Though most companies have a written cybersecurity policy, it often remains unclear to the leadership team whether employees are actually adhering to the policy’s guidelines. A quick glimpse of the headlines will highlight daily instances of fallout from lax cybersecurity practices by employees. Researchers at Clutch, a company that helps businesses make better buying decisions, recently surveyed over 1,000 full-time employees to get a better understanding of how they engage and follow through with cybersecurity policies at their companies.
According to Grayson Kemper, Senior Content Developer and Marketer at Clutch, the survey data show that “employees implement basic IT services and security initiatives like updating their passwords. However, many lack nuanced understanding about how their actions align with security policy and best practices or the impact they have on company security.”
The main findings from the survey show that:
- “Employees encounter password update reminders (67%) more often than any other element of their companies’ cybersecurity policies.”
- “Password protection (76%) is the most commonly practiced IT security behavior among employees.”
- “Although the majority of employees (64%) use a company-approved device for work purposes, only 40% are subject to regulations regarding the use of personal devices.”
- “Employees’ use of devices puts their companies at risk. Virtually all (86%) check email and more than two-thirds (67%) access shared documents using their devices.”
- “More employees report security incidents (60%) than experience policy training (59%). This indicates that employees have the ability to recognize security threats, even without training.”
- “Most employees (52%) receive cybersecurity policy training once a year.”
I would like to dig a bit deeper into the password security training aspect of these findings here, as there tends to be some conflict regarding password security best practices. The survey shows that 82% of respondents regularly update their passwords, while 38% are using the same password for multiple accounts. Less than half (41%) of those surveyed incorporate multifactor authentication into their cybersecurity practices, and 20% use a password manager.
Kemper notes that “passwords are the most common form of employee cybersecurity because they are simply the easiest for employees to master.” Many IT departments mandate password changes, forcing employees to update their passwords every few months. However, as Steve Scott-Douglas, the CIO of Ciklum who was interviewed for the Clutch report, observes, he still sees people updating their password, writing it down, and leaving it on their desk, which undermines the reason for changing the password in the first place. So, while these statistics are encouraging, the observational data suggest that further training could provide real benefits.
What Makes a Good Password?
While mandating password updates for employees helps build better habits, it doesn’t make sense without training about what constitutes a secure password. Here’s where the conflicts come into the picture. Some experts recommend passwords that are complex and difficult to remember, such as ones that contain “at least eight random characters of upper and lower-case letters, numbers and symbols.” Requirements like these assume that an individual is trying to guess the password, which is a mostly outdated method of compromising an account.
Others recommend a different approach entirely. Cybersecurity expert Brian Krebs, along with many others, suggests that while password “complexity is nice, length is the key.” Using a passphrase rather than a password adds entropy with every extra word, which lowers the odds of a successful brute-force attack.
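To make the “length is the key” argument concrete, here is an added example (my code, not from the Clutch report or from Krebs) that computes the entropy of a randomly chosen secret for several policy styles and turns it into an expected offline cracking time. The pool sizes (95 printable ASCII characters, 26 lowercase letters, a 7,776-word list, which is the size of the Diceware list) and the guess rate of 10 billion per second are assumptions chosen for illustration.

```python
import math

# Assumed pool sizes (constructed for this example, not from the survey):
# 95 printable ASCII characters (upper, lower, digits, symbols),
# 26 lowercase letters, and a 7,776-word list (the size of the Diceware list).
FULL_CHARSET = 95
LOWERCASE = 26
DICEWARE_WORDS = 7776


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret chosen uniformly at random: each position
    is one of `pool_size` choices, so the search space is pool_size**length."""
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed to hit a uniformly random secret:
    half the search space."""
    return 2 ** bits / 2


def years_at_rate(bits: float, guesses_per_second: float) -> float:
    """Expected cracking time in years at an assumed offline guess rate
    (the rate a guesser achieves against a stolen hash database varies
    enormously with the hashing scheme, so treat this as an estimate)."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Entropy and expected crack time for a few password-policy styles.
    Short-but-complex is compared with longer, simpler alternatives."""
    policies = {
        "8 random chars, full charset": entropy_bits(FULL_CHARSET, 8),
        "16 random lowercase letters": entropy_bits(LOWERCASE, 16),
        "4-word random passphrase": entropy_bits(DICEWARE_WORDS, 4),
        "6-word random passphrase": entropy_bits(DICEWARE_WORDS, 6),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "years_to_crack": years_at_rate(bits, guesses_per_second),
        }
        for name, bits in policies.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:32s} {result['bits']:6.1f} bits  "
              f"~{result['years_to_crack']:.3g} years at 1e10 guesses/s")
```

Run as written, the table shows that sixteen random lowercase letters (about 75 bits) or six random words (about 78 bits) carry far more entropy than eight random characters drawn from the full keyboard (about 53 bits), even though the longer secrets use a smaller alphabet. The caveat is that these figures assume uniformly random selection; a passphrase a person makes up from a favourite quote is nowhere near this strong, which is why the password managers mentioned above matter: they generate the random secret and remember it, so the employee is never tempted to write it down or reuse it.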
This discussion on passwords only scratches the surface. For more information on the survey results, you can find the full report summary at Clutch’s website.