Asia
Story image

Yubico report reveals troubling password behaviour

30 Jan 2019
Ben Moore
Share:
LinkedIn
Twitter
Facebook

Yubico, the provider of hardware authentication security keys, has released th results of the company’s 2019 State of Password and Authentication Security Behaviours Report, conducted by the Ponemon Institute. 

The Ponemon Institute surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France, although the results have global implications.

Yubico states that the purpose of this study is to understand the beliefs and behaviours surrounding password management and authentication practices for individuals both in the workplace and at home. 

It adds that the goal was to understand if these beliefs and behaviours align, and why or why not. 

The conclusion is that despite the increasing concern regarding privacy and protection online and a greater understanding of the best security practices, individuals and businesses are still falling short. 

Both parties are in dire need of solutions that will offer both added security and convenience.

“For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorised access. However, this multi-country research illustrates the difficulties associated with proper password hygiene,” says Yubico founder and CEO Stina Ehrensvard. 

“With every new password breach that we see, it’s become increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally.”

Key findings from this research include:

  • 63% of respondents say they have become more concerned about the privacy and security of their personal data over the past two years. Respondents reported being most concerned with Social Security number or citizen ID, payment account details and health information.

The reason respondents reported being more concerned about their privacy was due to government surveillance (59%), and the growing use of mobile devices (51%) and connected devices (40%).

  • Almost half of the respondents (47%) say their companies are most concerned about protecting customer information and 45% of respondents say they are most concerned about protecting employee information. 

  • As cyber attacks become more prevalent, vulnerabilities created by poor password and authentication practices lead to attacks such as phishing. More than half of respondents (51%) say they have experienced a phishing attack in their personal life, while 44% of respondents have experienced a phishing attack at work.

However, while phishing attacks are occurring on a frequent basis, 57% of respondents who have experienced a phishing attack have not changed their password behaviours.

  • Approximately two out of three respondents (69%) admit to sharing passwords with their colleagues in the workplace to access accounts and more than half of respondents (51%) reuse an average of five passwords across their business and/or personal accounts.

Furthermore, added protection beyond a username and password, in the form of two-factor authentication, is not widely used. 67% of respondents do not use any form of two-factor authentication in their personal life and 55% of respondents do not use it at work.

  • It is increasingly clear that new security approaches are needed to help individuals manage and protect their passwords both personally and professionally. On average, respondents report having to spend an average of 12.6 minutes each week or 10.9 hours per year entering and/or resetting passwords.

Based on the average headcount in this research of almost 15,000, we estimate the annual cost of productivity and labour loss per company averages $5.2 million annually.

  • Because managing passwords is inconvenient and cumbersome, 57% of respondents expressed a preference for passwordless logins that protect their identity. 56% of respondents believe that a physical hardware token offers better security.

Beyond the above-listed highlights, the full 2019 State of Password and Authentication Security Behaviours Report delivers further statistics based on the following themes.

  • How privacy and security concerns affect personal password practices
  • Risky password practices in the workplace
  • Authentication and account security in organisations
  • Differences in password practices and authentication security behaviours by age
  • Differences in password practices and authentication security behaviours by country

Data for this survey was collected by Ponemon Institute on behalf of Yubico. 

Ponemon Institute was responsible for data collection, data analysis and reporting.  

Ponemon Institute and Yubico collaborated on the survey questionnaire. 

All survey responses were captured from August 20 to September 4, 2018.

Related stories:
92% of businesses experience identity challenges - LastPass
Is the pain of resetting passwords finally over? 
Google 'will do better' after G Suite passwords exposed since 2005
Microsoft achieves FIDO2 certification for authentication solution
Businesses failing to secure BYOD - Bitglass
SolarWinds adds password management to security portfolio
Dig deeper:
Story image
11 Jul
RSA responds to increasing A/NZ regulations with new updates
The new data protection and privacy management capabilities will help business in the A/NZ region to better ensure data protection and privacy regulations and compliance, according to the company.More
Story image
04 Jul
Australia, NZ and Singapore in cybercriminal firing line
"Cybercriminals continue to develop new, more sophisticated attack methods, and they are carrying them out with astonishing frequency."More
Story image
01 Jul
Malware and malicious Office documents on the rise in 2019 - WatchGuard
Hackers are doubling down on well-known tactics like credential theft and ransomware by utilising fake Office documents and other attack avenues.More
Download image
Whitepaper: Why accurate log processing is key to effective SIEM
SIEMs form the core of many enterprises’ IT security strategies, but they can be expensive to deploy and maintain.More
Story image
Yesterday
Global banks fail to keep up with application security
One bank had an unpatched vulnerability that has existed since at least 2011.More
Story image
09 Jul
Cyber threats: Legacy systems aren't always the culprit
There is a common misconception that product security is the only way to mitigate vulnerabilities and threats. More
Story image
RSA responds to increasing A/NZ regulations with new updates
The new data protection and privacy management capabilities will help business in the A/NZ region to better ensure data protection and privacy regulations and compliance, according to the company.More
Story image
Australia, NZ and Singapore in cybercriminal firing line
"Cybercriminals continue to develop new, more sophisticated attack methods, and they are carrying them out with astonishing frequency."More
Story image
Malware and malicious Office documents on the rise in 2019 - WatchGuard
Hackers are doubling down on well-known tactics like credential theft and ransomware by utilising fake Office documents and other attack avenues.More
Download image
Whitepaper: Why accurate log processing is key to effective SIEM
SIEMs form the core of many enterprises’ IT security strategies, but they can be expensive to deploy and maintain.More
Story image
Global banks fail to keep up with application security
One bank had an unpatched vulnerability that has existed since at least 2011.More
Story image
Cyber threats: Legacy systems aren't always the culprit
There is a common misconception that product security is the only way to mitigate vulnerabilities and threats. More
Story image
Do we need cybersecurity training? Phishing remains problem area
“Implementing ongoing and effective security awareness training is a necessary foundational pillar when building a strong culture of security."More
Story image
10 times malware proved that MacOS isn't bulletproof
Mac users need to come to terms with the fact that their devices are not immune from attack.More
Download image
Whitepaper: Setting up syslog-ng storage in Elasticsearch
Elasticsearch, an easy-to-scale and easy-to-search NoSQL data store, has been gaining momentum as the ultimate destination for log messages in recent years.More
Download image
Log classification doesn’t have to be mundane and repetitive – here’s how
It’s not hard to say ‘I don’t envy you’ to system administrators who are lumped with the burden of classifying log messages every time somebody conducts an action on the network.More
Story image
Financial organisations plagued by spear phishing attacks
Finance department employees are most heavily targeted by these attacks, because they are most likely to deal with banks and other financial institutions.More
Story image
Overcoming deepfakes with deep learning
In the past couple of weeks, there have been high-profile examples of deepfakes, where deep learning, an advanced subset of AI, is used to manipulate videos to create fake videos.More
Story image
92% of businesses experience identity challenges - LastPass
Data from the report reveals IT professionals overwhelmingly (82%) agree that poor identity practices have exposed their business to risks.More
Story image
85% of enterprises struggling to protect network assets - Endace
Research conducted by Endace and VIB identifies the economic, resourcing, and management challenges that large enterprises face in protecting their networks.More
Story image
BlackBerry launches new threat hunting solution
CylanceGUARD is a subscription-based offering that validates, triages, analyses, prioritises, and automates analyst and incident engagement. More
Story image
HCL Technologies closes acquisition of IBM products
Company launches HCL Software business unit to operate the enterprise software offerings.More
Download image
Insider threats & breach reports: Why security needs more investment
Insider threats (those that come from within your organisation) are a serious concern - here's why.More
Story image
How to stop your data from getting hijacked - SolarWinds
Organisations often struggle to avoid man-in-the-middle attacks because hackers target infrastructure the organisation has almost no control over. More
Story image
Protecting remote staff from phishing attacks – WatchGuard
Close to 50% of Australian employees worked remotely for at least half the time, according to a 2018 survey by IWG. More
Story image
Responsible AI starts with responsible leaders - PwC
Responsible practices in artificial intelligence (AI) starts with how each individual organisation plans to strategise, design, develop, and deploy the technology. More
Story image
NTT fuses 28 tech companies into new provider
The merger will include some of NTT’s biggest businesses, including NTT Communications, NTT Security, and Dimension Data.More
Story image
Quest QoreStor update extends native cloud storage support
QoreStor 6.0 introduces a new Performance Tier accelerating backup, providing up to 2x recovery point objectives (RPO).More
Story image
Rapid increase in AI to detect fraud
"Criminals are finding new ways to exploit technology to commit schemes and target victims."More
Story image
Major vulnerability found Electronic Arts gaming client
Once exploited, the vulnerabilities would have led to player account takeover and identity theft, Check Point and CyberInt found.More
Download image
Whitepaper: Using syslog-ng’s pattern database to analyse log messages
Log messages can be used to detect security incidents, operational problems, policy violations, and are useful in auditing and forensics situations.More
Story image
UPDATED: Orvibo & Arlo smart home products patched to prevent attacks
The security of smart home devices is once again under the spotlight this week, as two different device manufacturers come under fire for major vulnerabilities.More
Story image
Probax launches Dropbox backup solution for MSPs
The solution gives businesses a backup of their Dropbox data and extends the retention of data beyond the native data recovery limits of Dropbox.More
Protecting organisations from insider threats - Bitglass
The biggest challenge for most external threat actors is gaining access to a target organisation, but insider threats already have this. More
CyberX launches automated threat extraction platform
Unlike other traditional threat intelligence, Ganymede focuses on IoT/ICS/OT-specific threat intelligence for industrial and critical infrastructure organisations.More
Thailand leads ASEAN into a secure digital future
As the chair country of ASEAN, Thailand aims to advance the community towards a future that includes a digital ASEAN.More
Amazon admits storing Alexa recordings until users take action
Amazon’s Alexa voice service is storing all user voice recordings and transcripts on its servers by default – and people who want to delete those recordings must do so manually.More
Financial institutions' websites most frequently attacked – report
Positive Technologies found that the majority of all web attacks in 2018 targeted sites of financial institutions, transportation companies, hospitality and entertainment companies.More
Using Splunk in conjunction with syslog-ng for log management
Collecting and centralizing log messages from network devices such as routers is one of the most common deployments of syslog-ng with Splunk.More
One Identity solution achieves new SAP certification
Customers can benefit from improved interoperability with SAP applications and with the large ecosystem of solutions that run on SAP NetWeaver. More
Whitepaper: Measuring SIEM’s ability to create actionable defence
Many organisations are struggling to keep pace with the speed in which hackers are attacking their system.More
Cybersecurity market increasingly competitive as public cloud segment grows
Cybersecurity solutions for public cloud and ‘as a service’ offerings are continuing to grow, however traditional hardware and software deployments still dominate the market.More
Enterprise at tipping point, says Symantec
Enterprises are struggling to keep up with the rapid expasion of cloud within their business. More
Who is really responsible for cloud security?
The joy and the temptation of SaaS is that it is so easy to buy without IT even needing to be involved. More
Bitdefender advances endpoint security solution for SecOps teams
“Rather than rely on a pure prevention or pure detection/response model, the most secure organisations will weave in strong prevention and speedy detection/response with integrated risk analytics.”More
Marriott, British Airways fines highlight critical need for security investment
The last week has brought heavy fines against the likes of global hotel chain Marriott and airline British Airways, casting a harsh spotlight on the price of cyber attacks.More
Huawei working to patch critical security vulnerabilities
Huawei is proactively working with Swascan researchers to fix the vulnerabilities, which could affect three main areas: confidentiality, integrity, and availability.More
Case Study: Education provider streamlines compute, network systems with HiveIO
Deploying Hive Fabric - a solution that provided a zero-layer VDI that eliminated complex environments and licensing – Sunnyside District saved $100,000 on infrastructure costs.More
Cybersecurity: Starting with the human factor
In a recent report by Dell EMC, it was discovered that data-loss incidents cost Singapore organisations an average of US$1.4 million over 12 months. More
Wandera reports on the state of mobile security in financial services
“In the financial services industry, as in many sectors, the security of client information is the most important asset."More
Whitepaper: Running syslog-ng in a Docker environment effectively
Syslog-ng is a log management application that enables you to collect logs from multiple platforms in a central space.More
More stories