SecurityBrief Asia logo
Asia's leading source of security and threat news
Story image
Tech Data to distribute Nutanix backup solution in A/NZ
Story image
Veeam releases v3 of its MS Office backup solution
Story image
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Story image

Yubico report reveals troubling password behaviour

30 Jan 2019
Ben Moore

Yubico, the provider of hardware authentication security keys, has released th results of the company’s 2019 State of Password and Authentication Security Behaviours Report, conducted by the Ponemon Institute. 

The Ponemon Institute surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France, although the results have global implications.

Yubico states that the purpose of this study is to understand the beliefs and behaviours surrounding password management and authentication practices for individuals both in the workplace and at home. 

It adds that the goal was to understand if these beliefs and behaviours align, and why or why not. 

The conclusion is that despite the increasing concern regarding privacy and protection online and a greater understanding of the best security practices, individuals and businesses are still falling short. 

Both parties are in dire need of solutions that will offer both added security and convenience.

“For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorised access. However, this multi-country research illustrates the difficulties associated with proper password hygiene,” says Yubico founder and CEO Stina Ehrensvard. 

“With every new password breach that we see, it’s become increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally.”

Key findings from this research include:

  • 63% of respondents say they have become more concerned about the privacy and security of their personal data over the past two years. Respondents reported being most concerned with Social Security number or citizen ID, payment account details and health information.

The reason respondents reported being more concerned about their privacy was due to government surveillance (59%), and the growing use of mobile devices (51%) and connected devices (40%).

  • Almost half of the respondents (47%) say their companies are most concerned about protecting customer information and 45% of respondents say they are most concerned about protecting employee information. 

  • As cyber attacks become more prevalent, vulnerabilities created by poor password and authentication practices lead to attacks such as phishing. More than half of respondents (51%) say they have experienced a phishing attack in their personal life, while 44% of respondents have experienced a phishing attack at work.

However, while phishing attacks are occurring on a frequent basis, 57% of respondents who have experienced a phishing attack have not changed their password behaviours.

  • Approximately two out of three respondents (69%) admit to sharing passwords with their colleagues in the workplace to access accounts and more than half of respondents (51%) reuse an average of five passwords across their business and/or personal accounts.

Furthermore, added protection beyond a username and password, in the form of two-factor authentication, is not widely used. 67% of respondents do not use any form of two-factor authentication in their personal life and 55% of respondents do not use it at work.

  • It is increasingly clear that new security approaches are needed to help individuals manage and protect their passwords both personally and professionally. On average, respondents report having to spend an average of 12.6 minutes each week or 10.9 hours per year entering and/or resetting passwords.

Based on the average headcount in this research of almost 15,000, we estimate the annual cost of productivity and labour loss per company averages $5.2 million annually.

  • Because managing passwords is inconvenient and cumbersome, 57% of respondents expressed a preference for passwordless logins that protect their identity. 56% of respondents believe that a physical hardware token offers better security.

Beyond the above-listed highlights, the full 2019 State of Password and Authentication Security Behaviours Report delivers further statistics based on the following themes.

  • How privacy and security concerns affect personal password practices
  • Risky password practices in the workplace
  • Authentication and account security in organisations
  • Differences in password practices and authentication security behaviours by age
  • Differences in password practices and authentication security behaviours by country

Data for this survey was collected by Ponemon Institute on behalf of Yubico. 

Ponemon Institute was responsible for data collection, data analysis and reporting.  

Ponemon Institute and Yubico collaborated on the survey questionnaire. 

All survey responses were captured from August 20 to September 4, 2018.

More:
Share on: LinkedIn Twitter Facebook
Story image
Tech Data to distribute Nutanix backup solution in A/NZ
Story image
Veeam releases v3 of its MS Office backup solution
Story image
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Why AI and behaviour analytics should be essential to enterprises
Cyber threats continue to increase in number and severity, prompting cybersecurity experts to seek new ways to stop malicious actors.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.
65% of manufacturers run outdated operating systems – Trend Micro
The report highlights the unique triple threat facing manufacturing, including the risks associated with IT, OT and IP.
Story image
WikiLeaks' Julian Assange arrested in London
There’s little doubt that it’s a day of reckoning for WikiLeaks cofounder Julian Assange today, after his seven-year long protection inside London’s Ecquador Embassy came to an abrupt end.
Story image
WatchGuard takes to the cloud with new platform
The platform delivers multi-tier and -tenant capabilities, scaling automatically to allow MSPs to create and manage unlimited customer accounts.
Story image
IDC: 2019 security spending to grow 20% in APeJ
“The Asia/Pacific region recognises that its no longer “under-the-radar” as far as breaches, hacks, and legislation is concerned.”
Story image
Yahoo proposes US$117.5m breach settlement - but will it be enough?
Judge Lucy Koh must decide if Yahoo's previous dodgy settlement tactics are forgiven in this latest proposal.
Story image
Cybersecurity spend tops $37b, but still only a fraction of IT investment
As spend continues to increase, cybersecurity only represents 2% of total IT expenditure, even as organisations increase protection against malicious threats and keep in line with data compliance regulations.
Story image
Okta introduces customisable building blocks for identity verification
Passwordless authentication, progressive profiling, per-app branding and unlimited use cases are now possible with the Okta Identity Engine.
Download image
Insider threats & breach reports: Why security needs more investment
Insider threats (those that come from within your organisation) are a serious concern - here's why.
Download
Download image
From magstripe to mobile: The evolution of access management
HID Global examines solutions available today, the future of mobile access, and why it’s critical to ensure that each component of the access control ecosystem is as secure as possible.
Download
Story image
Interview: Uber's CISO reveals lessons learned from breaches
Uber’s chief information security officer John ‘Four’ Flynn has a career history that many technologists could only dream of.
Download image
DNS attackers love legacy systems - but how much damage can they inflict?
DNS infrastructure is vulnerable in terms of its security, availability, and integrity. An attacker just has to exploit the Domain Name System (DNS) on legacy systems and they get free reign. 
Download
Story image
Why multifunction devices need biometric security
PINs, or ID badges on card readers are important basic measures, but can still leave information vulnerable in the case that they’re lost, stolen, or copied.
Story image
Okta enables developers to create unlimited platform integrations
Advanced development functionality provided by Hooks opens the Okta Integration Network to a wide array of new types of custom, secure integrations.
Story image
Okta launches risk-based authentication with machine learning
The new feature will allow enterprises to automate security by implementing significantly stronger authentication techniques and remediation when the scenario calls for it.
Story image
Okta launches $50mil fund to fuel identity solutions startups
The fund will seek out startups that are aligned with Okta's vision of enabling any organisation to use any technology.
Download image
Whitepaper: How to improve your cybersecurity sales pitch
Boards and executives who normally approve funding for IT security projects do not speak tech - they speak the language of ROI, NPV, etc.
Download
Story image
Network security providers dominate cybersecurity - Canalys
Cisco, Palo Alto Networks and Fortinet, all with a strong focus on network security products, outperformed the market, recording strong double-digit growth.
Story image
Five ways to strengthen email security - Barracuda
Organisations need a defence posture that is able to detect and prevent attacks before they cause harm.
Story image
Trend Micro announces security products for Google Cloud Platform, Kubernetes and Gmail
“It is critical for enterprises to remember that they share in the responsibility of what they put in the cloud.”
Story image
How to overcome the multi-cloud security challenge
"A growing number of organisations are making strategic choices to avoid relying too heavily upon any single cloud service provider."
Download image
Whitepaper: The Mobile Risk Matrix - how exposed are you?
The proliferation of cloud services has increased the attack surface to include applications, devices, networks, and external web and content delivery methods.
Download
Story image
Millions of Facebook user records exposed in latest data leak
UpGuard reported that each of the data sets was stored in its own Amazon S3 bucket configured to allow public download of files.
Download image
The 3 essential elements to consider with SaaS security
Speed, ease of use, and low capital expenses are just some of the factors driving the continued growth in SaaS security adoption.
Download
Download image
Whitepaper: How to manage mobile risk in a perimeter-less work environment
Enabling mobility and the ability to access data seamlessly is a great development for enterprise productivity, but it causes a serious challenge to security teams.
Download
Download image
Product review: LogRhythm CloudAI a revolutionary tool
SANS has provided an independent review of a new AI analytics solution designed to rescue businesses 'drowning in data' from SIEM platforms.
Download
Download image
Security and mobility in a mobile-first world
Explore security, productivity, mobility, and what solutions are available to you. Here's how to move your organisation towards the mobile-first world, securely. 
Download
Download image
Case Study: Infoblox protects the network that hosts City University’s curriculum
After recovering from a ransomware attack, City University began to work with Infoblox to bring its network security to the next level.
Download
Story image
AlgoSec launches security and compliance management for multicloud
CloudFlow’s centralised management gives organisations visibility, risk and compliance analysis, and automated detection of misconfigurations.
Story image
Certificate-related outages impact 60% of businesses - Venafi
Certificate-related outages harm the reliability and availability of vital network systems and services while also being difficult to diagnose and remediate.
Story image
Fortinet drives security-based networking with new SD-WAN offerings
At Fortinet Accelerate 2019 in Orlando, the company unveiled its SD-WAN solutions, including what it calls the industry’s first SD-WAN ASIC.
Download image
Whitepaper: Five essential steps to protect your company’s critical data
The increase in devices being used by employees and the number of cloud apps necessitate multiple different channels of accessing a company’s information in a secure manner.
Download
Download image
Digitally transform or fall behind - 3 key points to remember
In this report Unisys details three key areas focus on when implementing a successful digital transformation as with every opportunity comes risk.
Download
Story image
AI-driven security is no longer optional: "It's a requirement"
“The adoption of AI is critical for security teams to gain predictive advantage, particularly to protect against malware and to detect and respond to traditionally evasive non-malware threats."
Story image
Okta brings centralised identity security to servers
“Server access has traditionally relied on shared credentials that may never change, and that creates significant vulnerabilities for large or growing organisations.”
Story image
How technical research can help businesses stay secure
“More organisations should reveal their experiences with cybercrime, rather than try to cover them up."
Story image
Bromium uncovers major malware distribution centre
Over a dozen US-based web servers from far-right linked hosting service are being used to target businesses with mass phishing campaigns spreading malware.
Story image
Sophos offering mobile device management with Microsoft Intune integration
Running on Microsoft Azure, the Sophos integration will enable IT administrators to configure individual device usage policies within Microsoft Intune.
Story image
85% of organisations struggling with access management – Thycotic
More than 50% of the organisations surveyed said privileged accounts never expire or get deprovisioned.
Story image
Survey shows organisations in the dark about shadow mining threat
To be successful and remain undetected, shadow mining depends on deliberately configuring security systems to function incorrectly.
Story image
Combat converged IT and OT security risks - Forescout
At specific risk are healthcare organisations, manufacturers, energy providers, and any business where building management technology is part of the IT network.
Story image
US students hack school WiFi network
Two high school students in the United States were arrested for allegedly hacking their school’s WiFi network to avoid taking a test, proving that education institutions still have work to do when it comes to securing their networks.
Download image
How using syslog-ng to store logs could help your business
Syslog-ng is a high-speed data processor that parses both structured and unstructured log messages.
Download
Story image
Flashpoint global channel strategy seeing dividends
The company’s channel-driven revenue has also grown more than 200% since it signed its first partner in 2015.
Story image
Thales completes 15-month Gemalto acquisition
The combination creates a portfolio of digital identity and security solutions based on technologies such as biometry, data protection, and, more broadly, cybersecurity.
Download image
Whitepaper: How classifying your log messages makes for happier sysadmins
Operating systems, applications, and network devices generate text messages of the events that happen to them.
Download
Story image
Study analyses drones' potential to be weapons of cyber attacks & terrorism
The biggest challenge, according to the research, is finding out what a drone's purpose is in a non-restricted area.
Story image
Sphere Identity launches self-sovereign identity platform
“Customer dropoff, revenue loss, data harvesting, and security breaches have become characteristic of this digital age, for both businesses and consumers.”
Download image
Should you run your central log server in Docker?
Collecting logs can be especially important in a containerized environment, where you start and stop containers around the clock.
Download
Story image
Aruba announces new automated IoT security solutions
When addressing their IoT strategies, organisations globally are faced with new security and connectivity challenges.
Download image
Whitepaper: The key to maximising office space efficiency
Most offices worldwide are approximately 50% under-utilised on any given day, causing issues for facility management in understanding the number of people in a facility.
Download
Story image
Okta announces security layer for on-prem apps
For many organisations, the present and the future will be hybrid, with mission-critical applications residing both on-premises and across multi-cloud environments.
Story image
Streaming services prime targets for credential stuffing attacks
Video and streaming services are prime targets for cyber attackers who attempt to conduct credential stuffing attacks, according to new research from Akamai.
Download image
An insider's tips on how to get more from your Splunk platform
Having the right tools is only half the battle, not until you can leverage them most effectively can you see the gains that properly managed data can provide.
Download
Download image
Can your vulnerability assessments protect your organisation?
33% of enterprises surveyed are at a low maturity, conducting only limited assessments of selected assets.
Download
Story image
Experts and execs comment on Facebook data leak
“Tech companies are the custodians of user credentials and other personally identifiable information, a valuable resource in today's world.”
Download image
Navigating the complicated world of DNS security
Over the years, DNS, both the protocol and the servers, have become the target of a variety of attacks, including the Lion worm.
Download
Download image
Study: Is it possible to detect breaches as they happen
Breaches often happen when businesses least expect them, causing slow reaction times and possibly catastrophic loss.
Download
Story image
Organisations putting stronger focus on data encryption – report
Cloud data protection requirements continue to drive encryption use, with encryption across both public and private cloud use cases growing over 2018 levels
Download image
Are you building (or breaking) digital trust?
Business leaders can wait and be forced to respond to market change, or they can embrace digital and lead market change themselves.
Download
Story image
Honeywell launches online enterprise app store
The Honeywell Marketplace provides direct access to enterprise mobile apps, enabling software vendors to directly engage customers and collaborate with other developers.
Story image
96% of Singaporean businesses breached in the past year
"Our first Singaporean threat report indicates that organisations in Singapore are under intense pressure from escalating cyberattacks."
Download image
Whitepaper: How you can simplify compliance and SIEM with efficient logging
IT environments generate log messages with a variety of functions and significance to an organisation – but they’re only useful if they trigger the necessary responses.
Download