It seems some of us are, in the year of our lord 2021, still reusing the same password for multiple sites, plugging personal gear into work networks, and perhaps overly relying on browser-managed passwords, judging from this poll.
ThycoticCentrify, formed from a merger between two computer access management firms, said it surveyed about 8,000 people, and reports just under a quarter admitted they reuse passwords across multiple websites – a cybersecurity no-no because it opens you up to credential stuffing.
Meanwhile, about half of those working for large (5,000+ headcount) companies said they hadn't received cybersecurity training in the past 12 months, even as the vast majority of all those polled said they'd seen an increase in the volume of phishing messages their org had received over the past year.
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, said: "People working in the cybersecurity sector know how their colleagues should behave when it comes to keeping their devices safe and protecting the wider company. But are these messages getting through?"
Research carried out by Sapio Research for the biz found that a global sample (including a thousand people from each of the UK, US, Germany, Australia and New Zealand) were doing potentially risky things, such as connecting personal devices to corporate networks – something that a quarter (23 per cent) of respondents said they had done. Coincidentally, 21 per cent of respondents said they were C-suite execs, company owners, or managing-director level.
Whether this included BYOD devices wasn't made clear in the resulting study. Nonetheless, uncontrolled personal devices certainly represent a level of risk.
The use of browser-stored passwords was also called out as a potential security risk by ThycoticCentrify, with a third of respondents apparently saying they rely on their web browser to manage their passphrases. It argued these stored credentials would be a jackpot prize for anyone compromising a PC, phone, or tablet.
"More than a third of employees continue to save passwords within their internet browsers on all of their personal and work devices," said Carson. "By cracking only one of those devices, an attacker can easily access all the passwords stored within the user’s browser. This makes it so much easier for an attacker to elevate privileges without being detected and gain access to the user’s email, company cloud applications, or even sensitive data.
"If the employee has saved multiple passwords within the internet browser, an attacker can readily see whether they are all the same or simple variations such as one character difference."
Using a password manager, even one built into a browser, with complex, randomly generated passwords is arguably better than asking people to memorize weak or guessable ones or reuse the same credentials over and over for multiple services. That said, ThycoticCentrify's argument appears to be that companies should move beyond relying just on passwords: they should consider better ways to reliably and securely authenticate users when accessing resources, using things like multi-factor authentication.
Again, ThycoticCentrify is a password and access management outfit. This is like a lock maker telling you to buy better locks and keys, like the ones it sells. Each organization should devise its own threat model with regard to passwords, authentication, and scope of access. You can read up on the pros and cons of personal password managers here, here, and here.
Finally, though most people responding to the survey acknowledged their business could be targeted by cyber-criminals, a mere 16 per cent of respondents felt their business was at a "very high risk" of catching the wrong end of a cybersecurity attack. The spray-and-pwn tactics of ransomware gangs, such as the crews who targeted ageing Accellion file-transfer appliances, haven't quite sunk in for all. ®