Report: Employees Continue to Miss the Mark on Password Security

Cloud and bring-your-own-device adoption are prevalent at US enterprises, but despite the connection between personal device and account security and enterprise data security, the majority of employees reuse passwords and share credentials with family members, according to Ping Identity research. The Ping Identity 2015 Online Identity Study shows that 11 percent of employees believe they can be held accountable for a breach at their organization.

Ping Identity surveyed 1,000 employees at US enterprises in October and asked them about their perceptions and experiences of personal and corporate security. The results show a clear disconnect between employees' practices and their perceptions, as well as the expectations of their employers.

To tackle this issue, several large service providers have launched BYOD or access management products recently, including VMware and Symantec.

Company password and authorization measures are considered “good” or “excellent” by employees, and over three-quarters of enterprise employees are prompted regularly to change their passwords. While 60 percent of employees do work activities on a personal device, and 55 percent do personal activities on a work device, 54 percent have shared login information with a family member, and nearly half are likely to reuse work-related passwords. Further, despite regular prompting to change passwords for work accounts, only one-third of employees have changed personal passwords within the last month.

“Employees are doing some things really well to keep data secure, like creating unique and difficult-to-guess passwords, but are then reusing passwords across personal and work accounts or sharing them with family or colleagues,” Andre Durand, CEO of Ping Identity, said. “No matter how good employees’ intentions are, this behavior poses a real security threat. IT continues to shoulder the burden of enabling mobility in a secure manner and educating employees on safe online behavior, but those efforts are falling short, too. This is a defining moment for CISOs and CEOs, and tackling these pervasive disconnects will require both to come together to rethink how they ensure that the right people have access to the right data from any device, no matter where they are.”

The study also suggests that employees would sell their various passwords for various amounts, though the main take-away from that section is probably that they are more careful about work accounts than personal ones, an attitude also reflected elsewhere in the study.