World Password Day
The first Thursday of May is designated World Password Day, which is arguably more important than before, given that several organizations around the globe have some percentage of their workforce operating remotely in response to the COVID-19 pandemic.
On 7 May, OneLogin released a new study that looked at approximately 5,000 remote workers across the United States, the United Kingdom, France, Germany, and Ireland, with the aim of determining how remote work has impacted cybersecurity and password practices. While 63 percent of respondents believe that businesses will continue encouraging remote work post-pandemic, OneLogin’s study also found that in many regions best practices concerning passwords have not been a priority. This combination means that organizations’ data is at risk.
A few significant findings from the study include the following:
- U.S. remote workers are three times more likely than French remote workers to use work devices for accessing websites featuring “adult entertainment.”
- 36 percent of global respondents admitted they have not changed their home WiFi password in more than a year, leaving corporate devices exposed to a potential security breach.
- A third of U.S. respondents have downloaded an app on their work device without approval.
“From high-risk sites to video streaming channels, the fact is that users are exposing their businesses to vulnerabilities by accessing non-verified and insecure web pages,” said Alexa Slinger, OneLogin’s customer enablement operations manager.
Slinger pointed to a few actions that organizations can take to reduce their exposure to potential attacks, including ensuring that all users keep their web browsers and applications updated with the latest security patches and enable pop-up blockers; running antivirus- or malware-detection programs regularly on all corporate devices; and refusing admin access to end users, which can prevent users from downloading potentially harmful software and minimize the damage from a bad download.
Using your pet’s name as your password? 🐶 You’re not alone! Check out our #WorldPasswordDay blog on common password habits to avoid so you can stay secure. https://t.co/DYeeJM9p6g pic.twitter.com/kppBjcaJmN
— McAfee Home (@McAfee_Home) May 7, 2020
One significant issue highlighted by the study is the practice of workers sharing device passwords with their partners and children. In fact, an estimated one out of five, or 21 percent, of U.S. workers have shared a work-related password electronically, which is more than twice as many as UK employees (7.8 percent).
Because sharing passwords could expose corporate data, it becomes a problem if a shared password is discovered by someone willing to exploit that access.
Essentially, sharing your password is not unlike sharing your social security number or another unique identifier, Slinger said. Although a family member may not be intentionally trying to compromise a work device, they’re still a point of access. “Let’s say you share your password with your child, who is homeschooling due to COVID-19, and they decide to hop onto your work laptop to write an assignment,” Slinger postulated. “Next, they send that document to their teacher to look over, which is reviewed and sent back to your corporate device. The teacher unknowingly has malware on their computer, and a virus hitches a ride on the document back to you, exposing the corporate network to damage and compromising other identities where you may be reusing this password.”
The World Economic Forum noted in January that four out of five global data breaches stem from weak and stolen passwords.
“As users create more accounts for social media profiles, email addresses, financial services portals, online gaming profiles, corporate accounts, and more, they often opt to reuse the same password and username combination being used to log in to applications, which means it can still be attacked by a bad actor who gains access to the information,” said Ben Goodman, a senior vice president of global business and corporate development for ForgeRock, a multinational identity and access management software company.
Goodman suggested leveraging technological advances to counteract password vulnerabilities, such as biometric authentication. “By adopting a passwordless approach, organizations provide users with frictionless, secure digital experiences.”
#WorldPasswordDay! @CISAgov & @NCSC recently exposed malicious “#password spraying” campaigns against healthcare and other essential organizations. Check out their tips to protect your organization from #PasswordSpraying 👇 & learn more here: https://t.co/YYPv27MMIQ pic.twitter.com/c2mURWlZp7
— Cybersecurity (@cyber) May 7, 2020
Compromised password security is not the only vulnerability for remote workers. On 8 April 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre released a joint alert concerning cybercriminals’ exploitation of the pandemic.
We've lost count of people using 123456 as a password...
Keep your account secure by using three random words https://t.co/6pEf004ohb #WorldPasswordDay pic.twitter.com/pVOCI3ELOC
— NCSC UK (@NCSC) May 7, 2020