With Data Privacy Day looming this weekend, experts are warning companies to close up lingering process gaps as Australian companies continue to fall behind world’s best practice in areas such as managing passwords and preventing users from sharing them.
A recent Ovum Research-LastPass study, Close the password security gap: convenience for Asia-Pacific employees and control for IT, found that nearly 80 percent of APAC IT executives lacked controls over password security and were instead relying on end users to practise good password safety.
That was a big ask given that 22 percent of Australian respondents said they had shared credentials with co-workers and 11 percent had shared passwords with third parties. This was well ahead of the 16 percent average for the APAC region.
Such practices came despite respondents indicating they are well aware of the dangers of poor password practices: Fully 47.46 percent of respondents rated the sharing of passwords on paper as the highest-risk of six behaviours – just ahead of using weak passwords (42.37 percent), sharing passwords via email, messaging or text (41.53 percent), or reusing passwords (34.75 percent).
The warnings corroborate other new data highlighting the poor state of security practices: Okta’s latest Businesses @ Work 2018 report, for example, analysed anonymised data from the company’s enterprise authentication tool to evaluate application usage and application-based attack trends over the past year.
Chinese IP addresses accounted for 48 percent of all observed attacks, well ahead of the US (7.7 percent), France (4.5 percent), and Russia (3.4 percent). Reflecting the truly global nature of cybercrime, however, fully 23 percent of attacks came from Tor exit nodes.
An Okta analysis of a separate breached password list showed that just 49.5 percent met the NIST recommendation of using at least 8 characters, while just 4 percent of currently-used passwords would meet the ideal of having at least 8 characters, one uppercase letter, one lowercase letter, and one number.
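The two thresholds described above can be turned into a small audit script. The following is an added example, not code from the article or from Okta's report: it classifies a constructed list of passwords (not real breached data) against the 8-character minimum and the stricter length-plus-upper-lower-digit criterion, and also screens each one against a constructed blocklist of known-breached values. The sample list, the blocklist and the `PolicyResult` structure are all assumptions made for the example.

```python
"""Added example (not from the article or Okta): measure what share of a
constructed password list meets (a) the 8-character minimum and (b) the
stricter 8+ chars / upper / lower / digit criterion the report describes."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class PolicyResult:
    total: int
    meets_length: int      # at least MIN_LEN characters
    meets_ideal: int       # MIN_LEN+ chars with upper, lower and digit
    in_blocklist: int      # appears in the constructed breached-password list

    def _pct(self, n: int) -> float:
        return round(100.0 * n / self.total, 1) if self.total else 0.0

    @property
    def pct_length(self) -> float:
        return self._pct(self.meets_length)

    @property
    def pct_ideal(self) -> float:
        return self._pct(self.meets_ideal)


MIN_LEN = 8

# Constructed blocklist standing in for a real breached-password feed.
BREACHED_BLOCKLIST = {"password", "123456", "qwertyuiop", "iloveyou", "letmein"}


def meets_min_length(pw: str, min_len: int = MIN_LEN) -> bool:
    """NIST-style minimum length check (length only)."""
    return len(pw) >= min_len


def meets_ideal(pw: str, min_len: int = MIN_LEN) -> bool:
    """The report's stricter criterion: length plus three character classes."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def in_breach_list(pw: str, blocklist: set = BREACHED_BLOCKLIST) -> bool:
    """Screen against known-breached values (case-insensitive on purpose)."""
    return pw.lower() in blocklist


def evaluate(passwords: Iterable[str]) -> PolicyResult:
    pws = list(passwords)
    return PolicyResult(
        total=len(pws),
        meets_length=sum(meets_min_length(p) for p in pws),
        meets_ideal=sum(meets_ideal(p) for p in pws),
        in_blocklist=sum(in_breach_list(p) for p in pws),
    )


# Constructed sample input; none of these are real user credentials.
SAMPLE_PASSWORDS = [
    "password",      # 8 chars but no upper/digit, and breached
    "Passw0rd",      # meets the ideal
    "123456",        # too short, breached
    "letmein",       # 7 chars, breached
    "Summer2024!",   # meets the ideal
    "qwertyuiop",    # length only, breached
    "abc",           # too short
    "Welcome1",      # meets the ideal
    "iloveyou",      # length only, breached
    "ADMINADMIN",    # length only (no lower, no digit)
]

if __name__ == "__main__":
    r = evaluate(SAMPLE_PASSWORDS)
    print(f"{r.total} passwords: {r.pct_length}% meet length, "
          f"{r.pct_ideal}% meet the ideal, {r.in_blocklist} are breached")
```

One caveat for anyone turning this into policy: NIST SP 800-63B recommends screening against breached-password lists and discourages mandatory composition rules, so the `meets_ideal` check is here because it is the criterion the report measured, while `in_breach_list` is the control NIST actually favours.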
“When given the option, users often choose shorter passwords,” the report noted. “While strong, smart password policies are a start, they’re not a silver bullet – and they’re not going to help at all if you’ve given over your credentials through a successful phishing attack.”
The user imperative
With many companies tightening their controls and threatening punitive action against insecure employees in the lead-up to this year’s Notifiable Data Breaches-GDPR compliance double-whammy, the existence of Data Privacy Day – commemorated annually on 28 January – serves as a reminder of the importance of improving access control policies and practices.
“Data Privacy Day recognises the increasing—and often neglected—need to strengthen security to protect data and privacy,” Forcepoint ANZ senior director and general manager Guy Eilon said in a statement.
“In a hyper-connected world where consumers are willing to provide their personal data in order to get a service or a good deal online, data breaches have become a norm rather than an exception… These moments of legislative history present an opportunity for organisations to step up their security efforts and build a culture that upholds the need to protect customer data.”
“Data Privacy Day is a good reminder for organisations to build a human-centric security approach, which focuses on the interaction of people and critical data to not only protect their business and customer’s data but also their employees and Intellectual Property.”
Many companies are starting to do that with more regularity, Okta said, noting that seven of the 15 fastest-growing apps in its network were security tools or have security use-cases. Use of apps from security awareness training company KnowBe4, for example, grew 290 percent over the past year, leading Okta to conclude this indicated “organisations’ increased focus on training employees around security best practices and ways to combat social engineering attacks”.
“Stringent” password policies and 2-factor authentication were “crucial”, the report noted, as developers’ demand for better tools continues to grow.
Correlating the attacks observed in Okta’s data against publicly available threat-intelligence data revealed a range of repeat offenders as well as attacks coming from IP addresses that had not previously been known as threat sources. This led the analysts to one conclusion: “cloud services are getting attacked – a lot,” the report noted, “and these cloud attacks are not evenly distributed throughout the world.”
Organisations should, the firm recommended, improve security detection and monitoring, leverage threat feeds from both open-source and paid sources, and block dark web or high-risk geographies from which they do not expect to have legitimate business.
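The monitoring the firm recommends amounts to joining authentication events against a threat feed and a geography policy. The following is an added example, not code from the article or from Okta: it runs a handful of constructed login log lines through a constructed feed of known-bad ranges (including a Tor-exit range) and a constructed country lookup, then decides per event whether to allow, flag for review, or block. The log format, the CIDR tables, the fictitious country code and the `EXPECTED_COUNTRIES` set are all assumptions; a real deployment would load the feed from the open-source and paid sources the report mentions and the geography from a GeoIP database.

```python
"""Added example (not from the article or Okta): triage constructed login
events against a threat feed and an expected-geography policy."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines (format is an assumption for this example).
SAMPLE_LOGS = """\
2018-01-25T08:01:12Z auth login user=alice src=203.0.113.10 result=success
2018-01-25T08:01:40Z auth login user=bob src=198.51.100.7 result=failure
2018-01-25T08:02:03Z auth login user=bob src=198.51.100.7 result=failure
2018-01-25T08:02:30Z auth login user=carol src=192.0.2.44 result=failure
2018-01-25T08:03:11Z auth login user=alice src=203.0.113.250 result=success
2018-01-25T08:04:00Z auth login user=dave src=198.51.100.99 result=success
"""

# Constructed threat feed: CIDR -> label. Stands in for open-source/paid feeds.
THREAT_FEED: Dict[str, str] = {
    "198.51.100.0/29": "tor-exit",       # covers 198.51.100.0 - .7
    "192.0.2.44/32": "known-scanner",
}

# Constructed geolocation table standing in for a GeoIP database.
GEO: Dict[str, str] = {
    "203.0.113.0/24": "AU",
    "198.51.100.0/24": "XX",             # fictitious high-risk region
    "192.0.2.0/24": "CN",
}

# Countries this (hypothetical) organisation expects legitimate logins from.
EXPECTED_COUNTRIES = {"AU", "NZ"}

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)")


def lookup(ip: str, table: Dict[str, str]) -> Optional[str]:
    """Return the label of the first CIDR in `table` containing `ip`, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in table.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return None


def classify(line: str) -> Optional[dict]:
    """Parse one log line and attach threat label, country and verdict."""
    m = LINE_RE.search(line)
    if not m:
        return None                      # unparseable lines are skipped
    ip = m["src"]
    threat = lookup(ip, THREAT_FEED)
    country = lookup(ip, GEO)
    if threat:                           # feed match wins regardless of geography
        verdict = "block"
    elif country not in EXPECTED_COUNTRIES:
        verdict = "review"               # unexpected geography, human follow-up
    else:
        verdict = "allow"
    return {"user": m["user"], "src": ip, "result": m["result"],
            "threat": threat, "country": country, "verdict": verdict}


def triage(logs: str = SAMPLE_LOGS) -> List[dict]:
    events = (classify(l) for l in logs.splitlines() if l.strip())
    return [e for e in events if e is not None]


def summarize(events: List[dict]) -> Counter:
    """Count verdicts, the figure a dashboard or daily report would show."""
    return Counter(e["verdict"] for e in events)


def failures_by_source(events: List[dict]) -> Counter:
    """Failed attempts per source IP, useful for spotting password spraying."""
    return Counter(e["src"] for e in events if e["result"] == "failure")


if __name__ == "__main__":
    evs = triage()
    for e in evs:
        print(f"{e['verdict']:6} {e['user']:6} {e['src']:16} "
              f"country={e['country']} threat={e['threat']}")
    print(dict(summarize(evs)))
```

The ordering in `classify` is the point worth copying: a threat-feed hit blocks outright, while an unexpected country only raises the event for review, since a travelling employee or a VPN egress can legitimately appear outside the expected set and a hard geo-block there would lock real users out.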