To coincide with Australia’s annual cybersecurity awareness event, Stay Smart Online Week, LastPass by LogMeIn has recently released the results of its 3rd annual Global Password Security Report, a study that offers insights into employee password behaviours and emerging trends around identity and access management.
The report, which covers more than 47,000 organisations using LastPass, found that while more businesses are investing in security measures like multi-factor authentication (MFA), employees still have poor password habits that impact their companies’ overall security posture.
The report found that employees in small businesses (1-25 employees) have an average of 85 passwords, while those in larger companies (1,001-10,000 employees) have an average of 25 passwords. The average Australian employee has 66 passwords. Very few of these passwords are completely unique, and globally, Australia ranked equal second highest for the average number of passwords reused per person (14). Due to greater availability of resources and awareness of regulations, larger businesses may be more likely to have Single Sign-On (SSO) solutions in place that enable employees to access more apps with fewer passwords. However, fewer than 50% of all businesses have an SSO solution that could make it easier for employees to manage passwords.
Positively, the study found that more businesses are actively investing in security measures like multi-factor authentication (MFA). Globally, MFA use grew from 12 per cent to 57 per cent in 2019. Australian adoption of the technology has also increased significantly among LastPass users, from 6 per cent to 29 per cent in the past 12 months. Given that compromised or stolen credentials underpinned most cyber incidents that led to data breaches in the first year of the Notifiable Data Breaches (NDB) scheme, the shift towards MFA shows that measures to reduce the risk of stolen credentials are being implemented.
The report’s release and its findings also coincide with this year’s Stay Smart Online Week theme of “Reverse the Threat”, which aims to empower Australians to take control of their online identity by educating them on threat prevention measures such as MFA and stronger password creation tactics.
Lindsay Brown, Vice President of APAC at LogMeIn, said, “Australian businesses are starting to take greater control of their password security – a likely result of regulatory changes across the industry. Unfortunately, MFA use alone cannot protect an organisation and overall security hygiene must be elevated if we’re to see better results in the next Notifiable Data Breach Report.”
“Securing employee access has never been more important and unfortunately, we see businesses ignore password security altogether, or only half-heartedly attempt to address it,” said Gerald Beuchelt, Chief Information Security Officer at LogMeIn. “This report further highlights the importance of using the identity and access management tools available to information security managers in addition to maintaining focus on employee training to improve password habits.”