second factor is tied to a device only its owner holds. However, as the prevalence of account hijacking illustrates, too many people don't enable 2FA if they're not required to do so.
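The following added example (written for this article, not Keeper's own implementation) shows why a stolen password is not enough once a second factor is in place. It implements the standard time-based one-time password scheme used by authenticator apps (RFC 4226 HOTP and RFC 6238 TOTP) from the Python standard library, and a login routine that only succeeds when both the password and a current code check out. The demo account, its password, and the PBKDF2 parameters are constructed for illustration; the TOTP seed is the published RFC 6238 SHA-1 test secret so the generated codes can be compared with the RFC's own vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32, code, for_time=None, step=30, window=1, digits=6):
    """Accept the current code or one step either side to tolerate clock drift.

    Constant-time comparison, so a wrong code leaks nothing about the right one.
    """
    if not (isinstance(code, str) and code.isascii() and code.isdigit()):
        return False
    t = int(time.time() if for_time is None else for_time)
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, t // step + drift, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def provision_user(password):
    """Enrol a user: salted PBKDF2 password hash plus a fresh random TOTP seed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": base64.b32encode(secrets.token_bytes(20)).decode(),
    }


def login(users, username, password, otp_code, now=None):
    """Both factors must check out; a password alone (stolen or shared) is rejected."""
    user = users.get(username)
    if user is None:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(derived, user["password_hash"]):
        return False
    return verify_totp(user["totp_secret"], otp_code, for_time=now)


# Constructed demo account. The seed is the RFC 6238 SHA-1 test secret
# ("12345678901234567890" in base32) so codes can be checked against the RFC.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_USERS = {"alice": provision_user("correct horse battery staple")}
DEMO_USERS["alice"]["totp_secret"] = RFC6238_SECRET


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("password only, no valid code:", login(DEMO_USERS, "alice", pw, "000000", now=59))
    print("password + current code:     ", login(DEMO_USERS, "alice", pw, totp(RFC6238_SECRET, 59), now=59))
    print("code alone, wrong password:  ", login(DEMO_USERS, "alice", "leaked?", totp(RFC6238_SECRET, 59), now=59))
```

Two design points worth noting: the verification window is deliberately narrow (one 30-second step each way), so a code captured from a sticky note or a screenshot is useless within a minute; and the TOTP seed must be protected like a password, since anyone holding it can mint codes. A production system would additionally reject a code that has already been used in the current step.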
Password managers prevent these problems
Half of the respondents to the Ponemon survey reported that their companies have no policy on employee password use, and of those that do have one, only about one-third strictly enforce it and require the use of a password manager.
A robust password manager like Keeper Business prevents employee password mistakes by giving companies the ability to establish and enforce good password practices company-wide. Keeper is affordable, easy to set up and manage, and offers enterprise-level protection that scales with your business, making it an ideal solution for all organizations, from resource-strapped SMBs to multinational corporations.
For more information on employee habits, download the 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report.