Security Roundup: World Password Day, Qualys, Infosec, Innovation via Acquisition
It’s World Password Day. Do you know if your passwords are strong enough to keep cybercriminals at bay?
OneLogin conducted a study of more than 300 IT decision-makers across the United States and found that IT leaders are putting business data at risk by not effectively managing employees’ passwords. Despite the fact that 91% report they have company guidelines in place around password complexity and 92% believe their current password protection measures and guidelines provide adequate protection for their business, the results suggest there is still more work to be done.
Key findings include:
- IT professionals at U.S. companies waste 2.5 months a year resetting internal passwords.
- 65% of respondents don’t check employee passwords against common password lists and 76% don’t check employee passwords against password complexity algorithms.
- 63% don’t require special characters or minimum length.
- 71% of corporate passwords don’t require numbers and 72% don’t require upper or lower case differentiators.
- 63% have not implemented password rotation policies.
Thomas Pedersen, OneLogin’s CTO, tells us most companies simply don’t have sufficient password hygiene practices to properly protect themselves.
“Certainly, security providers will see these statistics as a great opportunity, but it is important for companies to be careful about which partners they choose to work with,” he said. “A powerful platform is essential, but it’s also important to find a simple solution that will be easily embraced across the enterprise.”
Cybercriminals are always looking for the quick score, and it is a “virtual certainty” that every company without quality password protection will be compromised at some point, especially as the pace of business speeds up and the tech stack becomes increasingly complex, Pedersen said. The ramifications of a serious breach generally trend toward catastrophic in terms of lost and compromised data, he said.
“Companies that want to protect themselves against password theft must deploy multifactor authentication (MFA) and single sign-on,” he said. “MFA will ensure that a criminal cannot get access with a password alone and single sign-on will completely eliminate passwords from a larger number of applications. These solutions are available off the shelf from a number of cloud vendors and can be deployed in a matter of days without any specialized security personnel. There really is no excuse at this point.”
Malicious hackers are improving their tactics faster than enterprises are stepping up their security game, Pedersen said, adding that implementing better password practices alone does not solve the problem.
“The IT department in most companies only has visibility of a small part of the cloud apps being used, and that’s the blind spot to focus on,” he said. “Only by implementing a companywide identity and access management initiative in collaboration with the end users can companies hope to protect themselves against password-related breaches.”
To commemorate World Password Day, the Cyber Threat Alliance (CTA) released its joint analysis on securing edge devices, including research from Sophos, that reaffirms the importance of improving password strength and management.
Andrew Brandt, Sophos principal researcher, tells us the message of World Password Day appears to be that passwords are an inadequate means to protect sensitive data and that people should adopt two-factor (or multifactor) authentication more broadly across society and not just in workplace or enterprise environments.
“While that’s a laudable goal and worthy of the effort to push people that way, a lot of our research focused on a variety of devices that, inherently, do not allow for a two-factor authentication method at all,” he said. “There is no way, for example, to enable MFA on a …