Strong passwords don’t matter if employees don’t secure them

The line between personal and professional use of apps and devices continues to blur, and while employees claim to prioritize online security, data fro Ping Identity shows they are struggling to consistently follow best practices and take accountability for their actions. In the event of a data breach, most employees say the blame would fall on IT and not on their own risky behavior.

“Employees are doing some things really well to keep data secure, like creating unique and difficult-to-guess passwords, but are then reusing passwords across personal and work accounts or sharing them with family or colleagues,” said Andre Durand, CEO of Ping Identity. “No matter how good employees’ intentions are, this behavior poses a real security threat. IT continues to shoulder the burden of enabling mobility in a secure manner and educating employees on safe online behavior, but those efforts are falling short, too. This is a defining moment for CISOs and CEOs, and tackling these pervasive disconnects will require both to come together to rethink how they ensure that the right people have access to the right data from any device, no matter where they are.”

The results revealed that while enterprise employees claim to prioritize online security and understand risky versus safe behavior, they fail to follow best practices consistently. Unsafe password practices were particularly noteworthy given the high value respondents place on their passwords.

• 58 percent of respondents believe that protecting work-related information is very important — even more so than their personal emails and home addresses.
• Even though 78 percent believe that it’s risky to share passwords with family members, 37 percent are likely to do so. The majority of respondents (54 percent) also admit to sharing their login information with family members so they can access their computers, smartphones and tablets.
• Half of respondents admit that they are likely to reuse passwords for work-related accounts. Nearly two-thirds (62 percent) are likely to reuse passwords for personal accounts.
• While 66 percent say they wouldn’t give up their personal email login credentials for anything, a surprising 20 percent would trade them for a paid mortgage or rent for one year, and 19 percent would give up their personal email login credentials to pay off student loans or higher education tuition.
• People are more careful concerning their work login credentials: 74 percent would not give up their work email login credentials for anything.

The survey respondents credit IT for implementing good or excellent password policies and enforcement. However, they also lack confidence in the IT department’s efficacy in preventing data breaches. In the event of a data breach, most employees say the blame would fall on IT rather than their own personal risky behavior.

• 82 percent say their company has good or excellent password and authorization measures in place.
• 76 percent are prompted to change their passwords every one to three months by IT.
• 59 percent believe IT is ultimately accountable in the event of a corporate data breach. C-level executives are the next to be held accountable, at 17 percent.
• Only one in 10 employees (11 percent) believe they can be held accountable for a breach.

Ping Identity surveyed 1,000 employees at U.S. enterprise organizations (classified of having more than 1,000 employees).