LogMeIn: Giving CISOs the tools to measure and improve password security
Despite the well-publicised growth in cyber-attacks every year, both in number and complexity, businesses are still struggling to implement effective security policies. It’s no secret that weak passwords are a leading security threat and bad password habits are far too common.
Yet businesses are struggling to quantify their own level of password risk, even those that use password managers. Why? They lack proof of their policies’ effectiveness. They’re missing visibility into their employees’ behaviours. And they can’t verify how they compare to others of similar size, industry or location, including competitors.
That is why we undertook an effort to analyse the password habits of employees at 43,000 organisations of all sizes and across industries that use the LastPass password manager. Not only does the report reveal real password behaviours in the workplace, but it offers the first true benchmark that CISOs and other IT professionals can use to see how they rank compared to other similar businesses and how to improve their password security.
Weak, reused, old and potentially compromised credentials open organisations up to innumerable risks that could be easily avoided. Our data shows that most businesses are performing middle of the road (an average of 52 out of 100) for password security, demonstrating the need for more effective policies and training to improve overall security. Password risk affects companies regardless of size, industry and location – but it’s something all organisations can work on for a more secure workplace.
The larger the company, the larger the risk
In a survey of 43,000 organisations, we found that the larger the company, the lower its security score on average. Organisations that use LastPass with 25 employees or fewer demonstrated the highest average security score of 50, but that score drops as the company size increases – up to a point. Organisations with more than 500 employees displayed stagnant scores, sharing similar challenges in improving password hygiene regardless of whether they had 1,000 employees or 10,000. These larger organisations make it more challenging for IT to hold all employees to password security standards, increasing opportunities for dangerous password behaviours.
Still, that doesn’t mean larger organisations are beyond help – some of the top performers overall were large businesses, showing that size is merely a factor that IT professionals should account for when implementing security policies. The larger the organisation, the more difficult it is to address certain challenges, from budgets to bureaucratic red tape. Smaller companies still face similar challenges, just on a smaller scale. Despite having fewer resources, it’s simpler to ensure near-perfect passwords and multifactor authentication for all employees when the employee base is smaller.
Password sharing provides the perfect example for a challenge that increases in scale with larger companies. On average, any given employee shares about six passwords with coworkers. Imagine the impact at a company with 100 employees. Now imagine the same for a company with more than 10,000 employees. Password sharing is frustrating for employees and IT administrators alike, with users resorting to using weak-but-memorable passwords that present potential backdoors into the business. As teams become more distributed and technology-dependent, the ability to protect, track and audit shared passwords is more complicated – and more necessary – than ever.
Security challenges span across industries and the globe
Technology and not-for-profit organisations achieved the highest security scores, with retail and insurance trailing behind. Given the need to comply with privacy and data laws and the tech-savviness of this industry, it’s no surprise that technology companies lead the way. Even so, other heavily-regulated industries such as banking, health, insurance and government – all frequently targeted by cybersecurity attackers – demonstrated lower security scores, revealing an opportunity for these industries to commit to more effective password security.
With a reputation for security and the adoption of standards like the General Data Protection Regulation (GDPR), companies in Germany ranked higher than the global average in terms of security score, closely followed by the Netherlands. The United Kingdom falls behind in sixth place, so even though the country has a number of strong top performers, we have a lot of work to do overall. In particular, the UK leads other European countries in multifactor authentication adoption but still ranks far lower than the United States. Ten percent of companies using multifactor authentication are in the UK, while about 63 percent are based in the U.S.. It’s evident that despite the growing usage of this technology overall, many countries are still slow to adopt this security trend.
Improving overall security is a work in progress, but no matter the size, industry or location, all organisations can take steps toward more efficient password management – and we’re already seeing a positive selection of companies doing something for passwords. We found that one year after implementing a password manager, most companies increased their security score by an average of nearly 15 points. For businesses looking into implementing a password manager or trying to measure their own password security for board reporting, this report should serve as a helpful benchmark, offering realistic goals and best practices.
As more and more companies implement BYOD policies, opening up networks to unsanctioned devices and apps, CISOs and other IT leaders need to change the way they think about password security. Visibility is key: You can’t measure security unless you have a system that provides insights into potential areas of risk. Implementing a password manager won’t just improve security, but increase productivity, brand perception and employee satisfaction as organisations are better equipped to safely navigate future challenges.
Ivy.ai’s new chatbot streamlines resources and policies
Ivy.ai, a creator of AI chatbots for higher education, is offering a chatbot that helps institutions streamline name, image, and likeness policies for athletic programmes.
This solution will allow athletic departments to dramatically reduce inbound inquiries while answering inquiries related to compliance, financial aid impact, how-to documents, and best practice training videos.
It will allow institutions to condense information in a way that is easily accessible and eliminates the need for student-athletes to read complicated manuals. Institutions can also engage with student-athletes via a real-time feedback loop to see which topics truly matter and what needs further clarification. This allows administrators to be proactive and provide a competitive edge in recruiting.
Helping institutions connect their students with information
“Athletic departments at colleges and universities are overwhelmed by the challenges posed by the name, image and likeness legislation,” said Mary Frances Coryell, Vice President of Strategic Alliances and Partnership.
“Ivy.ai is uniquely positioned in the market to help institutions connect their student-athletes with policies and information related to NIL such as state laws, restrictions and relevant contacts. Our chatbot can digest all relevant policy information and provide answers to student-athletes at any time on any device. We expect the NIL market to move quickly, so student-athletes deserve the answers on their terms, rather than exclusively during work hours.”
Primary use cases for the chatbot include:
- Answering commonly asked questions related to name, image and likeness
- Communicate policies such as state laws, restrictions and compliance regulations
- Provide contact information for various advisors and agencies
- Connect training materials for athletes to improve their branding
- Engage in two-way reactive and proactive communication to keep policies student-centric
Back in March 2020, the company offered schools a free COVID-19 Response System, including a customisable COVID-19 Response Bot, a human-to-human live chat system and an SMS Text platform. These services are offered completely free of charge.
"The customisable COVID-19 Response Bot will help schools connect their students with important information, such as the school's operational status, where to go for treatment, and what to do to help reduce the risk of spreading the virus. We already added that information to all of our clients' AI chatbots, and we found that in many cases students needed additional support. That's why we're including our human-to-human Live Chat system in this offer. The SMS Text platform can be used to drive awareness to this communications channel for your students." said Mark McNasby, CEO of Ivy.ai.