The death of the password has been predicted for nearly two decades. Yet in 2023, the majority of organizations still use static credentials to control access to some of their most important digital assets. Why? Largely because of the cost and user resistance challenges associated with alternatives. Yet these same users pose a significant threat to corporate data and systems because they don’t know, or won’t learn how, to manage their passwords securely. The threat is real: in 2022 alone Microsoft logged 1,287 password attacks every second, amounting to more than 111 million per day.
As the dust settles on another World Password Day, organizations should assume that if they’re still using passwords, they are at high risk of suffering a significant data breach. The only way to mitigate this risk is by applying strong protection to that data, wherever it resides in the enterprise.
The insider strikes again
One recent report found that 84% of organizations consider authentication security to be a top priority today. They’re right to be concerned. Passwords present a massive target for threat actors: a key with which to unlock perimeter defenses and internal data stores with ease. Why bother with malware which could trigger security alarms when you can stroll through the front door masquerading as a legitimate user? It’s no surprise that stolen credentials account for over 40% of data breaches.
Why are passwords such a major security risk? A big part of the reason boils down to insider negligence. Put simply, employees often don’t use or manage them securely. There are several issues here:
Passwords are often easy to guess: A 2022 study found that nearly one in every 200 passwords is “123456.” It claimed that 49 of the 50 most commonly used passwords could be cracked in under a second with easy-to-use tools readily available on the cybercrime underground.
Passwords are often reused: One report estimates that as many as 60% of credentials are reused across multiple accounts. This means that if just one of those websites or apps is breached, attackers can feed the leaked username/password pairs into automated tools and try each pair once against many other services, looking for a match. This is “credential stuffing.” It is distinct from “brute force” guessing, which works through many candidate passwords for a single account, and it succeeds precisely because the password is already known rather than guessed.
Users don’t update their passwords as often as they should: One study found that a quarter (26%) of global users have been using the same password for more than a decade.
Passwords can be breached, guessed or phished: Because they provide the keys to bypass corporate security measures, passwords are a major target. They can be breached en masse from organizations, phished individually from targets with elevated privileges, “guessed” in brute force attacks, or replayed in the credential stuffing attacks described above.
Personal is becoming corporate risk: Many employees reuse passwords across work and personal accounts. That means if the latter are compromised, it could imperil corporate systems. The blurred boundaries between work and play add other risks: one study found that over 70% of employees keep work passwords on personal devices.
Even IT teams are guilty: A separate study found that nearly half (46%) of IT and security leaders still store corporate passwords in office documents like spreadsheets.
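The difference between credential stuffing and brute force noted above is also how the two show up in authentication logs: a stuffing source touches many accounts about once each, a brute-force source hammers one account. The following is an added example, not code from this article or from comforte. It assumes a simple log format (ISO timestamp, source IP, username, OK/FAIL), constructed sample lines, and illustrative thresholds; a real deployment would tune the window and ratios to its own traffic.

```python
"""Tell credential stuffing from brute force in authentication logs.

Added example for this article, not comforte code. The log format
(ISO timestamp, source IP, username, OK/FAIL) and the thresholds are
assumptions chosen for illustration; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic).
# 203.0.113.5: one attempt each against many accounts, one succeeds -> stuffing.
# 198.51.100.9: many attempts against a single account -> brute force.
# 192.0.2.77: a user mistyping once, then logging in -> normal.
SAMPLE_LOG = """\
2023-05-04T10:00:01Z 203.0.113.5 alice FAIL
2023-05-04T10:00:02Z 203.0.113.5 bob FAIL
2023-05-04T10:00:02Z 203.0.113.5 carol FAIL
2023-05-04T10:00:03Z 203.0.113.5 dave OK
2023-05-04T10:00:03Z 203.0.113.5 erin FAIL
2023-05-04T10:00:04Z 203.0.113.5 frank FAIL
2023-05-04T10:00:04Z 203.0.113.5 grace FAIL
2023-05-04T10:00:05Z 203.0.113.5 heidi FAIL
2023-05-04T10:00:10Z 198.51.100.9 ivan FAIL
2023-05-04T10:00:12Z 198.51.100.9 ivan FAIL
2023-05-04T10:00:14Z 198.51.100.9 ivan FAIL
2023-05-04T10:00:16Z 198.51.100.9 ivan FAIL
2023-05-04T10:00:18Z 198.51.100.9 ivan FAIL
2023-05-04T10:00:20Z 198.51.100.9 ivan FAIL
2023-05-04T10:05:00Z 192.0.2.77 judy FAIL
2023-05-04T10:05:30Z 192.0.2.77 judy OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def densest_window(events, window):
    """Return the largest slice of time-sorted events that fits in `window`."""
    best = []
    for i, (start, _, _) in enumerate(events):
        j = i
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        if j - i > len(best):
            best = events[i:j]
    return best


def classify_sources(log_text, window=timedelta(minutes=1), min_attempts=5):
    """Label each source IP by the shape of its busiest burst.

    Credential stuffing: nearly every attempt in the burst targets a
    different account (leaked user/password pairs tried once each).
    Brute force: one account, many attempts. Fewer than `min_attempts`
    in the window is 'normal'. Successful logins inside the burst are
    listed as `hits`; for a stuffing source those accounts are the
    "matches" and should be treated as compromised.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        burst = densest_window(events, window)
        accounts = {u for _, u, _ in burst}
        hits = sorted(u for _, u, r in burst if r == "OK")
        if len(burst) < min_attempts:
            label = "normal"
        elif len(accounts) >= 0.8 * len(burst):   # almost all distinct users
            label = "credential_stuffing"
        elif len(accounts) == 1:                  # one user, repeated tries
            label = "brute_force"
        else:
            label = "suspicious"
        verdicts[ip] = {"label": label, "attempts": len(burst),
                        "accounts": len(accounts), "hits": hits}
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

The practical point is in the `hits` list: per-account lockout, the usual brute-force control, never fires during stuffing because each account sees a single attempt, so the successful login for `dave` looks legitimate unless the source is judged as a whole.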
Mitigating the insider threat
If passwords and negligent users are combining to expose organizations to risk, what should IT leaders be doing in response? The simple answer is to layer up security controls to minimize the impact of password-related data breaches. This means network and endpoint monitoring tools designed to spot suspicious behavior early on, and steps like micro-segmentation to limit the “blast radius” of attacks. But fundamentally, these efforts should start with protecting the data itself.
At comforte we call this “data-centric security.” It starts with being able to continually discover and classify the data — not easy when it resides all over the enterprise in hard-to-reach places like the cloud, and is in a state of continuous flux. Then, strong protection must be added — ideally in a way that will secure the data while allowing it to be used for important business use cases like analytics.
The comforte Data Security Platform protects 500 of the world’s largest organizations. It offers:
- AI-assisted data discovery that finds all sensitive data everywhere in the enterprise
- Multiple protection mechanisms including tokenization that preserve utility
- Seamless integration with data flows and apps for speedy time-to-value
- Protection of data at rest, in transit and in use