Weak passwords putting UK businesses at risk of losing millions

A new study by OneLogin, the identity management provider bringing speed and integrity to the modern enterprise, reveals that 85% of IT decision makers feel they have adequate password protection measures in place.

But in reality, most IT decision makers are failing to enforce even the most basic password requirements, putting their businesses at significant risk of data breach. In fact, less than a third (31%) require employees to rotate passwords monthly, and a further half (52%) admitted to only requesting password rotation once every three months.

>See also: How much control do IT executives have over password security?

The study, which surveyed more than 600 UK-based IT decision-makers with influence over their business’s IT security, highlighted that although many businesses require passwords to be a minimum length, a mix of upper and lower case, and to use numbers, the majority are failing to enforce any further password complexity requirements on employees. Only 37% of those surveyed ask employees to check their passwords against common password lists and 39% don’t even require employees to use special characters.

When it comes to authenticating users for internal and external corporate applications, the results are just as concerning. With less than a third (30%) implementing multi-factor authentication (MFA) as a mandatory authentication requirement for internal applications, and 26% for external applications, organisations are simply relying too heavily on weak password requirements, leaving organisations and valuable corporate data easily accessible to cybercriminals looking for the easiest way into the corporate network.

These security shortcomings can lead to significant costs, since the average cost for a UK company to remediate a data breach is £2.5 million, according to IBM Security’s 2017 Cost of Data Breach study.

>See also: Password ignorance will lead to cyber attacks

These costs include unexpected loss of customer business, product discounts, forensic and investigative activities, and legal expenditures. And once GDPR comes into effect in May 2018, penalties related to data breaches will start at €10 million and can go up to as much as €20 million or 4% of their annual turnover, depending on which is higher.

“The traditional password is the stalwart of cyber security, but our research has shown just how complacent IT decision makers have become about this vital, powerful, yet understated security measure.”

“Companies need to be more forward-thinking when it comes to identity and access management by enforcing strong passwords and using modern multi-factor authentication,” said Alvaro Hoyos, chief information security officer at OneLogin.

Businesses should consider the following to reduce their risk exposure due to weak passwords:

 Choose applications that support SAML or OpenID Connect for user authentication. Applications are the front door to company data; when an app supports SAML (Security Assertion Markup Language) or OpenID Connect, it lets IT staff ensure all users have strong passwords.

>See also: It’s time to get rid of the password for more secure protection

 Use modern multi-factor authentication. It’s not enough to use any MFA technology to send one-time passwords (OTPs) since older MFA technologies like SMS are easily compromised. Modern MFA ensures that OTPs cannot be stolen or re-routed to a hacker-controlled account.
 Strengthen your phishing defences. Most cyber attacks start with phishing emails. Train your employees how to spot these emails, and regularly run phishing assessments to measure their ability to do so.

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...