The reuse of passwords is a ubiquitous problem. In many ways, it’s unsurprising that employees so often resort to using the same password more than once, given that remembering multiple strong and unique passwords is difficult. However, the practice gives rise to serious security risks, and these risks are even greater when passwords are reused between corporate and personal applications.
My1Login’s recent survey of 1,000 business leaders and 1,000 employees found that nearly two thirds (62%) of employees reuse personal passwords for business applications or vice versa. Even staff who have undergone cyber security training at work report this practice at a similar rate. This is a problem that needs to be fixed, and cyber security training is not doing the job. So, how else can organisations protect themselves from the vulnerabilities associated with passwords?
The risks of reusing passwords are well documented. When the same password is used across multiple accounts, the damage potential of a cyber-attack increases as criminals can access multiple accounts when just one is breached. If an employee reuses their passwords across personal and business accounts, organisations’ vulnerability to cyber-attacks increases further. Personal accounts and applications lie beyond the visibility and protection of business IT teams, making them potentially more vulnerable to attack.
Despite these risks, a staggering 87% of employees reuse passwords across business applications. And 62% of office workers reuse passwords between business and personal accounts. The latter practice is clearly a problem for business leaders, with 70% reporting that it concerns them.
While poor password habits are prevalent throughout all industries, there is some variation across sectors. Employees in healthcare and education report particularly high rates of password reuse, at 94% and 91% of employees respectively. This compares with only slightly lower rates of password reuse in the government and public services sector (83%) and in software and technology (77%). Similarly, the use of personal passwords for business applications, or vice versa, is higher in the education sector (75%) and healthcare (68%) than in professional services (55%) and technology and software (45%). All industries, and education and healthcare in particular, need to address these behaviours and the risks they pose.
Typically, organisations’ first port of call to address the risks associated with poor password behaviour is cyber security training. Yet, our research indicates that training has a limited impact and fails to bring about a meaningful reduction in the behaviours that have the potential to compromise corporate data.
We found that cyber security training has a particularly limited impact on the habit of reusing passwords across business and personal applications. Use of personal passwords for business applications and vice versa is reported by 63% of office workers who have received ‘a little’ cyber security training, compared to 61% of those who have not received any training. For those employees who have received ‘a lot’ of training, the behaviour is reported by only a slightly lower proportion of employees (57%).
Cyber security training has a marginally greater impact on the general reuse of passwords across work applications, but it still doesn’t deliver the expected return on investment. While 91% of office workers who have received no training reuse their passwords at work, 85% of employees who have received training reuse their passwords. Of employees who have had ‘a lot’ of cyber security training, 78% still reuse their passwords. With poor password habits endemic and cyber security training failing to solve the problem, what other options do organisations have?
If employees’ behaviour is at the core of the problem, the obvious solution is to take employees out of the equation as much as possible. The responsibility for passwords needs to be shifted away from the individual worker and back to organisations. Making this transition removes the burden of passwords and their associated vulnerabilities from employees and simultaneously places organisations back in control of their security.
One way to make this change is to implement a solution that removes passwords from the hands of users, enabling the enterprise to seamlessly transition to passwordless authentication where employees no longer have to physically enter a password every time they log in to an application. My1Login gives employees this passwordless experience, enabling them to be quickly authenticated for any app they wish to access. Not only does this improve organisational security by removing the vulnerabilities caused by poor password habits, but it also improves employees’ productivity as they no longer need to worry about using multiple unique passwords to protect corporate data. With 84% of employees reporting their frustration at password requirements, it’s clear that employees, as well as organisations as a whole, would welcome such a change.