
Passwords unconfidential

(Image credit: Image source: Shutterstock/scyther5)

Passwords, security checks and data protection are part of our everyday personal and professional lives. However, with so many passwords and PINs to remember, it can be extremely difficult to keep track of them all. In a world where hacking seems to be becoming increasingly commonplace, do we really understand the consequences of our online activity?

We recently commissioned research which looked into this very topic. We found that, above all, British workers are becoming careless about protecting their data and avoiding cyber-crime. The survey of 2,000 workers revealed that almost half (46 per cent) of Brits admit they use the same password for all devices and platforms at work.

When you consider that these workers use dozens of online services during the working day, all of which require passwords and PINs, these small careless instances really add up. Indeed, a report published by LastPass recently found that the average business employee must keep track of 191 passwords; a staggering amount.

Understandably, each user would like to access these services as quickly as possible, which is often the reason why the same password is used for numerous sites. However, whilst this may be a more convenient approach, as it allows workers to access the services they need faster, it also comes with huge risks: a password leaked from any one of those services can then be tried, usually automatically, against every other service the employee uses (credential stuffing).

Recent research by Verizon, published in its Data Breach Investigations Report, found that 81 per cent of hacking-related breaches involved stolen or weak passwords.

Despite it being common sense not to base passwords on easily researched information (such as birthdays or family members' names), a further one in four confessed to using these kinds of keywords to protect a range of sensitive material online.

Perhaps unsurprisingly, given these figures, the research also uncovered that the three most common password ingredients used by UK workers are dates of birth (37 per cent), spouses' names (22 per cent) and children's names (18 per cent).
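The pattern the survey describes (passwords built from a date of birth or a spouse's or child's name) is one a password-acceptance check can catch at the point the password is set, because the organisation already holds those details in the user's HR or directory record. The following is an added example, not code from the original article or from any product it mentions: it rejects candidate passwords that contain the user's own names or dates of birth in their common written forms, even when disguised with substitutions such as 0l1v3r, and enforces an assumed minimum length of 12. The profile, names, dates and candidate passwords are constructed sample data.

```python
"""Reject passwords derived from a user's own easily researched personal details.

Added example for this article; the profile and passwords are constructed sample
data and the policy limits below are assumptions, not values from the text.
"""
import re
from datetime import date

# Common substitutions used to disguise a word (p@ssw0rd, 0l1v3r). Assumption for
# this demonstration: a small map suffices; a production checker would use a fuller one.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12   # assumed policy minimum
MIN_TOKEN = 3     # ignore very short names (e.g. "Al") to limit false rejections


def views(s: str) -> tuple[str, str]:
    """Two lower-cased alphanumeric views of a string: as typed, and with leet undone.
    Digits survive in the first view so that date fragments still match."""
    plain = re.sub(r"[^a-z0-9]", "", s.lower())
    deleet = re.sub(r"[^a-z0-9]", "", s.lower().translate(LEET))
    return plain, deleet


def date_tokens(d: date) -> set[str]:
    """Common written forms of a date, e.g. 1985-03-07 -> 07031985, 070385, 7385, 1985, ..."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yy, yyyy = f"{d.year % 100:02d}", str(d.year)
    return {
        dd + mm + yyyy, dd + mm + yy, mm + dd + yyyy, mm + dd + yy,
        yyyy + mm + dd, yy + mm + dd, dd + mm, mm + dd,
        f"{d.day}{d.month}{yy}", f"{d.day}{d.month}{yyyy}", yyyy,
    }


def personal_tokens(profile: dict) -> set[str]:
    """Collect the strings a password must not contain, taken from the user's own profile."""
    tokens: set[str] = set()
    for key in ("username", "first_name", "last_name", "spouse", "children", "pets"):
        values = profile.get(key, [])
        for value in ([values] if isinstance(values, str) else values):
            name = re.sub(r"[^a-z0-9]", "", value.lower())
            if len(name) >= MIN_TOKEN:
                tokens.add(name)
    for d in profile.get("dates", []):
        tokens |= date_tokens(d)
    return tokens


def check_password(password: str, profile: dict) -> list[str]:
    """Return the policy violations for a candidate password; an empty list means accept."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    plain, deleet = views(password)
    hits = {t for t in personal_tokens(profile) if t in plain or t in deleet}
    if hits:
        problems.append("contains personal details: " + ", ".join(sorted(hits)))
    return problems


# Constructed sample profile for the demonstration (not real data).
SAMPLE_PROFILE = {
    "username": "jsmith",
    "first_name": "Jane",
    "last_name": "Smith",
    "spouse": "Robert",
    "children": ["Oliver", "Amelia"],
    "dates": [date(1985, 3, 7), date(2012, 11, 23)],  # own and child's dates of birth
}

if __name__ == "__main__":
    for candidate in ("Robert1985!", "0l1v3r-is-g00d-2023", "Correct-Horse-Battery-Staple"):
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_PROFILE) or 'accepted'}")
```

A check like this only addresses the guessable-password problem; it says nothing about whether the same password is also in use on other services, which an organisation can only detect by screening new passwords against lists of credentials exposed in known breaches. Short date fragments such as 0703 will occasionally match random digits, so a deployment would tell the user which detail was matched rather than silently rejecting the password.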

The much-publicised Apple iCloud attack, in which hundreds of celebrity accounts were compromised and sensitive images publicly shared, is one such example. Following the scandal, it emerged that the attackers had simply "guessed" the passwords and security details of their victims to gain access. Clearly, then, this is a widespread issue.

GDPR: a new era in password protection?

The question of weak passwords is particularly concerning for business owners ahead of the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.

The new rules require British organisations to be able to show that privacy and security safeguards are built into products (such as mobile apps) and services from the earliest stage of development. The Regulation specifically mentions encryption and pseudonymisation as measures for separating personally identifiable information from other data.

Firstly, with cyber threats at an all-time high, businesses are potentially exposing themselves to significant fines and the risk of reputational damage as a result of an endemic laissez-faire attitude towards digital security amongst workers.

GDPR, which involves the biggest changes to Europe’s data protection rules in two decades, means that there is now even greater attention being paid to how even the smallest companies are recording, storing and processing users’ data.

The passwords currently used by British workers are not only a huge issue in themselves, since external parties can potentially access confidential business documents and information by guessing them, but they also suggest that British businesses are failing to enforce basic policies to ensure their company information is secure.

Secondly, businesses should not only ensure that data security policies are updated to be in line with GDPR and enforce this within their existing workforce, but also take steps to safeguard their processes to protect company data when staff move on.

Just a quarter (24 per cent) of British workers said their company changes the passwords for key digital accounts and services when a member of staff leaves employment. This suggests that 76 per cent of British businesses could be at risk of former employees continuing to access confidential company files and information.

What's more, GDPR brings larger fines and further obligations. These include a requirement to appoint a data protection officer where an organisation's core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (there is no headcount threshold for this; the 250-staff figure relates to the exemption from keeping records of processing activities), and a requirement for a clear, affirmative opt-in wherever consent is the lawful basis relied on to process users' data. This is set to place even more pressure on large organisations to adhere to the new data protection requirements.

By appointing a data protection officer to implement company processes and practices across the workforce, UK companies can ensure that their data is properly stored and protected against misuse by current and former employees alike.

Lax attitudes to working practices

Workers are not only taking a worryingly relaxed attitude to confidentiality and cyber security at work; 74 per cent of them admitted to using personal technology to freely access their work documents and data.

Half (52 per cent) of UK workers access their work emails on an unsecured personal device such as a mobile phone or laptop, meaning many are running the risk of leaking confidential business communications. More than a third (35 per cent) of workers have professional documents stored on gadgets which are not password protected.

This figure may not be surprising given the rise in remote working: staff who are not based in a traditional office environment, those working away from their desks, and mobile and home workers. However, what many people do not realise is that a personal mobile device can become infected with malware which, once that device connects to the corporate network, can go on to infiltrate company servers.

This comes in the wake of Hillary Clinton being labelled "extremely careless" for using personal technology and unsecured servers for state-related business, showing that this type of behaviour is widespread.

Those working in the financial services industry (81 per cent) were revealed as the worst offending employees, putting sensitive client information at risk by using personal gadgets for professional communication, followed by legal industry workers (79 per cent) and those in the education sector (76 per cent).

To reduce the risk of attacks, and provide a more secure way for remote workers to access company networks, organisations should take a combination of steps to ensure data is protected.

Always ensure data transfers occur via secure channels such as an encrypted VPN. This reduces the likelihood that data can be intercepted when staff are, for example, connecting via a public Wi-Fi hotspot.

It is also important to ensure data sharing is handled via secure methods. This may mean rethinking a few things that are often taken for granted, like email. Instead, look to secure sharing services to send valuable information and files.

You can also improve security using strong policy enforcement technologies. That can mean security software and policy control on PCs and laptops. For smartphones and tablets, Enterprise Mobility Management (EMM, which incorporates MDM) is also vital, especially where BYOD is permitted.

With a firm date now looming for GDPR to come into force next year, and with the Regulation spelling out the importance of how data is handled and stored, now is a key time for British businesses not only to review their current data processing but also to implement new processes and procedures across their workforce, to the benefit of the company and its protection from potential attacks.

There are various services and products available for businesses of all sizes to help secure data against hackers and cyber-crime. The best advice we would give is to speak to IT support departments and service providers to plan out the next steps to secure company data.

Mark Lomas, Technical Consultant