LogMeIn: Giving CISOs the tools to measure and improve password security

By Gerald Beuchelt, CISO at LogMeIn

Despite the well-publicised growth in cyber-attacks every year, both in number and complexity, businesses are still struggling to implement effective security policies. It’s no secret that weak passwords are a leading security threat and bad password habits are far too common.

Yet businesses are struggling to quantify their own level of password risk, even those that use password managers. Why? They lack proof of their policies’ effectiveness. They’re missing visibility into their employees’ behaviours. And they can’t verify how they compare to others of similar size, industry or location, including competitors.

That is why we undertook an effort to analyse the password habits of employees at 43,000 organisations of all sizes and across industries that use the LastPass password manager. Not only does the report reveal real password behaviours in the workplace, but it offers the first true benchmark that CISOs and other IT professionals can use to see how they rank compared to other similar businesses and how to improve their password security.  

Weak, reused, old and potentially compromised credentials open organisations up to innumerable risks that could be easily avoided. Our data shows that most businesses are performing middle of the road (an average of 52 out of 100) for password security, demonstrating the need for more effective policies and training to improve overall security. Password risk affects companies regardless of size, industry and location – but it’s something all organisations can work on for a more secure workplace.

The larger the company, the larger the risk

In a survey of 43,000 organisations, we found that the larger the company, the lower its security score on average. Organisations that use LastPass with 25 employees or fewer demonstrated the highest average security score of 50, but that score drops as the company size increases – up to a point. Organisations with more than 500 employees displayed stagnant scores, sharing similar challenges in improving password hygiene regardless of whether they had 1,000 employees or 10,000. These larger organisations make it more challenging for IT to hold all employees to password security standards, increasing opportunities for dangerous password behaviours.

Still, that doesn’t mean larger organisations are beyond help – some of the top performers overall were large businesses, showing that size is merely a factor that IT professionals should account for when implementing security policies. The larger the organisation, the more difficult it is to address certain challenges, from budgets to bureaucratic red tape. Smaller companies still face similar challenges, just on a smaller scale. Despite having fewer resources, it’s simpler to ensure near-perfect passwords and multifactor authentication for all employees when the employee base is smaller.

Password sharing provides the perfect example for a challenge that increases in scale with larger companies. On average, any given employee shares about six passwords with coworkers. Imagine the impact at a company with 100 employees. Now imagine the same for a company with more than 10,000 employees. Password sharing is frustrating for employees and IT administrators alike, with users resorting to using weak-but-memorable passwords that present potential backdoors into the business. As teams become more distributed and technology-dependent, the ability to protect, track and audit shared passwords is more complicated – and more necessary – than ever.


Security challenges span across industries and the globe

Technology and not-for-profit organisations achieved the highest security scores, with retail and insurance trailing behind. Given the need to comply with privacy and data laws and the tech-savviness of this industry, it’s no surprise that technology companies lead the way. Even so, other heavily-regulated industries such as banking, health, insurance and government – all frequently targeted by cybersecurity attackers – demonstrated lower security scores, revealing an opportunity for these industries to commit to more effective password security.

With a reputation for security and the adoption of standards like the General Data Protection Regulation (GDPR), companies in Germany ranked higher than the global average in terms of security score, closely followed by the Netherlands. The United Kingdom falls behind in sixth place, so even though the country has a number of strong top performers, we have a lot of work to do overall. In particular, the UK leads other European countries in multifactor authentication adoption but still ranks far lower than the United States. Ten percent of companies using multifactor authentication are in the UK, while about 63 percent are based in the U.S.. It’s evident that despite the growing usage of this technology overall, many countries are still slow to adopt this security trend.

Improving overall security is a work in progress, but no matter the size, industry or location, all organisations can take steps toward more efficient password management – and we’re already seeing a positive selection of companies doing something for passwords. We found that one  year after implementing a password manager, most companies increased their security score by an average of nearly 15 points. For businesses looking into implementing a password manager or trying to measure their own password security for board reporting, this report should serve as a helpful benchmark, offering realistic goals and best practices.

As more and more companies implement BYOD policies, opening up networks to unsanctioned devices and apps, CISOs and other IT leaders need to change the way they think about password security. Visibility is key: You can’t measure security unless you have a system that provides insights into potential areas of risk. Implementing a password manager won’t just improve security, but increase productivity, brand perception and employee satisfaction as organisations are better equipped to safely navigate future challenges.


Featured Articles

Top 20 essential leadership resources for Black executives

To celebrate Black History Month, here are 20 resources for Black leaders – from business books to leadership coaches to business school exec programs

Broadridge study reveals huge impact of AI on C-suite

Broadridge Financial Solutions spoke to 500 C-suite executives from across the globe, many of whom said AI was significantly changing the way they work

PwC's Kathryn Kaminsky – the role of boards on social issues

As Vice Chair Trust Solutions Co-Leader at PwC, Kathryn Kaminsky says boards play an important role in helping businesses take action on social issues

Why your business needs a Chief Transformation Officer

Leadership & Strategy

12 top AI and ML trends for the enterprise in 2023 – Dataiku

Technology & AI

From NYC to Hong Kong, the rise of the private members' club

Leadership & Strategy