Password Reuse: A Common Practice for 25% of Employees

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Risky cyber behavior among employees is nothing new, in fact, despite organizations becoming more aware of the state of cybersecurity, employees continue to cause data breaches in unacceptable numbers. TechRepublic looks at a recent OpenVPN survey, which dissects poor cyber hygiene among employees.

Despite an increased focus on security training, 25% of the 500 US employees surveyed report that they use the same password for every account, the report found. Another 23% of employees said they frequently click on links before verifying that they lead to a legitimate, safe website.”

Of the 25% of employees who reuse the same password across all accounts, a shocking 81% admitted to not using any password protection on their computers or smartphones.

With statistics such as those listed above, the question for employers is no longer, “Will my organization get breached?” but rather, “When will my organization suffer a data breach?”.

Businesses may feel they’re improving their security posture by focusing their training on external threats, however, this approach overlooks the roles employees play in protecting their organization. Since employees are the first line of defense, it is crucial for training to not only focus on external risks but also address how employees can help defend against those threats.

Looking back at the poor password practices of employees discovered in the survey, not only does reusing passwords across various accounts put an organization at risk, it also puts the individual at risk on a personal level. Cybercriminals often use brute-force attacks to crack an individual’s password, allowing them to try large quantities of passwords in a single attempt. Once a password is successfully unveiled, the criminal will attempt to reuse that password across other websites or accounts in hopes that the individual reused that password.

Password best practices change over time, and some argue that past password policies may no longer be the most secure. Previously, complex passwords with an uppercase letter, lowercase letter, number, and special character were thought to be the most secure. Bill Burr, who has published past password standards now argues that long easy-to-remember passphrases are more secure than complex passwords. In addition, Burr also believes that requiring users to change their passwords after 90 days is not as secure as only changing passwords if a breach has occurred or has been suspected.

While employees may not be taking adequate steps to protect their passwords, the survey did find that 55% of employees are using biometric passwords, such as fingerprints to enhance their security.

Implementing strong cyber hygiene
Password policies should be implemented that require employees to proactively think about their passwords before they become compromised. In addition, continuous security training should be provided to educate and remind employees of the importance of strong password practices.

Using positive reinforcement when employees make smart decisions may also be helpful in gaining their attention rather than using scare tactics to warn of potential threats.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.