Weak Passwords Are Costing Enterprises Millions

Homeowners can put every security measure in place available to them, from security cameras to alarm systems and so on, but if they leave the front door open, the invitation for a robber is essentially signed, sealed and delivered.

The same goes for a business and its IT administration. The most basic function of protecting data in the enterprise is to not allow unauthorized users access, and that usually comes via username and password. The password is the front door to a company’s sensitive data, and a new study explains that most enterprises aren’t just keeping it unlocked, but fully open for entry.

A survey conducted by OneLogin pulled responses from more than 500 IT decision makers in the U.S. who have influence over their company’s security processes and found some harrowing results, from companies not enforcing stronger passwords to IT departments not using newer technologies to safeguard their data.

Some key findings showed:

• 25% of companies don’t require user passwords to meet a minimum length requirement
• Only 24% of companies require users to rotate passwords on a monthly basis
• Less than half – 49% – of companies require internal users to follow a basic password complexity policy
• Only 36% are using multi-factor authentication internally and 34% are using multi-factor authentication to manage external access

The figures are disparaging, to say the least, especially in a time when hacks have become commonplace and companies of all sizes and industries are constantly being targeted by cyber criminals. But the cost of bolstering security measures – better password control, stronger authentication practices – pales in comparison to what the damage of a breach could do to an enterprise’s bottom line.

As previously reported by Enterprise Mobility Exchange, while the average cost of a breach across the globe dropped from $4 million to $3.62 million, the U.S. bucked the trend and saw an uptick from $6.69 million to $7.35 million for the average cost of a breach.

Businesses large and small need to ask themselves a simple question: are lackluster password controls worth millions of dollars in damage?

Some companies are moving beyond the password altogether, proving its effectiveness is no longer stronger enough to contend with hackers. For example, health insurance provider Aetna announced earlier this year it would be moving to a mixed form of behavioral based and biometric authentication.

The company’s Director of Global Security Innovation, Brian Heemsoth, says in the past authentication has been a single event, taking place only when an application is launched, but as mobile use moves forward – and security becomes the single-largest mobile priority – authentication will take on new forms like continuous, risk-based, native integration into application interactions.

Password protection spans the entire device landscape – from desktop equipment to mobile – truly is the first line of defense for enterprises. Security is business critical enterprise wide, and should be treated with the same importance as the lock on the front door.