Does It Make Sense to Leave Email Security to Tech-Fatigued Employees?
Business professionals outside the managed IT sector don’t always understand how hackers obtain employee passwords to perpetrate a data breach. From a non-tech point of view, no one seems to be looking over your shoulder when you log on to the network. But given all the splashy headlines about massive data breaches, it’s safe to say digital thieves have proven tools at their disposal. Industry leaders need two questions answered about employee passwords. How bad is your password security? And what can you do to harden your defenses?
Employee Password Fatigue Puts Businesses at Risk
One of the reasons digital thieves have been so effective is that everyday people have wide-ranging online accounts and tend to suffer from “password fatigue.” CPO Magazine indicates that among 1,000 employees, you are likely to find only about 25 unique passwords.
That’s mainly because living and working in the digital age tasks people with having passwords for bank accounts, credit cards, live streaming, e-commerce, personal email, and business profiles, among many others. Being asked to remember all of those usernames and accompanying passwords overwhelms even the most security-minded individual. Using easy-to-remember passwords and repeating them across platforms tends to be practical, and the following statistics bear that out.
- Upwards of 65 percent of internet users copy the same passwords across multiple platforms
- Only 35 percent of people use a different password on every account
The primary concern for organizations is that a reported 80 percent of data breaches in 2019 resulted from compromised passwords. Adding insult to injury, more than 90 percent of those polled understood the risk of repeated passwords. Nearly 60 percent did it anyway. Weak and repetitious passwords are like low-hanging fruit for garden-variety hackers who use three primary methods to discover passwords.
- Brute Force: Online criminals employ automated software to match a username with a password. When companies allow staff members to use their company email as a username, hackers have 50 percent of the puzzle. When commonly used passwords such as a local sports team, favorite band, or “password123” are selected, systems get breached quickly.
- Dictionary Hacks: Another automated method involves running a refined dictionary of terms against a username. These word and character choices typically include overused passwords. What makes these so risky is that a hacker could be after someone’s credit card account and gain access to your entire business network due to repeated passwords.
- Social Engineering: Although technically not considered a “hack,” social engineering typically uses email as a pathway. Digital scammers send phony emails or electronic messages that appear legitimate. They may resemble a supervisor’s email or a trusted colleague. The end goal is to have an unsuspecting employee give them a password or sensitive information. If you believe your boss just asked for your password, you are inclined to comply with that request. That’s why social engineering remains an effective scam.
To say the password landscape is a cybersecurity disaster would be something of an understatement. So, what can you do about it?
How to Harden Your Password Cybersecurity
The first step to secure passwords calls for admitting the truth. No matter how much confidence you have in team members, someone will fail to follow the organization’s cybersecurity guidelines. The facts about password fatigue support that conclusion. Password fatigue also rules out insisting employees use strong passwords that include random letters, numbers, and characters. That’s why automated managed IT solutions are necessary.
Organizations that leverage technologies such as two-factor authentication, multi-factor authentication, and random password generators, among others, help eliminate bad habits that increase data breach vulnerabilities. You can trust valued employees with many things. Consistently using secure passwords is not one of them.
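As an added illustration (not part of the original article or any vendor's product), the sketch below shows the kind of automated control described above: screening a chosen password against a common-password list and the employee's email username, and generating a random password instead. The function names, the small denylist, and the example.com address are assumptions constructed for this example.

```python
import secrets
import string

# Constructed sample denylist; a real deployment would load a large list of
# breached or commonly used passwords.
COMMON_PASSWORDS = {"password123", "123456", "qwerty", "letmein", "welcome1"}

# Characters the generator draws from (letters, digits, a few symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def screen_password(candidate, email, min_length=12):
    """Return the reasons to reject a candidate password (empty list = accept)."""
    problems = []
    lowered = candidate.lower()
    local_part = email.split("@", 1)[0].lower()
    if len(candidate) < min_length:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("on common-password list")
    # When the company email doubles as the username, a password built from it
    # is among the first guesses an automated dictionary run will try.
    if len(local_part) >= 3 and local_part in lowered:
        problems.append("contains email username")
    if len(set(lowered)) < 5:
        problems.append("too few distinct characters")
    return problems


def generate_password(length=20):
    """Generate a random password using the OS CSPRNG (secrets module)."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until every character class is present.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


if __name__ == "__main__":
    for pw in ("password123", "Jsmith-Spring2024!", generate_password()):
        print(repr(pw), "->", screen_password(pw, "jsmith@example.com") or "accepted")
```

Screening of this kind complements, rather than replaces, the two-factor and multi-factor authentication mentioned above.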