By Rob Cheng, Founder and CEO, PC Matic
The recent PC Matic Password Hygiene & Habits Report found that only 16% of employers issue passwords to employees, while 80% of businesses allow employees to choose their own passwords. This is alarming, and risky, because it has also been reported that many employees use the same password for both work and home, and that 50% of people have never changed their personal passwords at all.
There’s no question that poor password behaviors are putting business data at risk. The Verizon Data Breach Investigations Report has found that as many as 81% of company data breaches are due to poor passwords. If companies are allowing employees to use the same passwords across personal and business apps, they are simply asking for a breach.
This underscores the fact that employees simply can’t be trusted to create safe passwords or to store them securely. The Workplace Password Malpractice Report, 2021 from Keeper found that 31% of employees have used their child’s name or birthday for their password. And 49% of employees admit to storing passwords in a document saved in the cloud, while 55% save them on their phone. Thus, if a cybercriminal breaches one of these environments, access to both work and personal data is at the ready.
How Did We Get Here?
Prior to the internet, businesses and government institutions regularly issued passwords to employees. But with the dotcom gold rush, new personal passwords were required as we began to build our own accounts. We set up personal passwords for everything from pets.com to Facebook. Then, somewhere, somehow, someone decided that if we can choose our personal passwords, we should choose our work passwords as well. What a devastating move.
It’s worth noting that the targets of cyberbreaches have also evolved. Hackers aren’t as motivated to infect the individual as they are now to breach large companies and critical infrastructure. And they know they can breach these companies by accessing an individual’s passwords. By hacking individual accounts via consumer-facing companies such as Equifax (consumer credit) and Twitter, they gain access to the servers of business and government. Remember, most Americans are using the same passwords at home and work.
Go Back to Go Forward
To protect corporate data and prevent employee-enabled exposure, it’s time to put password control back into the hands of IT. One of the simplest and least expensive ways to protect passwords is for employers to go back to issuing them. Company-issued passwords substantially reduce a company’s attack surface, and the practice is simple to implement. It puts IT back in control, where stringent password practices can be implemented and monitored.
Where should we start? Email. Email access is an essential element of the hacker’s playbook: it allows criminals to read emails, reset passwords, and send fake emails. Next, we should disable password-reset features for critical applications such as VPN and remote access tools such as TeamViewer and Citrix’s GoToMeeting.
Numerous sites will generate passwords and distribute them via email. While the goal should be for employees to memorize their passwords, it is critical to understand that storing passwords in the cloud without password controls in place is not a secure practice.
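As an added example (not code from the article or from PC Matic), the following shows how an IT team could generate the passwords it issues: each password is drawn from a cryptographically secure random source, sized to a minimum entropy target, screened against a blocklist of known-bad passwords, and guaranteed unique across employees so one compromised credential never reveals another. The 72-bit entropy target, the character set, the blocklist entries and the employee ids are assumptions constructed for this example.

```python
"""Company-issued password generation with a CSPRNG.

Added example, not from the article. Assumptions (constructed here, not policy
stated on the page): a 72-bit minimum entropy per issued password, a small
blocklist standing in for a breached-password feed, and uniqueness across
all issued passwords.
"""
import math
import secrets
import string

# Character set for issued passwords: letters, digits and a conservative set of
# symbols that survive copy/paste and most login forms. Chosen here (assumption).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Constructed blocklist standing in for a real breached-password corpus.
BLOCKLIST = frozenset({"Password123!", "Welcome2024!", "Summer2021!!", "Company1!!!!"})

# Minimum strength, in bits of entropy, an issued password must carry (assumed policy value).
MIN_ENTROPY_BITS = 72.0


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size` choices."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def min_length_for(bits: float, alphabet_size: int) -> int:
    """Smallest length at which a uniformly random password reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw `length` symbols with `secrets.choice` (CSPRNG); never use the `random` module here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password: str, alphabet: str = ALPHABET, blocklist=BLOCKLIST) -> bool:
    """Screen a *generated* candidate: not blocklisted, only alphabet symbols, long enough.

    The entropy estimate assumes the candidate came from generate_password(); it is
    not a strength meter for human-chosen strings.
    """
    if password in blocklist:
        return False
    if any(ch not in alphabet for ch in password):
        return False
    return entropy_bits(len(password), len(set(alphabet))) >= MIN_ENTROPY_BITS


def issue_passwords(employee_ids, alphabet: str = ALPHABET) -> dict:
    """Issue one unique, policy-compliant password per employee id.

    Returns {employee_id: password}. Uniqueness is enforced so that a breach of
    one account's credential does not hand over another account.
    """
    length = min_length_for(MIN_ENTROPY_BITS, len(set(alphabet)))
    issued = {}
    seen = set()
    for emp in employee_ids:
        while True:
            candidate = generate_password(length, alphabet)
            if candidate not in seen and meets_policy(candidate, alphabet):
                break
        seen.add(candidate)
        issued[emp] = candidate
    return issued


if __name__ == "__main__":
    # Constructed employee ids; output goes to the issuing process, not to email.
    for emp, pw in issue_passwords(["e1001", "e1002", "e1003"]).items():
        print(emp, pw, f"{entropy_bits(len(pw), len(set(ALPHABET))):.1f} bits")
```

With the 74-symbol alphabet used here, 12 characters already exceed the 72-bit target, so the generator sizes every issued password at 12 symbols. The `secrets` module is used deliberately: `random` is a predictable generator and is unsuitable for credentials.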
We are in a digital arms race, and currently cybercriminals are building ever more sophisticated, offensive capabilities. By taking steps to issue passwords for employee use, we can disable several tools from the cyber-attacker’s playbook and place control back on IT where it belongs.
About the Author
Rob Cheng is the founder and CEO of South Carolina-based cybersecurity firm PC Matic. Rob is a world-renowned cybersecurity expert and speaker who has been featured in national outlets and publications such as Fox News Channel, The Associated Press and USA Today. Best known for his role as the spokesperson for PC Matic on a host of national television campaigns, Rob’s expertise has led to PC Matic becoming a leader in the global cybersecurity market.