Half of IT Leaders Store Passwords in Shared Docs
Nearly half (46%) of IT and security leaders still store corporate passwords in office documents like spreadsheets, exposing their organization to significant cyber risk, according to a new study.
Identity management vendor Hitachi ID polled 100 executives across EMEA and North America to better understand how secure their password management is.
It estimated that each employee might have as many as 70-100 passwords and “decentralized secrets” that could be used by attackers to gain access to and move through an organization.
Although nearly all (94%) respondents claimed they require password management training, with 63% saying they do so more than once a year, many appear not to be following their own advice. Just 30% said they use company-provided password managers, and some even resort to pen and paper.
“It raises an important question about how effective password management training is when nearly half the organizations are still storing passwords in spreadsheets and other documents, and 8% write them on sticky notes,” said Nick Brown, Hitachi ID CEO.
“Insecure passwords are still a leading cause of cyber-attacks, and education alone is clearly not enough.”
Question marks were also raised about the risks posed by departing employees. Only a third of respondents said they were “somewhat” (20%), “moderately” (8%) or “extremely” confident (5%) that they could transfer passwords, terminate access and maintain business continuity if they urgently needed to terminate an employee.
Last year it emerged that a former employee at a credit union destroyed 21GB of corporate data, including 20,000 files and almost 3500 directories, in retaliation for being fired.
Although a colleague requested that the firm’s IT support provider disable the woman’s network access, she was apparently able to use her username and password as normal for around 40 minutes.
Some 29% of respondents to the Hitachi ID study said they’d experienced an incident in the past year where they lost access to systems after an employee left the organization.