Passwords? On Post-its?
How retro! How circa Prince William!
You’d think we’d all know better, particularly after such memorable incidents as when passwords were plainly visible on sticky notes stuck up in the background during a TV interview – an interview about a cyber-attack, of course – broadcast live by the French TV channel TV5 Monde earlier this year.
Alas, we do not know better.
There are far too many of us sharing passwords at work – be it on the infamous Post-it note glued all over the place, on scraps of paper strewn around desks, in unsecured spreadsheets, by email or by text.
It would be comforting to blame this all on those cursedly smooth-faced Millennials, but alas, we the wrinkled are only slightly less bad at keeping our passwords to ourselves.
According to a new report from password manager and digital wallet company Dashlane, a survey of 3000 people, evenly distributed between the US, the UK and France, found that 53% of US respondents have shared a password with a colleague.
The younger the employee, the more likely they are to think that the sharing economy includes passwords: 67% of respondents aged 16-24 said they’ve shared passwords; it drops to a still-dismal 59% in the age bracket of 25-34, 52% with 35-44-year-olds, and a still quite lame-o 46% of those 45-54.
When we’re not blabbing them all over cubicle land, here’s how we store our passwords:
- 62% of us keep them tucked away in our memory wetware
- 30% of us write them down
- 20% of us use a password manager
- 13% use a shared spreadsheet
- 8% reuse passwords – as in, they use one password for all systems
- 7% use email, texting or instant message
Guillaume Desnoës, head of European markets at Dashlane, feels OK about blaming callow youth for this situation.
The Register quotes him:
Our report reveals a lackadaisical approach to the management of company confidential data, which is being driven by the influx of 'millennials' entering the workplace.
Having grown up with the sharing culture of social media, this age group has become slightly casual when it comes to their security and this has the potential to have an impact in the business world.
If we choose not to beat up a particular age group, who can we pin the blame on for this soggy state of information security?
Management. Yeah, that sounds good. Let’s give it a spin.
A large percentage of respondents – 44% – reported that they can still access accounts or subscription-based services at their previous employers, putting those companies at risk of unauthorised use of systems or social media hijackings.
This all boils down to weak password security policies. Or, well, no security policies at all – at least, not that employees are aware of.
Nearly 70% of respondents said that either their employer doesn’t have a password policy or they don’t know if their employer does or not.
Another new study, this one conducted at the Black Hat 2015 conference by Lieberman Software Corp., underscored the notion that management is dropping the ball on security.
The survey, of 150 IT security pros, found that 92% of them believe that cybersecurity drills are a good way to prepare staff for cyber attacks.
In spite of that, 63% admitted that their employers never run such drills, or, at best, only run them annually.
Only 11% of organisations carry out cybersecurity drills quarterly, while 26% conduct them every six months.
The study suggests that the infosec pros are warning executive management about the risks, but getting them to take action is another matter entirely.
10% of respondents said the budget wasn’t there to fix things; 12% said they couldn’t convince management to understand the severity of cyber threats; and a whopping 45% said “all of the above.”
The blame game
Between these two studies – both of which come from security vendors that obviously have reasons for putting a slant on the situation – we can see some people are blaming Millennials, while some people are blaming management.
But at the end of the day, we’re still stuck with 1) the fact that none of us apparently have cause to brag, and 2) the question of what can be done about a pervasive indifference to security.
Is more security education the answer? Or does security education even work?
At least one security big-wig recently advocated turning away from the wrist-slaps of mandatory security training or public call-outs in favor of stripping people of their security clearances if they can’t manage to get security right.
DefenseOne reported that Department of Homeland Security (DHS) CISO Paul Beckman said during a panel discussion at a cybersecurity event in Washington a few weeks ago that when he sends staff email rigged as phishing bait, to see who’ll click on potentially unsafe links, users – even senior managers – click.
They don’t just screw up once, mind you.
Such people not only click on links; they also repeatedly input usernames and passwords even when a blatantly non-DHS sender requests them, he said – bad security hygiene that gets them nothing but a slap on the wrist:
There are no repercussions to bad behavior. There’s no punitive damage, so to speak. There's really nothing to incentivize these people to be aware, to be diligent.
Employees who fail to pass his rigged-email test are forced to undergo mandatory online security training.
What he’d like to see instead is “broader evaluations of their fitness to handle sensitive information”, the outcome of which could, and should, be revocation of their security clearance:
Someone who fails every single phishing campaign in the world should not be holding a [top-secret security clearance] with the federal government. You have clearly demonstrated that you are not responsible enough to responsibly handle that information.
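Beckman’s standard is repeat failure across campaigns, not a single click. Below is an added example, not code from the original article or from DHS, showing how a security team might tally the results of its own phishing simulations per user and separate one-off clickers (who get retraining) from people who have failed every campaign they were sent (who get escalated for review). The campaign export format, outcome names and the `min_campaigns` threshold are assumptions; the sample rows are constructed for the example.

```python
"""Tally simulated-phishing outcomes per user and tier the repeat offenders.

Added example, not part of the original article. The CSV layout and the
outcome vocabulary (ignored / reported / clicked / submitted_credentials)
are assumed; the rows below are constructed sample data, not real results.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per user per campaign.
SAMPLE_EVENTS = """campaign,user,outcome
2015-06,alice,reported
2015-06,bob,clicked
2015-06,carol,submitted_credentials
2015-06,dave,ignored
2015-07,alice,ignored
2015-07,bob,submitted_credentials
2015-07,carol,submitted_credentials
2015-07,dave,clicked
2015-08,alice,reported
2015-08,bob,reported
2015-08,carol,submitted_credentials
2015-08,dave,ignored
2015-08,erin,submitted_credentials
"""

# Outcomes that count as failing the simulation: following the link at all,
# or going further and typing a username and password into the decoy page.
FAIL_OUTCOMES = {"clicked", "submitted_credentials"}


def load_events(text):
    """Parse the campaign export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def tally(events):
    """Per-user counts: campaigns received, campaigns failed, credential submissions."""
    stats = defaultdict(lambda: {"campaigns": 0, "failed": 0, "submitted": 0})
    for event in events:
        user_stats = stats[event["user"]]
        user_stats["campaigns"] += 1
        if event["outcome"] in FAIL_OUTCOMES:
            user_stats["failed"] += 1
        if event["outcome"] == "submitted_credentials":
            user_stats["submitted"] += 1
    return dict(stats)


def classify(stats, min_campaigns=3):
    """Assign each user a tier.

    'clean'   - never failed a simulation
    'retrain' - failed at least once (the mandatory-training response)
    'review'  - failed every campaign, with at least min_campaigns data points,
                so that one unlucky click never triggers a clearance review
    """
    tiers = {}
    for user, user_stats in stats.items():
        if user_stats["failed"] == 0:
            tiers[user] = "clean"
        elif (user_stats["failed"] == user_stats["campaigns"]
              and user_stats["campaigns"] >= min_campaigns):
            tiers[user] = "review"
        else:
            tiers[user] = "retrain"
    return tiers


if __name__ == "__main__":
    per_user = tally(load_events(SAMPLE_EVENTS))
    for user, tier in sorted(classify(per_user).items()):
        s = per_user[user]
        print(f"{user:6} {tier:8} failed {s['failed']}/{s['campaigns']} "
              f"(credentials submitted {s['submitted']}x)")
```

On the constructed data, carol fails all three campaigns and is the only user escalated to review; erin also fails everything she has been sent, but with one campaign on record she stays in the retraining tier until there is enough history to call it a pattern. Tracking credential submissions separately from plain clicks matters because, as Beckman notes, handing over a password to an obviously non-DHS sender is a far worse signal than opening a link.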
What’s your organization doing to keep workers from sharing passwords or clicking on phishy email?
We don’t want your passwords, but if you care to share anecdotes, you know what to do: our comments section is due South.