You don’t need a survey to tell you how dismal cyber security is across the business landscape – just look at the breaches making the news. A survey can, however, explore the finer points of our security practices, illuminating which controls businesses are using, which are working and which aren’t, and their plans for the future.
That’s why we did a survey in collaboration with SC Magazine, asking 500 senior IT leaders about access control and the use of passwords in their organizations. We wanted a real-life snapshot of their practices and the controls they were using to protect user identities and stop attackers. We also wanted to know where they saw their IT security going in the future. We’ve all heard the password pronounced dead multiple times. So just how are companies planning to handle access control?
The survey responses revealed some surprising truths about the sophistication (or lack thereof) of enterprise security programs and their long-term plans. As always, while most companies are quick to tout their privacy measures to the public, the reality is a little more complicated.
For instance, 39 percent of respondents said they use password-only authentication measures. Here's why that's a problem. As anyone who's paid attention to the last few years of high-profile breaches knows, more than a few of those attacks exploited compromised passwords. As we approach 2016, every IT team worth its salt should know by now that passwords alone simply are not sufficient protection. Adaptive and Two-Factor Authentication should be considered mandatory measures.
The survey showed that some teams do understand the importance of using passwords in conjunction with other security technologies; 30 percent employ a combination of passwords and tokens. But only 6 percent go for the triple hit of using all three factors: passwords, tokens and biometrics. The remainder opted for multiple passwords, tokens or biometrics only, or a mix of two-factor authentication controls.
Complexity vs. Memory
If you’re a practitioner of Multifactor or Adaptive Authentication - and we hope you are - you’re probably wondering why anyone would use passwords alone. There’s really no mystery; low implementation costs make them a budget-friendly way to enforce a baseline of security.
Yet organizations must understand the risks. Strong passwords are obviously the smart choice, but how many of us can remember long strings of nonsensical letters and numbers? More often than not, people will opt for a common saying, movie quote or song lyric, which they find easier to recall. Yet the phrase’s commonality makes it vulnerable to dictionary and brute force attacks, which can crack these easily-remembered passwords right open if the phrase is common enough.
Changing a word or letter in the middle of a phrase can help; another solution is a password vault application, which lets users freely create intricate, unique passwords while remembering only one master password.
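To make the two points above concrete, here is an added example (not code from the original post or from the survey's authors) showing the defender's side of each: a password-set-time check that catches a common phrase even after the usual letter and digit substitutions, and a vault-style generator whose output has far more entropy than any memorable phrase. The phrase list and the passwords are constructed for illustration; a real deployment would use a full blocklist.

```python
import math
import secrets
import string

# Constructed sample of the kind of sayings and lyrics a dictionary wordlist
# would hold (hypothetical entries, not a real wordlist).
COMMON_PHRASES = {
    "maytheforcebewithyou",
    "tobeornottobe",
    "letitbe",
    "iwillsurvive",
}

# Common character substitutions users apply to "strengthen" a phrase.
# Folding them back lets the check compare against the base phrase.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a",
    "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(password: str) -> str:
    """Lower-case, undo substitutions and drop separators/punctuation so
    'M4y_The_F0rce_Be_With_You!' compares as 'maytheforcebewithyou'."""
    folded = password.lower().translate(LEET_MAP)
    return "".join(ch for ch in folded if ch.isalnum())


def is_common_phrase(password: str) -> bool:
    """Reject a candidate password that is just a well-known phrase in disguise."""
    return normalize(password) in COMMON_PHRASES


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from
    an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


VAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_vault_password(length: int = 20) -> str:
    """What a password vault does for the user: a random password from the
    full printable alphabet, using the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(VAULT_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["M4y_The_F0rce_Be_With_You!", "T0 B3 0r N0t T0 B3", "xK9#vQ2!pL7m"]:
        print(f"{candidate!r}: common phrase -> {is_common_phrase(candidate)}")
    # A phrase picked from a list of ~10,000 well-known sayings carries only
    # log2(10000) ~ 13 bits, however it is spelled; a 20-character vault
    # password from a 94-symbol alphabet carries ~131 bits.
    print(f"phrase from 10,000-entry list: {entropy_bits(10_000, 1):.1f} bits")
    print(f"20-char vault password: {entropy_bits(len(VAULT_ALPHABET), 20):.1f} bits")
    print("example vault password:", generate_vault_password())
```

The design choice worth noting is that the check normalizes before comparing: a blocklist that only matches exact strings is defeated by the very substitutions users reach for, so the defender folds those substitutions away first. The entropy figures are for uniformly random choice; a human-chosen phrase is never that random, so its real strength is lower still.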
Even so, even the strongest passwords need to be changed frequently. Again, our survey showed mostly positive results: 36 percent of companies require their users to switch passwords, biometrics and tokens every other month, while 39 percent require the same two to three times a year. But there are still a few organizations that only require password changes once a year – or worse, don’t require it at all.
So with the state of the password union revealed, what does the future look like?
One thing our survey taught us was this: many of the companies still stuck in the password-only model are aware they need to evolve. 63 percent stated their organization had formal plans to move into a multifactor access model. While that's positive news, it's a plan that takes at least 2 years to achieve. That’s a significant window of vulnerability.
In terms of what they see themselves using 5 years down the road, 16 percent admitted they don’t know what the status of network security will be for their organization. That’s a fair statement, given that 5 years is plenty of time for a new breakthrough in technology to happen. Many experts think SQRL (secure quick reliable login) and FIDO (fast identity online) might replace passwords.
Right now, though? Multifactor Authentication is still the gold standard for access control, and it probably will be for some time. That’s probably why 19 percent of survey respondents foresee a security program mixing passwords, tokens and biometrics, while 18 percent intend to utilize Two-Factor Authentication. And that doesn’t just mean authenticating people; some companies are taking the approach of authenticating devices instead, as devices have the capacity – unlike us - to handle extremely complex strings of data.
So no, we won’t be saying goodbye to the password anytime soon. But the password will be partnering with other controls in more and more organizations – at least, in the ones that want to protect their data.
You can check out more of the survey results here. And if you’re one of the companies looking to strengthen your existing access controls, take a look at our Adaptive Authentication solutions.