Data breaches and security incidents continue to make the headlines as a constant reminder to enterprises, SMBs and other organizations of the threats to which they are exposed. Even as data security and regulatory compliance policies get stricter, and security products become more sophisticated, bad actors keep finding new ways to get at organizations' intellectual property. No one is exempt, whatever their industry, sector, location or size. While SMBs may once have believed they were under the radar, that hasn’t been the case for a long time now – often they have much larger companies as customers, which makes the potential gain for fraudsters greater and the consequences of a security breach more severe.
Despite IT departments taking the steps needed to protect their organization from cyber-attacks – from hardening the network infrastructure against infiltration, to implementing firewalls and securing endpoint devices – password security, although seemingly straightforward, is often overlooked. Organizations are spending millions of dollars securing their infrastructure, but more often than not, it’s their trusted employees who are unintentionally putting intellectual property at risk through poor password management practices.
Passwords have long been the weakest link in IT security and a leading source of data breaches. In fact, in 2021 over 60 percent of reported data breaches were password and credential related. In one of the most recent breaches reported, a ransomware extortion group disclosed that it had breached chipmaker AMD’s network on January 5, 2022. The group claims that simple passwords such as “123456”, “password” and “Welcome1” used by AMD employees enabled the data breach.
Companies have implemented single sign-on (SSO) to help protect their organizations from breaches, but what about all the other passwords that are not connected to SSO – for legacy applications, unauthorized applications, network systems and encrypted documents?
Despite strict password policies, bad password management practices among employees are putting organizations at risk
Putting strict password policies in place to cover all of the accounts not connected to SSO is one way of dealing with this. However, while created with the best of intentions, password policies that require every password to be strong and distinct and to be changed every couple of weeks are impossible to enforce and police without the right tools in place. Given the sheer number of passwords the average employee uses, adhering to these policies is simply too much to ask. Employees respond by creating weak passwords that are easy to remember (and consequently easy to crack), or by writing more complex passwords on sticky notes and in plain text files. Many also reuse the same password across multiple accounts and have no secure way of sharing passwords with other team members. All of these behaviours compromise data and put businesses at huge risk.
Furthermore, the prevalence of shadow IT, which has long been an ongoing challenge for IT departments, has continued to grow as remote working becomes the new norm. Employees are turning to “unsanctioned” applications – email accounts, messenger platforms, video conferencing products, collaboration tools and file-sharing services – to help them do their jobs more efficiently. This is increasing businesses’ exposure to risk, leaving intellectual property and data open to cyberattacks.
Bearing in mind that the average cost of a data breach in 2021 for US companies was estimated at $4.24 million, the business case for organizations to incorporate password management solutions into their wider security strategy is clear. So why is it that, despite their proven ability to improve password hygiene by generating strong and unique passwords, auto-filling passwords and credentials, storing passwords and files, and auditing password security, 70% of organizations are still not using a password manager?
Concerns over data security and compliance are preventing organizations from implementing password management solutions
The number one reason relates to concerns over where data is stored: security and compliance.
The approach shared by many of the password management solutions on the market today requires business-critical data, such as passwords and other sensitive information, to be stored outside the organization – on the service provider’s cloud. For highly regulated businesses with strict data compliance rules and security policies, this is not a viable option. They are either mandated not to, or simply do not want, their passwords and other sensitive data to be stored outside the trusted boundaries of their infrastructure. On top of this come the security issues and concerns about ongoing compliance with data protection laws such as GDPR and CCPA. Managing and maintaining data compliance is a huge burden on businesses, so it is no wonder they want to avoid the additional complexity of storing data outside the boundaries of their own IT infrastructure.
Self-hosted solutions, designed to keep an organization’s credentials and other files within the trusted boundaries of its local IT infrastructure, provide an alternative approach. However, they come with inconveniences of their own. Self-hosted solutions require additional resources to manage an on-premises server installation, plus the ongoing burden, overheads and cost of monitoring and patching it. They need to be constantly monitored, and all of the machine’s software (the OS, bundled components and dependencies) needs to be patched for vulnerabilities. What’s more, with a self-hosted solution security depends not only on the product itself, but on the software stack required to run it. Self-hosted deployments have also been found to be slow at updating to the most recent product version – the resources and overheads required to test before deployment, concerns about downtime and fear of patches disrupting workflows have all been barriers. When a vulnerability is publicly reported, as with the Zoho ManageEngine ADSelfService Plus password manager earlier this year, this delay gives attackers a window of opportunity to exploit it.
Are “offline” password managers the wave of the future?
A new wave of “offline” password management solutions is responding to the concerns and needs of organizations. This approach lets businesses keep their passwords and other sensitive data and files within their own IT infrastructure, with no need to self-host additional servers. Sometimes referred to as local password managers, they give businesses the freedom to choose where they store their data – on employee devices, or in their existing business cloud – which means it stays compliant with existing data policies.