IT professionals at U.S. companies waste 2.5 months a year resetting internal passwords.

Edward Gately, Senior News Editor

May 3, 2019


It’s World Password Day, do you know if your passwords are strong enough to keep cybercriminals at bay?

OneLogin conducted a study of more than 300 IT decision-makers across the United States and found that IT leaders are putting business data at risk by not effectively managing employees’ passwords. Despite the fact that 91% report they have company guidelines in place around password complexity and 92% believe their current password protection measures and guidelines provide adequate protection for their business, the results suggest there is still more work to be done.

Key findings include:

  • IT professionals at U.S. companies waste 2.5 months a year resetting internal passwords.

  • 65% of respondents don’t check employee passwords against common password lists and 76% don’t check employee passwords against password complexity algorithms.

  • 63% don’t require special characters or minimum length.

  • 71% of corporate passwords don’t require numbers and 72% don’t require upper or lower case differentiators.

  • 63% have not implemented password rotation policies.


Thomas Pedersen, OneLogin’s CTO, tells us most companies simply don’t have sufficient password hygiene practices to properly protect themselves.

“Certainly, security providers will see these statistics as a great opportunity, but it is important for companies to be careful about which partners they choose to work with,” he said. “A powerful platform is essential, but it’s also important to find a simple solution that will be easily embraced across the enterprise.”

Cybercriminals are always looking for the quick score, and it is a “virtual certainty” that every company without quality password protection will be compromised at some point, especially as the pace of business speeds up and the tech stack becomes increasingly complex, Pedersen said. The ramifications of a serious breach generally trend toward catastrophic in terms of lost and compromised data, he said.

“Companies that want to protect themselves against password theft must deploy multifactor authentication (MFA) and single sign-on,” he said. “MFA will ensure that a criminal cannot get access with a password alone and single sign-on will completely eliminate passwords from a larger number of applications. These solutions are available off the shelf from a number of cloud vendors and can be deployed in a matter of days without any specialized security personnel. There really is no excuse at this point.”

Malicious hackers are improving their tactics faster than enterprises are stepping up their security game, Pedersen said, adding that implementing better password practices alone does not solve the problem.

“The IT department in most companies only has visibility of a small part of the cloud apps being used, and that’s the blind spot to focus on,” he said. “Only by implementing a companywide identity and access management initiative in collaboration with the end users can companies hope to protect themselves against password-related breaches.”

To commemorate World Password Day, the Cyber Threat Alliance (CTA) released its joint analysis on securing edge devices, including research from Sophos, that reaffirms the importance of improving password strength and management.

Andrew Brandt, Sophos principal researcher, tells us the message of World Password Day appears to be that passwords are an inadequate means to protect sensitive data and that people should adopt two-factor (or multifactor) authentication more broadly across society and not just in workplace or enterprise environments.

“While that’s a laudable goal and worthy of the effort to push people that way, a lot of our research focused on a variety of devices that, inherently, do not allow for a two-factor authentication method at all,” he said. “There is no way, for example, to enable MFA on a home router or a system that manages smart light bulbs if the vendors that make those products do not provide that feature themselves. It’s an unfortunate catch-22 that the devices which could stand to benefit the most from MFA are also the ones which are least likely to allow users to set that up.”


In studying the passwords most often used by criminals, Brandt said what struck him was that even complex-looking passwords that floated to the top of the list appeared to be default passwords assigned to large ranges of devices from particular vendors.

“I think it’s safe to say that even if the factory-installed password is long and complex looking, if each device does not have a unique password, then even those long, complex passwords will eventually make it into the lists of criminals who throw everything at the wall just to see what sticks,” he said.

Gavin Millard, Tenable’s vice president of intelligence, said World Password Day originally was introduced to raise awareness of the importance of creating strong passwords, and “that worked!”


“However, with the sheer volume of data breaches where users’ passwords are stolen and sold on the dark web, the issue is less about creating strong passwords or phrases and more about educating people of the need for a unique code for each online account,” he said. “Considering millions are still using 123456 as a password, the chances of changing password behavior is nothing short of a miracle. Instead, I advocate the use of password managers that create and store complex passwords, with some capable of alerting users when compromised passwords are found in data breaches. So on World Password Day, instead of improving your complex recipes for password success, do yourself a favor and automate.”

Qualys Strengthens Cloud Agent Platform

Qualys has unveiled its new Cloud Agent Gateway (CAG), a major extension of its Cloud Agent Platform aimed at simplifying large-scale deployments across on-premises and hybrid cloud environments.

The release of CAG enables customers to: secure connectivity of cloud agents on assets in restricted networks to the Qualys platform without need to open access for each asset to the platform; eliminate the deployment, management and maintenance of third-party proxies or secure web gateways for cloud agent installations at scale; and optimize the bandwidth utilized by large cloud agent deployments.

Karun Malik, Qualys’s vice president of strategic alliances and channel development, tells us the platform will get MSSPs to scale their security services to large-scale cloud agent deployments, and extend their monitoring services into security enforcement with Qualys patch management.


“MSSPs have large-scale multitenant deployments across global customers, and our gateway architecture fundamentally addresses bandwidth optimization across such large complex deployments,” he said.

The recently introduced Qualys PM Cloud App uses cloud agents to deliver operating system and more than 300 third-party application patches on IT assets across on-premises, cloud and endpoint infrastructure. CAG allows fast delivery of these patches to these assets in their environment by caching the downloaded patches and locally delivering them to the assets in the local network, according to the company.

Acquiring vs. Developing Innovation

A new hypothesis by Strategic Cyber Ventures (SCV), a cybersecurity venture capital firm, shows an increasing amount of innovation is being acquired as opposed to developed in-house through R&D.

The firm pulled the cash and short-term investment balances of more than 30 publicly-traded cybersecurity companies over a five-year period, excluding businesses that are divisions of major firms such as Microsoft, Cisco and IBM, and private equity firms that have invested heavily in cybersecurity. This balance has nearly doubled since heading into RSA 2019 and is on a steep upward trajectory.

“This trend is great news for cybersecurity startups and investors alike, as it is potentially indicative of many more acquisitions in the future,” it said.

SCV calculated R&D spending as a percentage of revenue for 30 publicly-traded companies over a 10-year period and found that R&D as a percentage of revenue increased during this period, demonstrating that some of the largest cybersecurity companies are actually spending more on R&D over time. Some of the companies are top performers in public markets such as Okta and Rapid7, while others, such as Carbon Black, are considered the next generation of cybersecurity companies by industry experts.

Those spending less on R&D appear to be larger publicly-traded cybersecurity companies that thrived in previous generations of cybersecurity products such as firewall, intrusion detection systems and antivirus, according to SCV.

“After reviewing the data, it appears, and now makes sense, that these strategies are not mutually exclusive,” it said. “In a constantly evolving and competitive space, these companies have opted to take a dual-pronged approach, both acquiring innovation as well as developing new technologies in-house. However, I still believe that startups are more scrappy, nimble, and will be responsible for the truly game-changing technologies in this space and will be plucked up by larger cybersecurity companies.”

Infosec Expands Channel Program

Infosec has enhanced its partner program for MSPs, MSSPs, VARs and OEMs. In addition to its security awareness and training solution Infosec IQ, the program now includes both Infosec Skills and Infosec Flex to provide across-the-board, full-spectrum training needs for the clients of channel partners.


“Organizations face two primary security training issues today: Their employees are not trained properly about cybersecurity and their security and IT staff are undertrained,” said Mike Nobers, Infosec’s director of global channel sales. “This is due to ever-changing security techniques and employees being recruited away to other companies because of the qualified security pro shortage. Infosec partners can now speak to this bigger issue across their client’s organization with Infosec IQ for employee security awareness training, plus Infosec Skills and Infosec Flex to address retaining and growing their security and IT teams.”

With Infosec IQ, partners can help clients build a cyber-alert workforce equipped to recognize, avoid and report suspicious activity, such as phishing. The Infosec Skills and Infosec Flex platforms are designed to ensure the client’s IT and security team’s skills are scaled to outsmart the latest threats and build defenses to counter tomorrow’s threats.

The partner program offers: automation tools to make it easy to build security awareness training programs to deliver the right content to the right learner at the right time; delegated administration that allows management of multiple clients’ security awareness programs from one platform; automatic report generation to make it easy to track and share training performance; and customizable learning experiences via more than 300 modules, including critical training in phishing, suspicious hosts, ransomware and password security.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
